704186 – net-firewall/nftables-0.9.0-r5 reads from stdin on system boot

Bug 704186 - net-firewall/nftables-0.9.0-r5 reads from stdin on system boot

Summary: net-firewall/nftables-0.9.0-r5 reads from stdin on system boot

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	SELinux (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	SE Linux Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-12-29 16:09 UTC by thomasb
Modified:	2022-05-31 23:10 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description thomasb 2019-12-29 16:09:17 UTC

/etc/init.d/nftables causes a SELinux deny message on system boot:

type=AVC msg=audit(1577611160.883:28): avc:  denied  { open } for  pid=5824 comm="nft" path="pipe:[9042]" dev="pipefs" ino=9042 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
type=SYSCALL msg=audit(1577611160.883:28): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f738cacf1d5 a2=0 a3=0 items=1 ppid=5822 pid=5824 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nft" exe="/sbin/nft" subj=system_u:system_r:iptables_t key=(null)
type=CWD msg=audit(1577611160.883:28): cwd="/"
type=PATH msg=audit(1577611160.883:28): item=0 name="/dev/stdin" inode=9042 dev=00:08 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:initrc_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1577611160.883:28): proctitle=6E6674002D66002D

This happens as the SELinux policy prohibits /sbin/nft reading out of /dev/stdin. I don't see a reason why /sbin/nft should read stdin anyway, so probably this should be fixed in the init script itself instead of altering the SELinux policy.

I temporarily fixed it with this policy enhancement:

  allow iptables_t initrc_t:fifo_file open;


Reproducible: Always

Steps to Reproduce:
1. ensure /etc/init.d/nftables is in default runlevel and loads a ruleset
2. reboot the machine
3. find the above pasted deny message with ausearch

Comment 1 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev

2020-01-06 11:16:04 UTC

Hi Thomas!

The change isn't as easy from nftables side as you think.

The script makes uses of pipes (and stdin reading) to load the ruleset because it needs to ensure the prior ruleset is flushed and it needs to do so atomically (on modern kernels). There is no warranty that the ruleset starts with a "flush ruleset" statement so we ensure that is the case by using that and an include statement. Any other approach would either be too complicated (requiring a temporary file that will fail as per https://bugs.gentoo.org/704184 or a static file that will not permit changing the configuration variables to specify which file to load).

Similarly the panic actions behave in a similar way by injecting a set of rules that prevent new connections (and or established ones) as the only ruleset and those will require also their own files.

We decided to skip that to avoid increasing the complexity for the users (with more files and therefore more points of failure and to debug when things misbehave). So it would instead be preferable to allow initrc_t fifo access as you did.

Comment 2 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev

2021-05-13 06:51:46 UTC

Hi Thomas, based on the feedback on #789306 I will make stdin use (during loads only) optional.

I have posted a new script, init.d and conf.d files which I'd appreciate if you could test and give me some feedback on.

This does not solve the problem with panics which still need stdin to work.