Bug 1513399
| Summary: | avc: denied { map } for systemd on modules.dep.bin | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
| Component: | openvswitch | Assignee: | Aaron Conole <aconole> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | aconole, apevec, apo, brad.inch, chrisw, dwalsh, fleitner, jpazdziora, lvrabec, mgrepl, plautrba, pmoore, tgraf, tredaelli |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-29 14:46:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Bug 1508336 was filed against openvswitch and is very similar, although there it's not systemd but modprobe which is being denied map access to modules.dep.bin.

selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Just encountered this problem after installing openvswitch-2.8.1-1 on Fedora 27 (4.13.13-300.fc27.x86_64 with selinux-policy-3.13.1-283.16). Resolved with the following policy update:

```
module openvswitch_1 1.0;

require {
    type openvswitch_t;
    type modules_object_t;
    class file map;
    class system module_load;
}

#============= openvswitch_t ==============
# Let the openvswitch domain mmap the kernel module index (modules.dep.bin).
allow openvswitch_t modules_object_t:file map;
# Let the openvswitch domain itself load kernel modules.
allow openvswitch_t self:system module_load;
```

I confirm that with selinux-policy-3.13.1-283.16.fc27.noarch I still see the AVC denial. Lukáš, what fix was supposed to go to that version? Do you want this bugzilla reopened, or a new one filed? Alternatively, bug 1508336 could be used for the final fix. Overall, is allowing module_load what should be done for openvswitch_t, or should that be isolated into some one-purpose helper?

*** Bug 1517239 has been marked as a duplicate of this bug. ***

Any chance of getting a proper fix to updates-testing?

I like the idea to create a new SELinux type for the openvswitch domain (e.g. openvswitch_load_module_t) and there will be a transition like:

```
type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t
```

And we'll label this one-purpose helper with openvswitch_load_module_exec_t. Main issue here is that if we allow module_load for openvswitch_t we basically make this domain unconfined. Is this possible from the openvswitch POV? Thanks, Lukas.

I am about to propose a script upstream to do just that. Is it possible to get your assistance to review?

This was accepted. OvS 2.10 will have the appropriate tools for the selinux domain transitions to prevent these AVC denials.

Thank you for the information. What is the plan for bringing 2.10 (and thus the fix) to Fedora 27 / Fedora 28 / rawhide?
Description of problem:

A recent update on Fedora 27 now causes the following SELinux denial, right after booting:

```
# journalctl -b |grep avc.*denied.*modules.dep
Nov 15 05:44:17 localhost.localdomain audit[1]: AVC avc: denied { map } for pid=1 comm="systemd" path="/usr/lib/modules/4.13.11-300.fc27.x86_64/modules.dep.bin" dev="dm-0" ino=4291251 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file permissive=0
```

We noticed this when refreshing Cockpit's fedora-27 test VM (https://github.com/cockpit-project/cockpit/pull/8082). The previous refresh was just a few days ago, so this is a very recent regression.

Version-Release number of selected component (if applicable):

```
# rpm -qa | egrep 'selinux-policy|kernel-core|systemd-2'
selinux-policy-3.13.1-283.14.fc27.noarch
selinux-policy-targeted-3.13.1-283.14.fc27.noarch
kernel-core-4.13.11-300.fc27.x86_64
systemd-234-9.fc27.x86_64
```

The previous image (where this does not happen) has the same selinux, but an older kernel and systemd:

```
selinux-policy-3.13.1-283.14.fc27.noarch
selinux-policy-targeted-3.13.1-283.14.fc27.noarch
systemd-234-8.fc27.x86_64
kernel-core-4.13.9-300.fc27.x86_64
```

How reproducible: Always
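Added example, not code from this bug report or from the openvswitch or selinux-policy projects: a small Python triage helper that parses AVC denial records of the form quoted in the description, emits the audit2allow-style rule each one would need, and flags permissions such as `system module_load` that, as the discussion above notes, would effectively unconfine the domain and argue for a separate helper domain instead of a blanket allow. The log lines are constructed to mirror the records in this report.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on the denial quoted in this report (not a
# real capture); the second line mirrors the modprobe/module_load variant.
SAMPLE_LOG = """\
Nov 15 05:44:17 localhost.localdomain audit[1]: AVC avc: denied { map } for pid=1 comm="systemd" path="/usr/lib/modules/4.13.11-300.fc27.x86_64/modules.dep.bin" dev="dm-0" ino=4291251 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file permissive=0
Nov 15 05:44:18 localhost.localdomain audit[812]: AVC avc: denied { module_load } for pid=812 comm="modprobe" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=system permissive=0
Nov 15 05:44:19 localhost.localdomain systemd[1]: Started Open vSwitch.
"""

# (class, permission) pairs that widen a domain far beyond one file access; an
# allow rule for these calls for a one-purpose helper domain reached through a
# type_transition rather than a blanket allow on the main domain.
HIGH_RISK = {("system", "module_load"), ("capability", "sys_module")}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple
    fields: dict

    def source(self):
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    def target(self):
        return self.fields["tcontext"].split(":")[2]

    def allow_rule(self):
        # Same shape audit2allow emits; 'self' when subject and target types match.
        target = "self" if self.source() == self.target() else self.target()
        return f"allow {self.source()} {target}:{self.fields['tclass']} {' '.join(self.perms)};"

    def is_high_risk(self):
        return any((self.fields["tclass"], p) in HIGH_RISK for p in self.perms)


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(tuple(m.group("perms").split()), fields)


def triage(log_text):
    # One (candidate allow rule, high-risk flag) pair per denial found.
    return [(d.allow_rule(), d.is_high_risk()) for d in map(parse_avc, log_text.splitlines()) if d]
```

Running `triage(SAMPLE_LOG)` yields the `map` rule for `init_t` unflagged and the `module_load` rule for `openvswitch_t` flagged, which is exactly the rule from the policy module posted above that the maintainers did not want to ship as-is.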