Bug 1213435

Summary: AUDIT-WHITELIST: policycoreutils-dbus: Polkit actions and DBUS service
Product: [Novell Products] SUSE Security Incidents
Reporter: Filippo Bonazzi <filippo.bonazzi>
Component: Audits
Assignee: Filippo Bonazzi <filippo.bonazzi>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1215977
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Filippo Bonazzi 2023-07-18 15:30:54 UTC
A recent policycoreutils packaging improvement (https://build.opensuse.org/package/show/security:SELinux/policycoreutils) added the policycoreutils-dbus subpackage.

This package needs a whitelisting for the following errors:

```
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.config.pkexec.run (no:no:auth_admin)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.restorecon (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.setenforce (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.semanage (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.customized (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.semodule_list (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.relabel_on_boot (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.change_default_policy (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.change_default_mode (no:no:auth_admin_keep)
```

and

```
policycoreutils-dbus.noarch: E: dbus-file-unauthorized (Badness: 10) /etc/dbus-1/system.d/org.selinux.conf (sha256 file digest default filter:c61012885a96effafb8769c969f35ec37872ed074064d0995ea76c8e32d71ab9 shell filter:3b610033e2566d2af9c67a390debf66f93e9750805f4f0811dcdc886016ed407 xml filter:0ec37dac1d4ff66ca0ff3aec940c28ad9468e70f7376571dcaf311c58ef66927)
policycoreutils-dbus.noarch: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.selinux.service (sha256 file digest default filter:72e1dbaa64ae4f041b45d87c1ec65ae1f6596245171cf6bd967e4d13e4d48600 shell filter:72e1dbaa64ae4f041b45d87c1ec65ae1f6596245171cf6bd967e4d13e4d48600 xml filter:<failed-to-calculate>)
```
Comment 1 Matthias Gerstner 2023-08-03 11:36:23 UTC
I also looked a bit into this package. The D-Bus service is small and looks
sane enough. Only `auth_admin_keep` settings.

An interesting side path was looking into libselinux's `restorecon()` function
which recursively walks the file system for relabelling. I didn't dig much
deeper due to the complexity of the algorithm. But there's a lot of naive
opening and stat'ing in the logic. I wouldn't be surprised if during
relabelling typical file system attacks can be used to gain privileges. This
could be something for a separate AUDIT-1 or so, if somebody is interested.

The GUI tool `system-config-selinux` is supposed to be run as root (polkit
policy shipped for this). The Python code for this tool uses a lot of
`subprocess.statusoutput` which runs a single command string through the
shell. It turns out that placing special characters in various GUI fields can
lead to code execution as root. Examples:

fcontextPage.py: add(). In "File Labelling" click "+" for adding an entry, put
something like

    '; touch /tmp/evil_file; ls '

into the "File Specification" field, /tmp/evil_file will be created.

Similarly, in loginsPage.py add/delete: go to UserMapping, click "+" for adding
a user, place something like

    ; touch /tmp/my_user; true

into the "Login Name" field, /tmp/my_user will come into existence.

While this is not an outright security issue, since the GUI can only be
started with root privileges anyway, it is really bad style and, basically, a
bug. There are a lot more uses of "statusoutput" which should all be replaced
by safe subprocess calls that don't go through the shell.
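The shell-string pattern described in the comment above beside its list-form replacement, as an added Python example that is not code from policycoreutils or from the bug report. The hostile "Login Name" value is constructed and uses a harmless `echo` instead of `touch`; `build_login_add_argv` is a hypothetical helper, and `subprocess.getstatusoutput` is the shell-backed call (`shell=True`) that the fix replaces.

```python
import shlex
import subprocess

# Constructed sample: a value typed into the GUI's "Login Name" field.
# A ';' ends the intended command when the string reaches a shell.
HOSTILE_LOGIN = "; echo INJECTED; true"


def run_via_shell(command: str) -> tuple[int, str]:
    """The audited pattern: one command string handed to /bin/sh -c.
    getstatusoutput() is shell=True, so metacharacters in user input
    are parsed by the shell rather than passed to the program."""
    return subprocess.getstatusoutput(command)


def run_argv(argv: list[str]) -> tuple[int, str]:
    """The fix: an argument list and no shell. Each list element reaches
    the program as exactly one argv entry, whatever it contains."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.rstrip("\n")


def build_login_add_argv(login: str, seuser: str, mls_range: str) -> list[str]:
    """Hypothetical helper: argv for 'semanage login -a -s SEUSER -r RANGE LOGIN'.
    The login name is one argument, never spliced into a string."""
    return ["semanage", "login", "-a", "-s", seuser, "-r", mls_range, login]


def shell_quoted(argv: list[str]) -> str:
    """Fallback only when a shell string is unavoidable: quote every word."""
    return " ".join(shlex.quote(word) for word in argv)


def demo(value: str) -> tuple[str, str]:
    """Echo VALUE both ways; returns (shell_output, argv_output)."""
    _, via_shell = run_via_shell("echo " + value)
    _, via_argv = run_argv(["echo", value])
    return via_shell, via_argv


if __name__ == "__main__":
    shell_out, argv_out = demo(HOSTILE_LOGIN)
    print("shell string ->", repr(shell_out))   # injected command ran
    print("argv list    ->", repr(argv_out))    # value passed literally
    print("quoted       ->", shell_quoted(build_login_add_argv(HOSTILE_LOGIN, "user_u", "s0")))
```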
Comment 2 Filippo Bonazzi 2023-10-05 14:17:57 UTC
I have split the audit of the -gui subpackage into a separate AUDIT-1 (bug 1215977), so that we can go ahead with the whitelisting of the -dbus package and unblock security:SELinux -> Factory submissions.
Comment 5 Filippo Bonazzi 2023-10-09 09:07:12 UTC
Merged in https://build.opensuse.org/request/show/1116005