
Bugs found by SELinux #5214

Closed
DemiMarie opened this issue Aug 3, 2019 · 5 comments
Labels
affects-4.1 This issue affects Qubes OS 4.1. C: core eol-4.1 Closed because Qubes 4.1 has reached end-of-life (EOL) P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@DemiMarie

DemiMarie commented Aug 3, 2019

Qubes OS version:

Qubes release 4.0 (R4.0)

Affected component(s) or functionality:

Probably multiple. Bugs have been found in qrexec, qubes-firewall, and others so far.


Steps to reproduce the behavior:

Run with SELinux in strict enforcing mode and start writing SELinux policies.

Expected or desired behavior:

  • qrexec-agent doesn’t leak a Xen FD and a TTY FD to processes spawned by PAM.
  • qubes-firewall ships with .pyc files in the RPM package.
  • udevadm is not run except using sudo.

Actual behavior:

  • qrexec-agent leaks a Xen FD and a TTY FD to processes spawned by PAM.
  • qubes-firewall doesn’t ship with .pyc files in the RPM package.
  • udevadm is run without sudo.

General notes:

These show up as AVC denials. In the first case, namespace_init_t was passed FDs belonging to Xen and a TTY, which SELinux (correctly) blocked. In the second case, init_t was trying to write compiled Python bytecode, which was also blocked. The third and fourth cases are because on strict SELinux systems, administrative users such as user log in as staff_u:staff_r:staff_t:s0-s0:c0.c1023 by default. This does not grant them permission to run udevadm, but using sudo, they can transition to staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023, which does have the needed permissions.


I have consulted the following relevant documentation:

I am aware of the following related, non-duplicate issues:

#4329, #4278, #4279
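The first bullet above is an instance of a general defect class: a privileged daemon forks helpers (here PAM session modules and their children) without marking its private descriptors close-on-exec, so they inherit into code that was never meant to hold them. The following is an added example, not qrexec or any other Qubes code, showing a portable POSIX audit-and-fix routine for that class; the `lowest` threshold and the scan cap are assumptions of this example.

```c
/* Added example (not Qubes code): audit inherited file descriptors and mark
 * them close-on-exec, the mitigation for "daemon leaks FDs into processes
 * spawned by PAM". POSIX only; no /proc dependency. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Highest fd number scanned. Assumption of this example: cap at 65536 so the
 * loop stays cheap even when the soft limit is huge or sysconf fails. */
static int fd_limit(void) {
    long n = sysconf(_SC_OPEN_MAX);
    return (n > 0 && n <= 65536) ? (int)n : 65536;
}

/* Returns 1 if fd is open and would survive execve() (no FD_CLOEXEC),
 * 0 if it is closed or already close-on-exec. */
int fd_leaks_on_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return 0;            /* EBADF: not an open descriptor */
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Audit: how many descriptors >= lowest would leak into a spawned child.
 * A daemon can call this right before fork()/exec() and log a non-zero result,
 * which is the condition SELinux surfaced as an AVC denial in the report. */
int count_leaking_fds(int lowest) {
    int n = 0, limit = fd_limit();
    for (int fd = lowest; fd < limit; fd++)
        n += fd_leaks_on_exec(fd);
    return n;
}

/* Fix: set FD_CLOEXEC on every open fd >= lowest (3 keeps stdio inheritable).
 * Returns the number of descriptors changed, or -1 on an unexpected error. */
int mark_cloexec_from(int lowest) {
    int changed = 0, limit = fd_limit();
    for (int fd = lowest; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF) continue;  /* gap in the fd table */
            return -1;
        }
        if (flags & FD_CLOEXEC) continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        changed++;
    }
    return changed;
}
```

Calling `mark_cloexec_from(3)` once before spawning helpers (or opening descriptors with `O_CLOEXEC` in the first place) closes the leak; `count_leaking_fds(3)` is the check to run in tests or at startup.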

@andrewdavidwong andrewdavidwong added C: core P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Aug 3, 2019
@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Aug 3, 2019
@marmarek
Member

marmarek commented Aug 3, 2019

Can you paste full relevant messages?

As for .pyc files, which exactly? I see those:

$ rpm -ql qubes-core-agent|grep pyc$
/usr/lib/python2.7/site-packages/qubesagent/__init__.pyc
/usr/lib/python2.7/site-packages/qubesagent/firewall.pyc
/usr/lib/python2.7/site-packages/qubesagent/test_firewall.pyc
/usr/lib/python2.7/site-packages/qubesagent/xdg.pyc
/usr/lib/yum-plugins/yum-qubes-hooks.pyc

@DemiMarie
Author

There are missing .pyc files under the Qubes kernel module directory, but I think the missing files here are actually bugs in Fedora.

@DemiMarie
Author

Presumably fixed by QubesOS/qubes-core-qrexec@0516ffc, closing.

@marmarek
Member

marmarek commented Jul 1, 2021

  • qrexec-agent leaks a Xen FD and a TTY FD to processes spawned by PAM.

  • qubes-firewall doesn’t ship with .pyc files in the RPM package.

  • udevadm is run without sudo.

The change you linked is only at the dom0 side, so it's unlikely to fix any of those.

@marmarek marmarek reopened this Jul 1, 2021
@andrewdavidwong andrewdavidwong added the affects-4.1 This issue affects Qubes OS 4.1. label Aug 8, 2023
@andrewdavidwong andrewdavidwong removed this from the Release 4.1 updates milestone Aug 13, 2023
@andrewdavidwong andrewdavidwong added the eol-4.1 Closed because Qubes 4.1 has reached end-of-life (EOL) label Dec 7, 2024

github-actions bot commented Dec 7, 2024

This issue is being closed because:

If anyone believes that this issue should be reopened, please leave a comment saying so.
(For example, if a bug still affects Qubes OS 4.2, then the comment "Affects 4.2" will suffice.)

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 7, 2024
3 participants