fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Fedora 40: It is not possible to register system using rhsm.service #2214

Open jirihnidek opened 4 days ago

jirihnidek commented 4 days ago

When a user tries to register the system using a client tool communicating over D-Bus with rhsm.service (e.g. rhc), the registration is terminated with the following error in rhsm.log:

2024-07-03 12:42:28,228 [DEBUG] rhsm-service:575312:MainThread @client_info.py:75 - D-Bus sender: :1.2504 (cmd-line: ./rhc)
2024-07-03 12:42:28,228 [DEBUG] rhsm-service:575312:MainThread @i18n.py:166 - Trying to use locale: cs_CZ.UTF-8
2024-07-03 12:42:28,229 [INFO] rhsm-service:575312:MainThread @i18n.py:169 - Could not import locale for cs_CZ.UTF-8: [Errno 2] No translation file found for domain: 'rhsm'
2024-07-03 12:42:28,229 [INFO] rhsm-service:575312:MainThread @i18n.py:139 - Could not import locale either for cs_CS.UTF-8: [Errno 2] No translation file found for domain: 'rhsm'
2024-07-03 12:42:28,229 [DEBUG] rhsm-service:575312:MainThread @register.py:63 - Trying to create new domain socket server.
2024-07-03 12:42:28,229 [DEBUG] rhsm-service:575312:MainThread @server.py:329 - Adding sender :1.2504 to the set of senders
2024-07-03 12:42:28,230 [ERROR] rhsm-service:575312:MainThread @util.py:72 - org.freedesktop.DBus.Error.AccessDenied: Failed to bind socket "/run/dbus-He8ox0m8QT": Operation denied
Traceback (most recent call last):
  File "/usr/lib64/python3.12/site-packages/rhsmlib/dbus/util.py", line 70, in dbus_handle_exceptions
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/rhsmlib/dbus/objects/register.py", line 117, in Start
    address: str = self.impl.start(sender)
                   ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/rhsmlib/dbus/objects/register.py", line 69, in start
    address: str = self.server.run()
                   ^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/rhsmlib/dbus/server.py", line 386, in run
    self._server = dbus.server.Server(self._server_socket)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/dbus/server.py", line 60, in __new__
    return super(Server, cls).__new__(cls, address, connection_class,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Failed to bind socket "/run/dbus-He8ox0m8QT": Operation denied

Troubleshooting this issue shows that access to this socket file is forbidden by SELinux:

root@localhost:~# ausearch -m AVC,USER_AVC -ts recent
----
time->Wed Jul  3 15:08:51 2024
type=AVC msg=audit(1720012131.061:2250): avc:  denied  { create } for  pid=598507 comm="rhsm-service" name="dbus-087jgD8hIx" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0

Attempt to fix this issue

root@localhost:~# ausearch -m AVC,USER_AVC -ts recent | audit2allow -R

require {
    type rhsmcertd_t;
    type rhsmcertd_var_run_t;
    class sock_file create;
}

#============= rhsmcertd_t ==============
allow rhsmcertd_t rhsmcertd_var_run_t:sock_file create;

root@localhost:~# ausearch -m AVC,USER_AVC -ts recent | audit2allow -M my_rhsm_fix_01

root@localhost:~# semodule -i my_rhsm_fix_01.pp

After restarting rhsm.service, some issues still remain...

root@localhost:~# ausearch -m AVC,USER_AVC -ts recent
----
time->Wed Jul  3 15:14:29 2024
type=AVC msg=audit(1720012469.744:2259): avc:  denied  { setattr } for  pid=599170 comm="rhsm-service" name="dbus-yRjoegDlWV" dev="tmpfs" ino=9162 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0
----
time->Wed Jul  3 15:14:31 2024
type=AVC msg=audit(1720012471.825:2261): avc:  denied  { unlink } for  pid=599170 comm="rhsm-service" name="dbus-yRjoegDlWV" dev="tmpfs" ino=9162 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0

Generating a new .pp file and restarting rhsm.service fixed this issue.

The complete refpolicy file looks like this:

require {
    type rhsmcertd_t;
    type rhsmcertd_var_run_t;
    class sock_file { create setattr unlink };
}

#============= rhsmcertd_t ==============
allow rhsmcertd_t rhsmcertd_var_run_t:sock_file create;
allow rhsmcertd_t rhsmcertd_var_run_t:sock_file { setattr unlink };
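The two-round workaround above (fix `create`, restart, discover `setattr` and `unlink`, fix again) happens because SELinux only logs the first denied operation on a code path; each fix lets the service run a little further and hit the next one. The script below is an added example, not code from the issue or from the selinux-policy project: a small `awk`-based stand-in for `audit2allow` that reads AVC records, unions every denied permission per (source type, target type, class) and emits a single `.te` module body, so that all three denials collapse into one rule and one `semodule -i`. The AVC lines are constructed from the three records in the issue; the module name `my_rhsm_fix` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the issue or the selinux-policy project.
# Aggregate AVC denials into one consolidated SELinux TE module.

# Constructed sample: the three AVC records quoted in the issue.
AVC_SAMPLE='type=AVC msg=audit(1720012131.061:2250): avc:  denied  { create } for  pid=598507 comm="rhsm-service" name="dbus-087jgD8hIx" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1720012469.744:2259): avc:  denied  { setattr } for  pid=599170 comm="rhsm-service" name="dbus-yRjoegDlWV" dev="tmpfs" ino=9162 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1720012471.825:2261): avc:  denied  { unlink } for  pid=599170 comm="rhsm-service" name="dbus-yRjoegDlWV" dev="tmpfs" ino=9162 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rhsmcertd_var_run_t:s0 tclass=sock_file permissive=0'

# avc_to_te MODULE_NAME
# Reads AVC records on stdin and prints a TE module: a require block with
# every source/target type and class seen, then one allow rule per
# (source type, target type, class) carrying the union of denied perms.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        # Denied permissions are the words between "{" and "}".
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        # Contexts are user:role:type:level; the policy rule needs the type.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); st = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (!(st in types))    { types[st] = ++nt; tlist[nt] = st }
        if (!(tt in types))    { types[tt] = ++nt; tlist[nt] = tt }
        if (!(cls in classes)) { classes[cls] = ++nc; clist[nc] = cls }
        key = st "|" tt "|" cls
        if (!(key in rule)) {
            rule[key] = ""; klist[++nk] = key
            src[key] = st; tgt[key] = tt; kcls[key] = cls
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # Union per rule (deduplicated) ...
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = rule[key] (rule[key] == "" ? "" : " ") p[j]
            }
            # ... and per class, for the require block.
            if (!((cls, p[j]) in cseen)) {
                cseen[cls, p[j]] = 1
                cperms[cls] = cperms[cls] (cperms[cls] == "" ? "" : " ") p[j]
            }
        }
    }
    # audit2allow style: braces only around a set of more than one perm.
    function braces(s) { return (index(s, " ") ? "{ " s " }" : s) }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "    type %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "    class %s %s;\n", clist[i], braces(cperms[clist[i]])
        print "}\n"
        for (i = 1; i <= nk; i++) {
            k = klist[i]
            printf "allow %s %s:%s %s;\n", src[k], tgt[k], kcls[k], braces(rule[k])
        }
    }'
}

# Usage: on a real box replace the sample with
#   ausearch -m AVC,USER_AVC -ts recent | avc_to_te my_rhsm_fix > my_rhsm_fix.te
printf '%s\n' "$AVC_SAMPLE" | avc_to_te my_rhsm_fix
```

The output is a `.te` file that builds with `checkmodule -M -m -o my_rhsm_fix.mod my_rhsm_fix.te && semodule_package -o my_rhsm_fix.pp -m my_rhsm_fix.mod && semodule -i my_rhsm_fix.pp`. To avoid the fix-restart-fix loop entirely, put just the one domain into permissive mode while reproducing (`semanage permissive -a rhsmcertd_t`), collect every denial in a single run, then revert with `semanage permissive -d rhsmcertd_t` before loading the module. A local module like this is a workaround for the affected host; the durable fix belongs in the rhsmcertd policy itself, where the reference policy already provides `manage_sock_file_perms` for a domain that creates, changes and removes its own socket files.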