I believe the following fcontext change is necessary:

➤ semanage fcontext -l -C

➤ ausearch -m avc --start boot
----
time->Sat Apr 23 01:56:08 2022
type=PROCTITLE msg=audit(1650671768.186:14): proctitle=6E6674002D63002D66002F7661722F6C69622F6E667461626C65732F72756C65732D73617665
type=PATH msg=audit(1650671768.186:14): item=0 name="/var/lib/nftables/rules-save" inode=644956 dev=00:1c mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1650671768.186:14): cwd="/"
type=SYSCALL msg=audit(1650671768.186:14): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe4977cb06 a2=0 a3=0 items=1 ppid=3714 pid=3715 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nft" exe="/sbin/nft" subj=system_u:system_r:iptables_t key=(null)
type=AVC msg=audit(1650671768.186:14): avc: denied { read } for pid=3715 comm="nft" name="rules-save" dev="dm-0" ino=644956 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=0

➤ ls -ldZ /var/lib/nftables /var/lib/nftables/rules-save
drwxr-xr-x. 1 root root system_u:object_r:var_lib_t  78 16. Apr 13:47 /var/lib/nftables/
-rw-------. 1 root root system_u:object_r:var_lib_t 598 16. Apr 13:47 /var/lib/nftables/rules-save

➤ semanage fcontext -l | grep "/var/lib/.*tables"
/var/lib/ip6?tables(/.*)?    all files    system_u:object_r:initrc_tmp_t

➤ sesearch --allow --source iptables_t --target initrc_tmp_t --class file --perm read
allow iptables_t initrc_tmp_t:file { append getattr ioctl lock open read write };

➤ semanage fcontext -a -t initrc_tmp_t "/var/lib/nftables(/.*)?"

➤ restorecon -R -F -v /var/lib/nftables
Relabeled /var/lib/nftables from system_u:object_r:var_lib_t to system_u:object_r:initrc_tmp_t
Relabeled /var/lib/nftables/.keep_net-firewall_nftables-0 from system_u:object_r:var_lib_t to system_u:object_r:initrc_tmp_t
Relabeled /var/lib/nftables/rules-save from system_u:object_r:var_lib_t to system_u:object_r:initrc_tmp_t
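As an added example (not part of the bug report or of the refpolicy project), the diagnosis above generalised into a small POSIX sh helper: given one `type=AVC` record from ausearch it prints the sesearch query that checks whether the loaded policy allows the denied access (so a candidate target type can be tested, as done above with initrc_tmp_t, before anything is relabeled), and it decodes the hex-encoded proctitle into the failing command line. The function names are my own; the sample record is the AVC line from this report, reduced to a single line and embedded here as constructed input.

```shell
#!/bin/sh
# Added helper, not from the bug report: derive a sesearch query from an
# AVC denial record, and decode the hex proctitle that audit emits when
# argv contains NUL separators.

# avc_to_sesearch RECORD
# Extract source type, target type, object class and the denied
# permission(s) from an "avc: denied" record and print the sesearch
# invocation that checks for an allow rule. The third colon-separated
# field of a context is its type, so MLS suffixes such as ":s0" are ignored.
# Multiple denied permissions are joined with commas, as sesearch expects.
avc_to_sesearch() {
  line=$1
  src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
  tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
  cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{\([a-z_ ]*\)}.*/\1/p')
  # Word-split the permission list (unquoted on purpose) and join with commas.
  perms=$(printf '%s\n' $perms | paste -s -d , -)
  if [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ] || [ -z "$perms" ]; then
    echo "not an AVC denial record: $line" >&2
    return 1
  fi
  printf 'sesearch --allow --source %s --target %s --class %s --perm %s\n' \
    "$src" "$tgt" "$cls" "$perms"
}

# decode_proctitle HEX
# Turn the hex proctitle back into a command line, showing each NUL
# argument separator as a space. Bytes are emitted via their octal value
# so that only POSIX printf escapes (\0ddd) are relied on.
decode_proctitle() {
  hex=$1
  out=''
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}   # first two hex digits
    hex=${hex#??}             # drop them
    if [ "$byte" = 00 ]; then
      out="$out "
    else
      out="$out$(printf '%b' "\\0$(printf '%03o' "0x$byte")")"
    fi
  done
  printf '%s\n' "$out"
}

# Constructed sample input: the AVC record and proctitle from the report.
SAMPLE_AVC='type=AVC msg=audit(1650671768.186:14): avc: denied { read } for pid=3715 comm="nft" name="rules-save" dev="dm-0" ino=644956 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=0'
SAMPLE_PROCTITLE=6E6674002D63002D66002F7661722F6C69622F6E667461626C65732F72756C65732D73617665

avc_to_sesearch "$SAMPLE_AVC"
decode_proctitle "$SAMPLE_PROCTITLE"
```

On a live system feed it real records with `ausearch -m avc --start boot | grep '^type=AVC' | while read -r rec; do avc_to_sesearch "$rec"; done`; the printed query for the record above names var_lib_t as target, and swapping in a candidate type such as initrc_tmp_t for `--target` is exactly the check run above before the relabel.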
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f537bac5606bd0ad279ab8016c2c8c51476956d

commit 6f537bac5606bd0ad279ab8016c2c8c51476956d
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2022-05-30 22:51:28 +0000
Commit:     Kenton Groombridge <concord@gentoo.org>
CommitDate: 2022-09-03 20:04:19 +0000

    iptables: add file context for /usr/libexec/nftables/nftables.sh

    Bug: https://bugs.gentoo.org/840230
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>

 policy/modules/system/iptables.fc | 2 ++
 1 file changed, 2 insertions(+)

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d935f927cd34c1a91d3a8f3c9278baeeef852320

commit d935f927cd34c1a91d3a8f3c9278baeeef852320
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2021-01-27 01:02:21 +0000
Commit:     Kenton Groombridge <concord@gentoo.org>
CommitDate: 2022-09-03 20:04:08 +0000

    iptables: add file context for saved rules

    Bug: https://bugs.gentoo.org/840230
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>

 policy/modules/system/init.fc     | 1 -
 policy/modules/system/iptables.fc | 5 +++++
 2 files changed, 5 insertions(+), 1 deletion(-)
I added "sec-policy/* ~amd64" to /etc/portage/package.accept_keywords/main and updated the packages to 2.20220520-r1. fcontext is fine with ">=sec-policy/*-2.20220520-r1" packages:

❯ matchpathcon /var/lib/{ip,ip6,nf}tables{,/*} /usr/libexec/nftables/nftables.sh | column -t
/var/lib/iptables                   system_u:object_r:iptables_conf_t:s0
/var/lib/ip6tables                  system_u:object_r:iptables_conf_t:s0
/var/lib/nftables                   system_u:object_r:iptables_conf_t:s0
/var/lib/nftables/rules-save        system_u:object_r:iptables_conf_t:s0
/usr/libexec/nftables/nftables.sh   system_u:object_r:iptables_exec_t:s0

❯ sesearch --allow --source iptables_t --target iptables_conf_t --class file --perm read
allow iptables_t iptables_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

So, this bug is solved with ">=sec-policy/*-2.20220520-r1".
I don't think that makes it invalid at all. That new version fixes your issue, and it was in response to this bug; it's simply FIXED.
OK, I didn't know it got fixed in 2.20220520 in response to this bug :)