linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

fapolicyd not updating after install of an rpm #265

Closed scarneysc closed 1 year ago

scarneysc commented 1 year ago

fapolicyd version: 1.1.3-12.el8
OS: 4.18.0-477.15.1.el8_8.x86_64 #1 SMP Fri Jun 2 08:27:19 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

Problem

fapolicyd is blocking uses of emacs. The deny message is:

```
2023-08-16T17:58:55.007653-05:00 swdvz4g40065 fapolicyd[13351]: rule=16 dec=deny_log perm=open auid=1230 pid=49652 exe=/usr/bin/emacs-26.1 : path=/usr/share/emacs/site-lisp/site-start.el ftype=text/x-lisp trust=0
```

Steps

```
bash-4.4$ rpm -q --info emacs-common-26.1-7.el8.x86_64
Name        : emacs-common
Epoch       : 1
Version     : 26.1
Release     : 7.el8
Architecture: x86_64
Install Date: Wed 16 Aug 2023 05:36:05 PM CDT
Group       : Applications/Editors
Size        : 93225242
License     : GPLv3+ and GFDL and BSD
Signature   : RSA/SHA256, Thu 05 Aug 2021 08:05:38 AM CDT, Key ID 199e2f91fd431d51
Source RPM  : emacs-26.1-7.el8.src.rpm
Build Date  : Thu 05 Aug 2021 05:34:38 AM CDT
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
Vendor      : Red Hat, Inc.
URL         : http://www.gnu.org/software/emacs/
Summary     : Emacs common files
Description :
Emacs is a powerful, customizable, self-documenting, modeless text editor. Emacs contains special code editing features, a scripting language (elisp), and the capability to read mail, news, and more without leaving the editor.

This package contains all the common files needed by emacs, emacs-lucid or emacs-nox.
```

Signature is sha256.

What else could be the issue?

radosroka commented 1 year ago

Fapolicyd gets rid of many files from /usr/share/ so the internal database can be as small as possible so lookup is fast. You can alter the default exclude list /etc/fapolicyd/rpm-filter.conf (in later versions /etc/fapolicyd/fapolicyd-filter.conf).

```
+ /
 - usr/include/
 - usr/share/
  + emacs/
  # Python byte code
  + *.py?
  # Python text files
  + *.py
  # Some apps have a private libexec
  + */libexec/*
  # Ruby
  + *.rb
  # Perl
  + *.pl
  # System tap
  + *.stp
  # Javascript
  + *.js
  # Java archive
  + *.jar
  # M4
  + *.m4
  # PHP
  + *.php
  # Perl Modules
  + *.pm
  # Lua
  + *.lua
  # Java
  + *.class
  # Typescript
  + *.ts
  # Typescript JSX
  + *.tsx
  # Lisp
  + *.el
  # Compiled Lisp
  + *.elc
 - usr/src/kernel*/
  + */scripts/*
  + */tools/objtool/*
```

stevegrubb commented 1 year ago

It's saying /usr/share/emacs/site-lisp/site-start.el is not trusted. But that is in a system directory. So, for 1.1.3, you want to see if this is included in the trust db, fapolicyd-cli --dump-db. You might also check that it belongs to an rpm. rpm -qf /usr/share/emacs/site-lisp/site-start.el. If it comes from an rpm, it should have been included.

You can also manually add it to the trust db.

scarneysc commented 1 year ago

I will try radosroka's suggestion.

I have a request. I was concerned about this because something similar could have tripped us up on our production system. I scoured the MAN pages and the README and what radosroka said is not mentioned. Could you guys add something to a MAN page or the README explaining this so people know what to do?

stevegrubb commented 1 year ago

Radovan's solution needs fapolicyd-1.2 or higher. The version you are using does not have it, but it includes lisp files. What `rpm -qf` does is tell you if it is owned by an rpm. If it is, it should be automatically enrolled in the trust database. If not, you have to manually add it.

fapolicyd-cli --file add /usr/share/emacs/site-lisp/site-start.el

scarneysc commented 1 year ago

So I updated the file, re-updated fapolicyd and restarted the service. No luck. Guess I am stuck with 1.2. So, will that be on RHEL9?

scarneysc commented 1 year ago

If it is not enrolling even though it is in an rpm, is that a bug?

radosroka commented 1 year ago

The feature should be backported. Just put there '+ emacs/' like I did and it should work.

scarneysc commented 1 year ago

Attaching the screenshot of rpm-filter.conf. It won't let me attach the file itself. (screenshot: rpm-filter-conf)

I added the emacs in and the file still doesn't show up. Other lisp files do under that structure. Might there be an issue with that particular file?

radosroka commented 1 year ago

> Attaching the screenshot of rpm-filter.conf. It won't let me attach the file itself. (screenshot: rpm-filter-conf)
>
> I added the emacs in and the file still doesn't show up. Other lisp files do under that structure. Might there be an issue with that particular file?

Format of the file is wrong. Check the man page. Lines should be nested somehow. In case you use the default .conf then just add emacs line after /usr/share and check for correct nesting.

Each of your lines is a root directory. I think that first / includes everything.
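
The nesting rule described here, and the filter layout shown in the earlier reply, can be checked offline with a small model of the filter format. The Python below is an added example written for this page, not fapolicyd code. The matching rules it implements are my reading of the format as it appears in this thread (an entry ending in `/` is a directory and matches as a path prefix, any other entry is a glob against the remaining path, indentation nests an entry under the line above it, the deepest matching entry decides, and an unmatched path is excluded); fapolicyd-filter.conf(5) and the daemon's own filter code remain authoritative. The `NESTED` and `FLAT` configs are constructed for the demonstration: the same lines once with indentation and once with every line at the root level, as in the screenshot being discussed.

```python
"""Simplified model of fapolicyd's nested include/exclude filter file.

Added example, not fapolicyd code. Assumed semantics (my reading of the
format shown in this thread):
  * a line is '+' (include) or '-' (exclude), a space, and a path fragment;
  * indentation nests entries: a child is matched against whatever part of
    the path remains after its parent matched;
  * a fragment ending in '/' is a directory and matches as a prefix (glob
    characters allowed); any other fragment is a glob against the remaining
    path, with '*' allowed to span '/';
  * the deepest matching entry decides; among siblings the last match wins;
  * a path that matches nothing is excluded.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    include: bool
    pattern: str
    children: List["Node"] = field(default_factory=list)


def parse_filter(text: str) -> List[Node]:
    """Build the entry tree from indentation (blank and '#' lines ignored)."""
    roots: List[Node] = []
    stack: List[Tuple[int, Node]] = []  # (indent, node) of currently open parents
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        sign, _, pattern = stripped.partition(" ")
        if sign not in ("+", "-") or not pattern.strip():
            raise ValueError(f"bad filter line: {raw!r}")
        node = Node(include=(sign == "+"), pattern=pattern.strip())
        while stack and stack[-1][0] >= indent:  # climb back to this line's parent
            stack.pop()
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((indent, node))
    return roots


def _match(node: Node, rest: str) -> Optional[str]:
    """Return the unmatched remainder of `rest` if `node` matches it, else None."""
    if node.pattern.endswith("/"):
        # directory entry: try every prefix of `rest` that ends at a '/'
        for i, ch in enumerate(rest):
            if ch == "/" and fnmatch.fnmatchcase(rest[: i + 1], node.pattern):
                return rest[i + 1:]
        return None
    return "" if fnmatch.fnmatchcase(rest, node.pattern) else None


def _decide(nodes: List[Node], rest: str, inherited: Optional[bool]) -> Optional[bool]:
    decision = inherited
    for node in nodes:
        remainder = _match(node, rest)
        if remainder is None:
            continue
        decision = node.include
        if node.children and remainder:  # descend; a deeper match overrides
            decision = _decide(node.children, remainder, decision)
    return decision


def is_kept(roots: List[Node], path: str) -> bool:
    """True if `path` survives the filter and would enter the trust database."""
    return _decide(roots, path, None) is True


# Constructed configs: the nested form from the earlier reply (abridged) and
# the flat form in which every line sits at the root level.
NESTED = """\
+ /
 - usr/include/
 - usr/share/
  + emacs/
  + *.py?
  + *.py
  + */libexec/*
  + *.el
  + *.elc
 - usr/src/kernel*/
  + */scripts/*
"""
FLAT = "\n".join(line.strip() for line in NESTED.splitlines()) + "\n"

SITE_START = "/usr/share/emacs/site-lisp/site-start.el"


def compare(path: str) -> Tuple[bool, bool]:
    """(kept under NESTED, kept under FLAT) for one path."""
    return is_kept(parse_filter(NESTED), path), is_kept(parse_filter(FLAT), path)


if __name__ == "__main__":
    for p in (SITE_START, "/usr/share/doc/emacs/README", "/usr/include/stdio.h",
              "/usr/src/kernels/4.18/scripts/sign-file", "/usr/bin/emacs-26.1"):
        nested, flat = compare(p)
        print(f"{p:48} nested={nested!s:5} flat={flat!s:5}")
```

Under the flat layout only `+ /` ever matches, so every path is kept and the `-` lines are dead, which is the "first / includes everything" effect; under the nested layout `/usr/share` and `/usr/include` are dropped and only the listed patterns (and the `emacs/` subtree) are re-admitted.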

radosroka commented 1 year ago

And even when you configure it correctly it won't be there, because it's packaged as a config and we exclude configs even before checking the filter, and I'm not sure if it's a feature or a bug.

https://github.com/linux-application-whitelisting/fapolicyd/blob/8e6fb6d1fb4d858678c7badc72068972d1b9bf53/src/library/rpm-backend.c#L219

As @stevegrubb pointed out, you can still manually mark it via the CLI as a trusted file; that should still work.

scarneysc commented 1 year ago

So our upgrade workflow is to have a high level install program which drives installation of the rpms. The installer verifies the authenticity and integrity of the rpms before deploying them via dnf. This would be one more thing that would have to be done. Know which rpms deploy config files that may have to be run and do an fapolicyd-cli --file add /path/to/config/file, correct?

scarneysc commented 1 year ago

OK, I think I understand. I passed on the information to my team. Closing issue.