Remove the NoNewPrivileges because it breaks the ability to open socket #109

Merged 1 commit on Dec 10, 2024

Conversation

yixiangzhike
Contributor

If NoNewPrivileges is true, it breaks the ability to open a socket under /var/lib/gssproxy when selinux enabled.

The failed messages:
Nov 30 11:37:33 localhost systemd[1]: Starting GSSAPI Proxy Daemon...
Nov 30 11:37:34 localhost gssproxy[22445]: gssproxy[22445]: Failed to create Unix Socket! (13:Permission denied)
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Main process exited, code=exited, status=1/FAILURE
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Failed with result 'exit-code'.
Nov 30 11:37:34 localhost systemd[1]: Failed to start GSSAPI Proxy Daemon.

The audit log:
type=SELINUX_ERR msg=audit(11/30/2024 11:37:34.067:189) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:gssproxy_t:s0
type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc: denied { nnp_transition } for pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0
----
type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc: denied { add_name } for pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
----
type=SERVICE_START msg=audit(11/30/2024 11:37:34.082:191) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=gssproxy comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed'

@simo5
Contributor

simo5 commented Dec 9, 2024

What OS have you tested this on?
I see a similar thing in Fedora, but there it is merely commented out and not outright removed.
In general I would also ask that you comment it out and add a comment above it that explains why it doesn't work, otherwise a few months down the road I will get another PR asking to add the "missing" noNewPrivileges thing.

Also please make DCO check happy

If NoNewPrivileges is true, it breaks the ability to open a socket
under /var/lib/gssproxy when selinux enabled.

The failed messages:
Nov 30 11:37:33 localhost systemd[1]: Starting GSSAPI Proxy Daemon...
Nov 30 11:37:34 localhost gssproxy[22445]: gssproxy[22445]: Failed to create Unix Socket! (13:Permission denied)
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Main process exited, code=exited, status=1/FAILURE
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Failed with result 'exit-code'.
Nov 30 11:37:34 localhost systemd[1]: Failed to start GSSAPI Proxy Daemon.

The audit log:
type=SELINUX_ERR msg=audit(11/30/2024 11:37:34.067:189) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:gssproxy_t:s0
type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc:  denied  { nnp_transition } for  pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0
----
type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc:  denied  { add_name } for  pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
----
type=SERVICE_START msg=audit(11/30/2024 11:37:34.082:191) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=gssproxy comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed'

Signed-off-by: yixiangzhike <yixiangzhike007@163.com>
@yixiangzhike
Contributor Author

My OS is openEuler.
And I have changed the PR.

@simo5
Contributor

simo5 commented Dec 10, 2024

This works, thank you.

@simo5 simo5 merged commit 6874c56 into gssapi:main Dec 10, 2024
3 checks passed
@lslebodn

@yixiangzhike IMHO it would be better either to fix the SELinux policy in your distro
or to provide a systemd snippet override to disable the option, either in your distro or on your local machine.
Removing security hardening is not ideal.

BTW there are a bunch of systemd services on my fedora machine which have the option enabled and they work well with SELinux in the enforcing mode

[root@localhost ~]#  grep NoNewPrivileges /usr/lib/systemd/system/*.service
/usr/lib/systemd/system/abrtd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/bluetooth.service:NoNewPrivileges=true
/usr/lib/systemd/system/chronyd-restricted.service:NoNewPrivileges=yes
/usr/lib/systemd/system/chronyd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/chronyd.service:NoNewPrivileges=no
/usr/lib/systemd/system/cockpit.service:NoNewPrivileges=true
/usr/lib/systemd/system/colord.service:NoNewPrivileges=true
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service:NoNewPrivileges=yes
/usr/lib/systemd/system/dbus-org.freedesktop.import1.service:NoNewPrivileges=yes
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service:NoNewPrivileges=yes
/usr/lib/systemd/system/dbus-org.freedesktop.login1.service:NoNewPrivileges=yes
/usr/lib/systemd/system/dbus-org.freedesktop.machine1.service:NoNewPrivileges=yes
/usr/lib/systemd/system/dbus-org.freedesktop.timedate1.service:NoNewPrivileges=yes
/usr/lib/systemd/system/fprintd.service:NoNewPrivileges=true
/usr/lib/systemd/system/geoclue.service:NoNewPrivileges=true
/usr/lib/systemd/system/gssproxy.service:# NoNewPrivileges: when true breaks the ability to open a socket
/usr/lib/systemd/system/gssproxy.service:#   under /var/lib/gssproxy so no NoNewPrivileges
/usr/lib/systemd/system/irqbalance.service:NoNewPrivileges=yes
/usr/lib/systemd/system/logrotate.service:#  no NoNewPrivileges for third party rotate scripts
/usr/lib/systemd/system/ModemManager.service:NoNewPrivileges=true
/usr/lib/systemd/system/nm-priv-helper.service:NoNewPrivileges=true
/usr/lib/systemd/system/polkit.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-coredump@.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-homed.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-hostnamed.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-importd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-initctl.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-journald.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-journald@.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-localed.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-logind.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-machined.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-networkd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-oomd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-resolved.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-rfkill.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-sysupdate.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-timedated.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-timesyncd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/systemd-userdbd.service:NoNewPrivileges=yes
/usr/lib/systemd/system/upower.service:NoNewPrivileges=true

and even many more enabled in SELinux policy

[root@localhost ~]# sesearch -A -p nnp_transition
allow NetworkManager_t initrc_t:process2 { nnp_transition nosuid_transition };
allow abrt_t abrt_handle_event_t:process2 nnp_transition; [ abrt_handle_event ]:True
allow anaconda_t initrc_t:process2 { nnp_transition nosuid_transition };
allow apmd_t initrc_t:process2 { nnp_transition nosuid_transition };
allow authconfig_t initrc_t:process2 { nnp_transition nosuid_transition };
allow certmonger_unconfined_t initrc_t:process2 { nnp_transition nosuid_transition };
allow cluster_t initrc_t:process2 { nnp_transition nosuid_transition };
allow condor_startd_t initrc_t:process2 { nnp_transition nosuid_transition };
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
allow container_runtime_t container_user_t:process2 nnp_transition;
allow firstboot_t initrc_t:process2 { nnp_transition nosuid_transition };
allow glusterd_t initrc_t:process2 { nnp_transition nosuid_transition };

//snip

[root@localhost ~]# sesearch -A -p nnp_transition | wc -l
156

@yixiangzhike
Contributor Author

It's a better idea to fix the selinux policy. It should allow the init_t nnp transition to gssproxy_t in the selinux policy. I will have a try.
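As an added example (not code from this PR or from the gssproxy project): a small parser over the AVC lines from the audit log posted above that renders each denial as the allow rule audit2allow would print, and keeps only the nnp_transition rule as the root-cause fix, since the later add_name denial is logged with scontext=init_t, i.e. the process never reached gssproxy_t. The sample lines are copied from this thread; the function names are my own.

```python
import re

# Sample input: the SELINUX_ERR and AVC records from the audit log in this PR.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(11/30/2024 11:37:34.067:189) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:gssproxy_t:s0
type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc:  denied  { nnp_transition } for  pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc:  denied  { add_name } for  pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
"""

# Matches only AVC denial records; SELINUX_ERR and SERVICE_START lines are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field (third colon-separated field) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(text):
    """Extract source type, target type, object class and permissions from each AVC denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": m.group("perms").split(),
        })
    return denials


def allow_rule(d):
    """Render one denial as the policy rule that would permit it (audit2allow style)."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"


def root_cause_rules(denials):
    """Keep only the nnp_transition denial. Once the transition into gssproxy_t is
    allowed, gssproxy no longer runs as init_t, so the add_name denial (logged with
    scontext=init_t) goes away without an allow rule of its own; adding that second
    rule would instead widen what init_t itself may do in gssproxy_var_lib_t."""
    transitions = [d for d in denials
                   if d["tclass"] == "process2" and "nnp_transition" in d["perms"]]
    return [allow_rule(d) for d in transitions]


if __name__ == "__main__":
    for rule in root_cause_rules(parse_avc(SAMPLE_AUDIT)):
        print(rule)
```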
