Issue
Description of problem:
IMHO the rules added to enable dracut execution are too loose (/etc/fapolicyd/rules.d/20-dracut.rules):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
I think there are 2 issues:
1. the "allow perm=any uid=0 : dir=/var/tmp/" rule is not needed at all; dracut executes fine (at least with the default command "dracut -f") with just the second rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
cat /etc/fapolicyd/rules.d/20-dracut.rules
# Carve out an exception for dracut's initramfs building
#allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
systemctl restart fapolicyd
dracut /tmp/initrd.img $(uname -r)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
2. the "allow perm=any uid=0 trust=1 : all" rule allows the root user to execute any crafted program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
cat > hello.c << EOF
#include <stdio.h>
int main(int argc, char *argv[])
{
    printf("Hello!\n");
    return 0;
}
EOF
gcc -o hello hello.c
./hello
Hello!
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
I think if there is no other choice but this second rule, then a comment in the rules file should clearly mention that this opens things up for the root user far beyond dracut.
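As an added illustration (not part of this report and not fapolicyd's own code), a small checker that parses rule lines in the "decision perm=... subject : object" form used by rules.d files and flags allow rules whose object side is "all" while nothing on the subject side ties the rule to a particular program; the parser covers a simplified subset of the syntax, the set of program-pinning subject keys is an assumption, and the sample input is the two rules quoted above.

```python
# Added example (not fapolicyd's own code): a checker for rules.d-style lines of the
# form "decision perm=<p> <subject fields> : <object fields>". It parses a simplified
# subset of that syntax (an assumption) and flags allow rules whose object side is
# "all" while no subject field pins the rule to a particular program.
from collections import namedtuple

# Constructed input: the two rules quoted in the report, with the file comment.
SAMPLE_RULES = """\
# Carve out an exception for dracut's initramfs building
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
"""

# Subject keys that tie a rule to one program rather than a whole user (assumed set).
NARROW_SUBJECT = {"exe", "comm", "pattern", "pid", "ppid"}

# subj/obj are dicts of fields, e.g. {"uid": "0", "trust": "1"} and {"all": ""}.
Rule = namedtuple("Rule", "lineno decision perm subj obj")

def parse_fields(tokens):
    """'key=value' tokens -> dict; a bare word such as 'all' becomes a key with ''."""
    return {k: v for k, _, v in (tok.partition("=") for tok in tokens)}

def parse_rules(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        head, _, obj_part = line.partition(":")
        decision, *rest = head.split()
        perm, subj_tokens = "any", []          # "any" assumed when no perm= is given
        for tok in rest:
            if tok.startswith("perm="):
                perm = tok[len("perm="):]
            else:
                subj_tokens.append(tok)
        rules.append(Rule(lineno, decision, perm,
                          parse_fields(subj_tokens), parse_fields(obj_part.split())))
    return rules

def lint(rules):
    """Return (lineno, message) for allow rules that let a whole uid act on every file."""
    findings = []
    for r in rules:
        if r.decision == "allow" and "all" in r.obj and NARROW_SUBJECT.isdisjoint(r.subj):
            findings.append((r.lineno,
                             f"uid={r.subj.get('uid', '*')} gets perm={r.perm} on object=all"))
    return findings
```

Running lint(parse_rules(SAMPLE_RULES)) reports only the trust=1 rule on line 3; the dir=/var/tmp/ rule is not flagged because its object is a directory, not every file.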
Version-Release number of selected component (if applicable):
fapolicyd-1.1.3-8.el8_7.1.x86_64
How reproducible:
Always, see above.