
Bug 1980560

Summary: If init_t can read all file_type directories, it should be able to watch them as well
Product: [Fedora] Fedora
Reporter: Dusty Mabe <dustymabe>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: ON_QA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 34
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dusty Mabe 2021-07-08 20:56:28 UTC
Description of problem:

We are seeing issues where init_t (systemd) is not able to watch directories. This makes path units pretty useless.

According to Dan Walsh: "If init_t can read all file_type directories, it should be able to watch them as well." https://github.com/containers/container-selinux/issues/135#issuecomment-867961079



Can we get selinux updated to allow systemd to watch directories so our path units will work again?

More context in:

https://github.com/coreos/fedora-coreos-tracker/issues/861
https://github.com/containers/container-selinux/issues/135



Version-Release number of selected component (if applicable):

```
[core@localhost ~]$ rpm -q selinux-policy container-selinux
selinux-policy-34.11-1.fc34.noarch
container-selinux-2.163.0-1.fc34.noarch
```


How reproducible:
Always

Steps to Reproduce:

spin up an FCOS machine with this butane config:


```
variant: fcos
version: 1.3.0
systemd:
  units:
    - name: tester.path
      enabled: true
      contents: |
        [Unit]
        Description=Watch for kube config
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: tester.service
      enabled: false
      contents: |
        [Unit]
        Description=Watch for test config
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=bash -c "echo tester: $(date)"
storage:
  directories:
    - path: /etc/kubernetes
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - "MY-PUBKEY"
```

Notice that after you log in you can't activate the path unit by creating /etc/kubernetes/kubeconfig and you'll see the following in the journal:

```
$ journalctl | grep -i avc | grep denied
Jul 08 20:50:34 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
```

We don't have the same problem if we use some random directory (i.e. `/etc/foobar/kubeconfig`).


Actual results:

Denied


Expected results:

Not denied


Additional info:

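As an added example (not part of this bug report or of the selinux-policy project), the following Python script parses AVC records like the one quoted above out of journal output, aggregates denials per source domain, target type, object class and permission, lists the directories on which `init_t` was denied `watch` (the symptom behind a path unit that never fires), and prints the audit2allow-style rule each group of denials would need. The sample journal lines are constructed: the first is the denial from this bug, the rest are made up in the same format. Whether such a rule should be added as a narrow local module or, as Dan Walsh argues, granted generally for everything `init_t` can already read is a policy decision the script does not make.

```python
import re
from collections import Counter, defaultdict

# Constructed sample journal output. The first record is the denial quoted in
# this bug; the remaining lines are made up to show grouping and a non-AVC line.
SAMPLE_JOURNAL = """\
Jul 08 20:50:34 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
Jul 08 20:50:40 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
Jul 08 20:51:02 localhost audit[1]: AVC avc:  denied  { read open } for  pid=1234 comm="myapp" path="/var/lib/foo/state" dev="sda4" ino=42 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Jul 08 20:51:10 localhost systemd[1]: Started Watch for kube config.
"""

# Fields of a kernel AVC record as it appears on one journal line.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """The third field of user:role:type[:level] is the SELinux type."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else context


def parse_avc(line):
    """Return a dict describing the AVC record on a journal line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    path = re.search(r'path="([^"]*)"', line)
    permissive = m.group("permissive")
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "sdomain": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0 means the access was really blocked, not just logged
        "enforced": permissive == "0" if permissive is not None else None,
        "comm": comm.group(1) if comm else None,
        "path": path.group(1) if path else None,
    }


def summarize_denials(lines):
    """Count denied (source domain, target type, class, permission) tuples."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def find_watch_denials(lines, domain="init_t"):
    """Directories on which `domain` was denied watch, as sorted
    (path, target type) pairs: the symptom a broken path unit shows."""
    found = set()
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and rec["sdomain"] == domain
                and rec["tclass"] == "dir" and "watch" in rec["perms"]):
            found.add((rec["path"], rec["ttype"]))
    return sorted(found)


def suggest_rules(counts):
    """audit2allow-style allow rules, one per (domain, type, class), that
    would cover every denial counted in `counts`."""
    grouped = defaultdict(set)
    for (sdomain, ttype, tclass, perm) in counts:
        grouped[(sdomain, ttype, tclass)].add(perm)
    return [
        f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (sdomain, ttype, tclass), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    lines = SAMPLE_JOURNAL.splitlines()
    counts = summarize_denials(lines)
    for key, n in sorted(counts.items()):
        print(f"{n:3d}  {key[0]} -> {key[1]}:{key[2]} {key[3]}")
    print("watch denials for init_t:", find_watch_denials(lines))
    for rule in suggest_rules(counts):
        print(rule)
```

To run it against a real machine, replace `SAMPLE_JOURNAL.splitlines()` with the output of `journalctl | grep -i avc`; records with `permissive=1` show what a policy would block if enforced, which is why the parser keeps that flag separately.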
Comment 1 Zdenek Pytela 2021-07-09 06:57:38 UTC
I've opened a PR:
https://github.com/fedora-selinux/selinux-policy/pull/799

If there is no negative feedback, I'll merge it soon. I expect one objection it is not complete enough.

Comment 2 Dusty Mabe 2021-07-09 13:41:44 UTC
Thanks @zpytela. If there is a scratch build available somewhere I can try to test with it.

Comment 3 Zdenek Pytela 2021-07-09 14:14:37 UTC
PR
Show all checks -> build-rpm -> Details -> Artifacts -> rpms

Comment 4 Dusty Mabe 2021-07-09 14:31:07 UTC
Thanks.. Looks like it works great!

```
[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$ 
[core@localhost ~]$ systemctl status tester.service
○ tester.service - Watch for test config
     Loaded: loaded (/etc/systemd/system/tester.service; static)
     Active: inactive (dead)
TriggeredBy: ● tester.path
[core@localhost ~]$ 
[core@localhost ~]$ sudo journalctl -u tester.service -u tester.path -f & 
[1] 1200
[core@localhost ~]$ -- Journal begins at Fri 2021-07-09 14:28:17 UTC. --
Jul 09 14:28:26 localhost systemd[1]: Started Watch for kube config.

[core@localhost ~]$ 
[core@localhost ~]$ 
[core@localhost ~]$ sudo touch /etc/kubernetes/kubeconfig
[core@localhost ~]$ Jul 09 14:29:35 localhost.localdomain systemd[1]: Starting Watch for test config...
Jul 09 14:29:35 localhost.localdomain bash[1211]: tester: Fri Jul 9 14:29:35 UTC 2021
Jul 09 14:29:35 localhost.localdomain systemd[1]: Finished Watch for test config.

[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$ 
[core@localhost ~]$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-34.13-1.20210707_172609.3600bd4.fc35.noarch
selinux-policy-targeted-34.13-1.20210707_172609.3600bd4.fc35.noarch
```

Comment 5 Zdenek Pytela 2021-07-13 16:29:47 UTC
Merged.

Comment 6 Fedora Update System 2021-07-14 19:45:21 UTC
FEDORA-2021-119c2c9b63 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63

Comment 7 Fedora Update System 2021-07-15 01:40:57 UTC
FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-119c2c9b63`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.