the mac_selinux calls on line 627 and 629 in core/namespace.c can and should probably be removed

systemd version the issue has been seen with

https://bugzilla.redhat.com/show_bug.cgi?id=1746413#c30

Used distribution

Fedora

Expected behaviour you didn't see

Systemd seems to not create "dummy bind-mount files" without device node labels .

Unexpected behaviour you saw

Systemd seems to create "dummy bind-mount file" with device node labels.

Steps to reproduce the problem
https://bugzilla.redhat.com/show_bug.cgi?id=1746413#c30

The faillback code starting at core/namespace.c line 625 seems to cause systemd to create the "dummy bind-mount file" with the device node label:

type=AVC msg=audit(1567152101.123:147): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="random" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1

As you can see the target is a file. /dev/random (or any device) is a character file. And so systemd should not create this dummy bind-mount target file with a device node type like "random_device_t". Because there shouldnt be any "files" with device node types (theres only char files and block files for storage devices).

The argument is:

First, with the mode stat()ed from the actual device node (before the call to mknod()),
and then with mode==0, before creating a dummy mount target. So the "dummy bind mount target"
should not be labelled as a device node, but as a normal file. Or at least systemd passes
this metadata to selabel_lookup_raw().

But if that is the case then why call mac_selinux_create_file_prepare(d, 0); on line 627 in the first place.

The issue is that according to the bug reports attached avc denials, systemd is creating dummy bind-mount target files with device node contexts, and it should not do that. Because files with device node contexts should not exist.

[poettering]

consider preparing a PR for this, it's the best way to get this fixed, as us maintainers are not selinux gurus, and hence rely on tested patches being submitted to keep this all working

[keszybz]

But if that is the case then why call mac_selinux_create_file_prepare(d, 0)

That's exactly the call which tells selabel_lookup_raw() that we're creating a file with path d, mode 0, i.e. without S_IFCHR. So maybe the fix is in selabel_lookup_raw() to notice this and not use tcontext=system_u:object_r:random_device_t:s0 but instead tcontext=system_u:object_r:init_var_run_t:s0 or something else?

It should just create the file without any selinux awareness as far as i am concerned.
The labeling will be taken care of by the bind mount.

I am not sure what the best solution to this issue would be but the result should be that systemd would create the dummy bind-mount target file as if there was no selinux. That is why my simple suggestion is to just remove those two calls at 627 and 629.

The main point, again, is that there shouldnt be any plain files with device node types. Anticipating that bad scenario in policy sets a bad precendent. The goal is to enforce integrity, You cannot do that when you label objects in incompatible way's

[sharkcz]

CCing @wrabcak

[sharkcz]

I still wonder why only s390x has been affected. But we could drop the workaround from the policy in rawhide and work on a proper fix there.

Maybe for the same reason of this fallback scenario. I cannot find an explanation for this scenario, but obviously it was added for a reason. It would have helped if it said: "fallback for when .... happens".

this is still an issue (x86_64) -- systemd 244-1

Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { create } for  pid=2246529 comm="(d-daemon)" name="tty" scontext=sys.id:sys.role:systemd.
system.subj:s0 tcontext=sys.id:sys.role:dev.devtty.dev_file:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { mounton } for  pid=2246529 comm="(d-daemon)" path="/tmp/namespace-dev-w51Hoa/dev/random"
 dev="tmpfs" ino=4687874 scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.random.dev_file:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { create } for  pid=2246529 comm="(d-daemon)" name="random" scontext=sys.id:sys.role:syste
md.system.subj:s0 tcontext=sys.id:sys.role:dev.random.dev_file:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { mounton } for  pid=2246529 comm="(d-daemon)" path="/tmp/namespace-dev-w51Hoa/dev/zero" d
ev="tmpfs" ino=4680702 scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.zero.dev_file:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { create } for  pid=2246529 comm="(d-daemon)" name="zero" scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.zero.dev_file:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { mounton } for  pid=2246529 comm="(d-daemon)" path="/tmp/namespace-dev-w51Hoa/dev/null" dev="tmpfs" ino=4680700 scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.null.isid:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { create } for  pid=2246529 comm="(d-daemon)" name="null" scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.null.isid:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { mounton } for  pid=2246529 comm="(d-daemon)" path="/tmp/namespace-dev-w51Hoa/dev/ptmx" dev="tmpfs" ino=4680693 scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.ptmx.dev_file:s0 tclass=file permissive=1
Dec 06 09:30:11 brutus audit[2246529]: AVC avc:  denied  { create } for  pid=2246529 comm="(d-daemon)" name="ptmx" scontext=sys.id:sys.role:systemd.system.subj:s0 tcontext=sys.id:sys.role:dev.ptmx.dev_file:s0 tclass=file permissive=1

# /usr/lib/systemd/system/usbguard.service
[Unit]
Description=USBGuard daemon
Wants=systemd-udevd.service local-fs.target
Documentation=man:usbguard-daemon(8)

[Service]
AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
DeviceAllow=/dev/null rw
DevicePolicy=strict
ExecStart=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectSystem=yes
PIDFile=/run/usbguard.pid
ReadOnlyPaths=-/
ReadWritePaths=-/dev/shm -/var/log/usbguard -/tmp -/etc/usbguard/
Restart=on-failure
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
Type=simple
UMask=0077

[Install]
WantedBy=basic.target

This seems to trigger that in the above:

DevicePolicy=strict

[cgzones]

In the original bug report the submitter claims that the fix for bug 1769148 solves the original issue.

@doverride is it an option to call mac_selinux_create_file_prepare with S_IFREG? Then you can define a file context /dev/.* -- gen_context(system_u:object_r:device_bind_dummy_t,s0).

On Fri, Jan 10, 2020 at 06:03:48AM -0800, cgzones wrote: In the [original bug report](https://bugzilla.redhat.com/show_bug.cgi?id=1746413) the submitter [claims](https://bugzilla.redhat.com/show_bug.cgi?id=1746413#c34) that the [fix](415fe5e) for bug [1769148](https://bugzilla.redhat.com/show_bug.cgi?id=1769148) solves the issue. @doverride is it an option to call `mac_selinux_create_file_prepare` with `S_IFREG`? Then you can define a file context `/dev/.* -- gen_context(system_u:object_r:device_bind_dummy_t,s0)`.

That wouldnt be sustainable as not all files in /dev are alway's only systemd bind mount dummy files (now and in the future). Besides, I am not sure if that is worth the trouble. If systemd in this case just does not look up the context and instead just creates these bind mount dummy files as-is then everything should be OK i believe. Easy-peasy (in theory)

…

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #13762 (comment)

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

This fixes the issue:

diff --git a/src/core/namespace.c b/src/core/namespace.c
index c0ff44c..b0eef4f 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -628,9 +628,7 @@ static int clone_device_node(
 
         /* We're about to fallback to bind-mounting the device
          * node. So create a dummy bind-mount target. */
-        mac_selinux_create_file_prepare(d, 0);
         r = mknod(dn, S_IFREG, 0);
-        mac_selinux_create_file_clear();
         if (r < 0 && errno != EEXIST)
                 return log_debug_errno(errno, "mknod() fallback failed for '%s': %m", d);

This is a reliable reproducer:

systemd-run -p DeviceAllow="/dev/null rw" -p DevicePolicy=strict -p PrivateDevices=yes /bin/ls -alZ /dev

I can;t prepare a pull request because i am boycotting github and seems that is the only avenue