Refine BlueChi's SELinux policy #883
Comments
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Apr 17, 2024
Relates to: eclipse-bluechi#879 Relates to: eclipse-bluechi#883 Relates to: eclipse-bluechi#884 This is a temporary fix to get BlueChi with its SELinux policy to work again as it is currently broken. As soon as the policy is refined (eclipse-bluechi#883) this change can be reversed and the policy enforced again. Signed-off-by: Michael Engel <mengel@redhat.com>
This was referenced Apr 17, 2024
engelmi
added a commit
that referenced
this issue
Apr 18, 2024
Relates to: #879 Relates to: #883 Relates to: #884 This is a temporary fix to get BlueChi with its SELinux policy to work again as it is currently broken. As soon as the policy is refined (#883) this change can be reversed and the policy enforced again. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 7, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
Merged
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 7, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 9, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 9, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 11, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 12, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
to engelmi/bluechi
that referenced
this issue
Sep 13, 2024
Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi
added a commit
that referenced
this issue
Sep 13, 2024
Relates to: #883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
|
After #935 was merged, the integration tests were run in multihost mode (with SELinux enforced enabled) to find any potential SELinux issues: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
In #850 we changed the
bluechi-selinuxpolicy from permissive to enforcing by default. This leads to various errors.Known issues
Blocked systemd calls
When enforcing it prevents various essential calls for
bluechi-agent(and probablybluechi-controller). For example starting a systemd service from thebluechi-agentis blocked:type=USER_AVC msg=audit(1713363081.067:544): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/etc/systemd/system/simple.service" cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:bluechi_agent_t:s0 tcontext=unconfined_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'These need to be added to bluechi.te. For reference, please see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/systemd.if
Files can't be read
BlueChi reads its configuration files from
/etc. However, it is possible to pass in paths to configuration files via the-cCLI option. The policy only allows reads from/etc, though. Using chcon it is possible to allow reads for files on other locations.This needs to be changed in:
/tmp/bluechiand thenchcon -R -t etc_t /tmp/bluechi/, where all configuration files passed in via-care locatedTo Reproduce
Installing the latest BlueChi from snapshot repo on copr:
https://copr.fedorainfracloud.org/coprs/g/centos-automotive-sig/bluechi-snapshot
Starting
bluechi-controllerandbluechi-agent. Then starting a unit viabluechictlto trigger the denial for starting systemd units, for example.Expected behavior
All functionalities from BlueChi (in expected uses) aren't denied by the SELinux policy.
The text was updated successfully, but these errors were encountered: