871963 – sys-apps/gentoo-systemd-integration-9: On a SELinux+systemd host, 10-gentoo-path fails to read /etc/profile.env

Bug 871963 - sys-apps/gentoo-systemd-integration-9: On a SELinux+systemd host, 10-gentoo-path fails to read /etc/profile.env

Summary: sys-apps/gentoo-systemd-integration-9: On a SELinux+systemd host, 10-gentoo-p...

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	SE Linux Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2022-09-19 23:38 UTC by David Sardari
Modified:	2022-10-03 12:36 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Sardari 2022-09-19 23:38:22 UTC

10-gentoo-path requires read access on "/etc/profile.env", but fails due to the fcontext of "/etc/profile.env".

Reproducible: Always

Steps to Reproduce:
1. Setup Gentoo with systemd and SELinux
2. Boot

Actual Results:  
You get the following denials:

[   12.208682] audit: type=1400 audit(1663626722.916:3): avc:  denied  { read } for  pid=951 comm="10-gentoo-path" name="profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
[   12.211534] audit: type=1400 audit(1663626722.916:4): avc:  denied  { open } for  pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
[   12.214297] audit: type=1400 audit(1663626722.916:5): avc:  denied  { getattr } for  pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1


Expected Results:  
10-gentoo-path should be able to read "/etc/profile.env".


I circumvented above denials with:

❯ find / -inum 285848
/etc/profile.env

❯ semanage fcontext -l | grep '/etc/profile\\\.env' | column -t
/etc/profile\.env  regular  file  system_u:object_r:etc_runtime_t:s0

❯ sesearch -A -s systemd_generator_t -c file -p getattr,open,read | grep etc
allow systemd_generator_t etc_t:file { getattr ioctl lock open read };
allow systemd_generator_t lvm_etc_t:file { getattr ioctl lock map open read };

❯ semanage fcontext -m -f f -t etc_t '/etc/profile\.env'

❯ restorecon -Fv /etc/profile.env
Relabeled /etc/profile.env from system_u:object_r:etc_runtime_t:s0 to system_u:object_r:etc_t:s0

Comment 1 Mike Gilbert gentoo-dev

2022-09-21 03:48:57 UTC

I know nothing about selinux. Patches welcome.

Comment 2 Kenton Groombridge gentoo-dev

2022-09-21 14:36:03 UTC

The labeling of /etc/profile.env as etc_runtime_t goes all the way back to the initial commit of refpolicy in git... I'm not convinced that this file should be etc_runtime_t since it is created by env-update and not during system init, which would mean this is a policy bug.