Re: Fedora 34 selinux blocking out-of-tree module loading even when secureboot is disabled???

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Feb 19, 2021 at 5:23 PM Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
> Hi,
>
> On 2/19/21 2:24 PM, Ondrej Mosnacek wrote:
> > Hi Hans,
> >
> > On Fri, Feb 19, 2021 at 1:36 PM Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
> >> Hi All,
> >>
> >> While dogfooding F34 I noticed that out of tree kernel modules (1) are
> >> now being blocked, not by the kernel's lockdown mechanism (which only
> >> does this when secureboot is enabled) but by selinux:
> >>
> >> audit: type=1400 audit(1613736626.937:95): avc:  denied  { integrity } for  pid=401 comm="systemd-udevd" lockdown_reason="unsigned module loading" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
> >>
> >> Note as you can see I've put selinux in permissive mode and that
> >> fixes the unsigned module loading, showing that this is indeed
> >> caused by some new selinux rules.
> >>
> >> I must say that this seems like a bad idea, we already have the kernel
> >> enforcing module-loading lockdown stuff, we really do not need selinux to
> >> add extra enforcement on top of this, esp. not enforcement which seems
> >> to circumvent the usual "disable secure boot" workaround.
> >
> > Yes, it was unintentional
>
> Ah, good TBH I was worried a bit that it was intentional.
>
> I'm happy to hear that it was unintentional and a fix is on its way.
>
> > - we introduced the lockdown class (which
> > mimics the lockdown mechanism, but works on per-SELinux-domain basis)
> > into the Fedora policy with [1], but this was one of the things not
> > found by initial testing. We didn't mean to introduce any regressions,
> > just limit the new permissions only to domains that actually need
> > them.
> >
> > This particular issue is already fixed in git (as of a few days ago):
> > https://github.com/fedora-selinux/selinux-policy/commit/fee95c0434ade64c14add7f07233eb44f396262b
>
> Thank you for the detailed explanation.
>
> > And the permission will be allowed also to unconfined_t, which is the
> > type that user sessions will get by default (under the "targeted"
> > policy), so also e.g. manual modprobe from terminal should still work:
> > https://github.com/fedora-selinux/selinux-policy/commit/e4ea1e13059ac475c3f012a3f58cbf0b0e554164
> >
> > The fixes should propagate into F34 and Rawhide soon.
>
> Sounds good, I look forward to being able to turn enforcing back on.
>
> ###
>
> Unrelated, while looking at audit.log to get info sending my original email
> I also noticed multiple of these lockdown related AVC lines:
>
> type=AVC msg=audit(1613257073.100:186): avc:  denied  { integrity } for  pid=647 comm="systemd-logind" lockdown_reason="hibernation" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=lockdown permissive=1
>
> Note this is on a system with secure-boot disabled. Known issue or should I file a bug for this?
>
> ###
>
> While at it, I've also gone over audit.log for more AVCs in F34 and found a whole bunch of "denied  { watch } ..." AVCs:
>
> type=AVC msg=audit(1613257064.658:130): avc:  denied  { watch } for  pid=515 comm="avahi-daemon" path="/services" dev="mmcblk1p4" ino=1175311 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
>
> type=AVC msg=audit(1613257065.502:152): avc:  denied  { watch } for  pid=640 comm="accounts-daemon" path="/etc/gdm" dev="mmcblk1p4" ino=1175113 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:xdm_etc_t:s0 tclass=dir permissive=1
>
> type=AVC msg=audit(1613257067.416:177): avc:  denied  { watch } for  pid=723 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="mmcblk1p4" ino=1175380 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1613257067.809:178): avc:  denied  { watch } for  pid=724 comm="gnome-session-b" path="/run/systemd/sessions" dev="tmpfs" ino=68 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1613257071.851:179): avc:  denied  { watch } for  pid=758 comm="gnome-shell" path="/var/lib/gdm/.config" dev="mmcblk1p4" ino=262217 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1613257071.851:180): avc:  denied  { watch } for  pid=758 comm="gnome-shell" path="/etc/xdg" dev="mmcblk1p4" ino=1175203 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1613257071.863:181): avc:  denied  { watch } for  pid=758 comm="gnome-shell" path="/var/lib/flatpak" dev="mmcblk1p4" ino=262080 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
>
> type=AVC msg=audit(1613257074.278:187): avc:  denied  { watch } for  pid=867 comm="gmain" path="/etc" dev="mmcblk1p4" ino=1175041 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1613257074.322:188): avc:  denied  { watch } for  pid=870 comm="gsd-sound" path="/var/lib/gdm/.local/share/sounds" dev="mmcblk1p4" ino=265134 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir permissive=1
>
> type=AVC msg=audit(1613257075.986:196): avc:  denied  { watch } for  pid=758 comm="gnome-shell" path="/var/lib/AccountsService/icons" dev="mmcblk1p4" ino=262116 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:accountsd_var_lib_t:s0 tclass=dir permissive=1
>
> Are these known issue(s) or should I file a bug(s) for this?

Some of those look familiar and likely already have BZs reported and a
few of them might be fixed in git already... but I'll defer to Zdenek,
who probably has a better overview of the current bugs.

>
> IF you want bug(s) for this can you let me know if I should split these over multiple bugs ?
>
> And if you want them split can you know how you want them grouped ?
>
> Regards,
>
> Hans
>

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux