Bugzilla – Bug 1213435
AUDIT-WHITELIST: policycoreutils-dbus: Polkit actions and DBUS service
Last modified: 2024-03-13 09:21:58 UTC
A recent policycoreutils packaging improvement (https://build.opensuse.org/package/show/security:SELinux/policycoreutils) added the policycoreutils-dbus subpackage. This package needs a whitelisting for the following errors:

```
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.config.pkexec.run (no:no:auth_admin)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.restorecon (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.setenforce (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.semanage (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.customized (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.semodule_list (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.relabel_on_boot (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.change_default_policy (no:no:auth_admin_keep)
policycoreutils-dbus.noarch: E: polkit-untracked-privilege (Badness: 10) org.selinux.change_default_mode (no:no:auth_admin_keep)
```

and

```
policycoreutils-dbus.noarch: E: dbus-file-unauthorized (Badness: 10) /etc/dbus-1/system.d/org.selinux.conf (sha256 file digest default filter:c61012885a96effafb8769c969f35ec37872ed074064d0995ea76c8e32d71ab9 shell filter:3b610033e2566d2af9c67a390debf66f93e9750805f4f0811dcdc886016ed407 xml filter:0ec37dac1d4ff66ca0ff3aec940c28ad9468e70f7376571dcaf311c58ef66927)
policycoreutils-dbus.noarch: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.selinux.service (sha256 file digest default filter:72e1dbaa64ae4f041b45d87c1ec65ae1f6596245171cf6bd967e4d13e4d48600 shell filter:72e1dbaa64ae4f041b45d87c1ec65ae1f6596245171cf6bd967e4d13e4d48600 xml filter:<failed-to-calculate>)
```
I also looked a bit into this package. The D-Bus service is small and looks sane enough. Only `auth_admin_keep` settings.

An interesting side path was looking into libselinux's `restorecon()` function which recursively walks the file system for relabelling. I didn't dig much deeper due to the complexity of the algorithm. But there's a lot of naive opening and stat'ing in the logic. I wouldn't be surprised if during relabelling typical file system attacks can be used to gain privileges. This could be something for a separate AUDIT-1 or so, if somebody is interested.

The GUI tool `system-config-selinux` is supposed to be run as root (polkit policy shipped for this). The Python code for this tool uses a lot of `subprocess.statusoutput` which runs a single command string through the shell. It turns out that placing special characters in various GUI fields can lead to code execution as root. Examples:

fcontextPage.py: add(). In "File Labelling" click "+" for adding an entry, put something like '; touch /tmp/evil_file; ls ' into the "File Specification" field, /tmp/evil_file will be created.

Similarly in loginsPage.py add/delete: go to UserMapping, click "+" for adding a user, place something like `; touch /tmp/my_user; true` into the "Login Name" field, /tmp/my_user will come into existence.

While this is not an outright security issue, since the GUI can only be started with root privileges anyway, it is really bad style and basically a bug. There are a lot more uses of "statusoutput" which should all be replaced by safe subprocess calls that don't go through the shell.
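The shell-string pattern described in the comment above, next to the argument-vector replacement it recommends. This is an added example, not code from policycoreutils or from the bug comments: the function names are hypothetical, `printf` stands in for the privileged tool the GUI would call, and the field value is constructed after the one quoted above, pointed at a temporary directory.

```python
import os
import subprocess
import tempfile


def field_value(marker):
    # Constructed sample input, modelled on the "File Specification" value above.
    return f"; touch {marker}; ls "


def run_via_shell(spec):
    """The 'before': one command string handed to /bin/sh (hypothetical helper)."""
    # The shell treats ';' in the field as a command separator, so everything
    # after it runs as its own command with the caller's privileges.
    return subprocess.getstatusoutput("printf '%s\\n' " + spec)


def run_via_argv(spec):
    """The 'after': an argument vector with no shell in between."""
    # The field travels as exactly one argv element; ';' is just a character.
    proc = subprocess.run(
        ["printf", "%s\n", spec],
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.returncode, proc.stdout.rstrip("\n")


def demo():
    """Run both variants on the same input and report whether the marker appeared."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, fn in (("shell", run_via_shell), ("argv", run_via_argv)):
            marker = os.path.join(tmp, name + "_marker")
            status, output = fn(field_value(marker))
            results[name] = {
                "status": status,
                "output": output,
                "marker_created": os.path.exists(marker),
            }
    return results


if __name__ == "__main__":
    for variant, result in demo().items():
        print(variant, result["marker_created"], repr(result["output"]))
```

With the argument vector the field content can still be read as an option by the called tool if it starts with `-`, so input validation remains necessary after the shell is removed.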
I have split the audit of the -gui subpackage into a separate AUDIT-1 (bug 1215977), so that we can go ahead with the whitelisting of the -dbus package and unblock security:SELinux -> Factory submissions.
Merged in https://build.opensuse.org/request/show/1116005