selinux: restore missing ioctl/lock and gpg_exec_t in optional policy blocks#643
Merged
bfjelds merged 2 commits intoMay 13, 2026
Merged
Conversation
PR #636 replaced refpolicy interface macros with hand-expanded allow rules inside optional_policy blocks, but the expansions had two gaps: 1. gpg_entry_type(trident_t) was dropped entirely, losing all permissions on gpg_exec_t. The replacement only covered gpg_agent_exec_t. Restore gpg_exec_t with the full domain_entry_file permission set. 2. All six _exec_t replacements (chronyd, logrotate, rpm, sudo, kadmind, gpg_agent) used { getattr open read execute execute_no_trans map } but the original can_exec / domain_entry_file macros also grant ioctl and lock. Restore these two permissions to match upstream semantics. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes SELinux policy permission regressions introduced when refpolicy interface macros were manually expanded inside optional_policy blocks (to support ACL images that remove certain SELinux modules). This PR restores missing permissions so Trident can execute GPG and other helper binaries without AVC denials on full Azure Linux images.
Changes:
- Add
gpg_exec_tback into the optional GPG policy block and grant Trident the expected executable access. - Restore
ioctlandlockpermissions on several_exec_tallow rules (chronyd, logrotate, rpm, sudo, kadmind, and gpg-agent) to align with prior macro-derived permissions.
The pre-#636 policy used gpg_entry_type(trident_t) which grants entrypoint on gpg_exec_t. However, entrypoint means 'this binary is a valid entry point for transitioning INTO trident_t' — the opposite of what is needed. Trident execs gpg/gpg-agent and stays in its own domain (trident_t), so the correct permission is execute_no_trans (execute without domain transition), matching can_exec macro semantics. The original macro choice was incorrect; fix it properly now rather than faithfully restoring incorrect behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
Author
|
/azp run [GITHUB]-trident-pr-e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
fintelia
approved these changes
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
PR #636 replaced refpolicy interface macros with hand-expanded allow rules inside
optional_policyblocks so the policy compiles on ACL images that lack those modules. However, the manual expansions had two permission gaps:1.
gpg_exec_tdropped entirelyThe original
gpg_entry_type(trident_t)macro expanded todomain_entry_file(trident_t, gpg_exec_t), granting trident access to the main gpg/gpg2 binary. The replacement only coveredgpg_agent_exec_t—gpg_exec_twas neither required nor referenced.On full Azure Linux where GPG is installed, trident loses all permissions on the gpg binary (needed by tdnf/rpm for package signature verification).
2.
ioctlandlocksystematically dropped from all exec replacementsSix exec macro replacements (chronyd_exec_t, logrotate_exec_t, rpm_exec_t, sudo_exec_t, kadmind_exec_t, gpg_agent_exec_t) all used
{ getattr open read execute execute_no_trans map }but the originalcan_exec/domain_entry_filemacros also grantioctlandlock.This creates a permission gap on full AZL that could cause AVC denials.
3.
entrypointused instead ofexecute_no_transon gpg binariesThe pre-#636 policy used
gpg_entry_type(trident_t)which grantsentrypoint— meaning 'this binary is a valid entry point for transitioning INTO trident_t.' However, trident (and osmodifier, which trident calls) do not directly exec gpg. GPG is invoked indirectly by tdnf/rpm for package signature verification, running intrident_tviaexecute_no_trans. There is notype_transitionrule for gpg → trident_t anywhere in the policy, soentrypointwas always a latent bug in the original policy. The correct permission isexecute_no_trans(execute without domain transition), matchingcan_execmacro semantics.Verified that all tools invoked by osmodifier (useradd, usermod, systemctl, openssl, sed, grub2-mkconfig, blkid, setfiles, semanage, chmod) are already covered by existing policy rules.
Fix
gpg_exec_tto the GPG optional blockexecute_no_trans(notentrypoint) on bothgpg_exec_tandgpg_agent_exec_tto match actual runtime behaviorioctlandlockon all six_exec_tallow rules to match upstream macro semanticsReview
Changes validated by 9-agent deep review (3 roles × 3 models: GPT-5.5, Opus, Sonnet). Finding #2 (entrypoint semantics) was flagged by all 3 skeptic models and 2 of 3 architect models.
Validation