Bug 1561053

Summary: SELinux prevents cockpit-ws from reading the /proc/cpuinfo file
Product: [Fedora] Fedora Reporter: Paul Whalen <pwhalen>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: armhfp   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.1-19.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-01 19:07:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Whalen 2018-03-27 14:21:01 UTC 
Description of problem:

After installation of F28 Beta 1.1 Server on armhfp with defaults:

ausearch -ts recent -m avc
----
time->Tue Mar 27 10:02:56 2018
type=AVC msg=audit(1522159376.627:197): avc:  denied  { read } for  pid=1367 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026532510 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=s0
----
time->Tue Mar 27 10:02:56 2018
type=AVC msg=audit(1522159376.666:198): avc:  denied  { read } for  pid=1367 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026532510 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=s0


Version:
selinux-policy-3.14.1-18.fc28.noarch
cockpit-ws-161-2.fc28.armv7hl
Comment 1 Milos Malik 2018-03-27 14:40:58 UTC 
Could you '--raw' when collecting the denials?

# ausearch -ts today -m avc --raw

The tcontext= value appears to be incomplete.
Comment 2 Paul Whalen 2018-03-27 15:41:00 UTC 
(In reply to Milos Malik from comment #1)
> Could you '--raw' when collecting the denials?
> 
> # ausearch -ts today -m avc --raw
> 
> The tcontext= value appears to be incomplete.

Sorry about that, was on serial console:

type=AVC msg=audit(1522159376.627:197): avc:  denied  { read } for  pid=1367 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026532510 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1522159376.666:198): avc:  denied  { read } for  pid=1367 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026532510 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1522164572.184:308): avc:  denied  { read } for  pid=2263 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026532510 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1522164572.226:309): avc:  denied  { read } for  pid=2263 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026532510 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
Comment 3 Paul Whalen 2018-03-27 19:39:15 UTC 
The AVC's happen after logging into cockpit via http.
Comment 4 Fedora Update System 2018-03-29 21:09:15 UTC 
selinux-policy-3.14.1-19.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-234de0ee13
Comment 5 Fedora Update System 2018-03-30 15:18:31 UTC 
selinux-policy-3.14.1-19.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-234de0ee13
Comment 6 Fedora Update System 2018-04-01 19:07:55 UTC 
selinux-policy-3.14.1-19.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.