Bug 1673107
Summary: | Rebase selinux-policy package against Fedora 30 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Lukas Vrabec <lvrabec> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | Tomas Capek <tcapek> |
Priority: | high | ||
Version: | 8.1 | CC: | jscotka, lmanasko, lvrabec, mabrown, mmalik, plautrba, rmetrich, ssekidde, zpytela |
Target Milestone: | rc | Keywords: | Rebase |
Target Release: | 8.1 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: |
.`selinux-policy` rebased to 3.14.3
The `selinux-policy` package has been upgraded to upstream version 3.14.3, which provides a number of bug fixes and enhancements to the allow rules over the previous version.
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-11-05 22:10:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1682526 | ||
Bug Blocks: | 1567073, 1583703, 1593577, 1593607, 1605215, 1608051, 1612552, 1622548, 1638666, 1640296, 1641631, 1647777, 1649312, 1656738, 1656837, 1657281, 1657800, 1658624, 1664316, 1664409, 1664983, 1667016, 1668840, 1669277, 1669285, 1670313, 1671019, 1671129, 1672531, 1672546, 1673056, 1683642, 1684103, 1685689, 1687721, 1687867, 1688671, 1690925, 1691351, 1692676, 1693679, 1697894, 1700222, 1700667, 1701158, 1702243, 1702255, 1702580, 1705044, 1708098, 1719025 |
Comment 2
Milos Malik
2019-04-01 07:24:02 UTC

The SELinux denial mentioned in comment#2 appears during each reboot.

# getsebool -a | grep mmap
domain_can_mmap_files --> off
mmap_low_allowed --> off
wine_mmap_zero_ignore --> off

# The following SELinux denials appeared after the upgrade on my RHEL-8.0 MLS machine:

----
type=PROCTITLE msg=audit(04/01/2019 13:20:01.606:132) : proctitle=/sbin/modprobe -q -- nft-set
type=MMAP msg=audit(04/01/2019 13:20:01.606:132) : fd=0 flags=MAP_PRIVATE
type=SYSCALL msg=audit(04/01/2019 13:20:01.606:132) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x5b92c a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=7 pid=1005 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:kmod_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(04/01/2019 13:20:01.606:132) : avc: denied { map } for pid=1005 comm=modprobe path=/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin dev="sda2" ino=26059525 scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(04/01/2019 13:20:02.020:136) : proctitle=(null)
type=PATH msg=audit(04/01/2019 13:20:02.020:136) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=8404771 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/01/2019 13:20:02.020:136) : item=1 name=/bin/bash inode=1135 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/01/2019 13:20:02.020:136) : item=0 name=/usr/libexec/chrony-helper inode=8434376 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/01/2019 13:20:02.020:136) : cwd=/
type=SYSCALL msg=audit(04/01/2019 13:20:02.020:136) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x5568be9c9b40 a1=0x5568be9c98d0 a2=0x5568be9c87b0 a3=0x8 items=3 ppid=1141 pid=1147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:chronyd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(04/01/2019 13:20:02.020:136) : avc: denied { map } for pid=1147 comm=chrony-helper path=/usr/bin/bash dev="sda2" ino=1135 scontext=system_u:system_r:chronyd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(04/01/2019 13:20:02.112:138) : proctitle=/bin/bash /usr/bin/kdumpctl start
type=PATH msg=audit(04/01/2019 13:20:02.112:138) : item=0 name=/boot inode=96 dev=08:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:boot_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/01/2019 13:20:02.112:138) : cwd=/
type=SYSCALL msg=audit(04/01/2019 13:20:02.112:138) : arch=x86_64 syscall=faccessat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x560aca675a10 a2=W_OK a3=0x7ffc658898fc items=1 ppid=1134 pid=1142 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kdumpctl exe=/usr/bin/bash subj=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(04/01/2019 13:20:02.112:138) : avc: denied { dac_override } for pid=1142 comm=kdumpctl capability=dac_override scontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tclass=capability permissive=0
----

and a ton of SELinux denials generated by tuned_t.

The following SELinux denials appear in the journal on the MLS machine:

# dmesg | grep -i avc
[ 2.160916] audit: type=1400 audit(1554119614.992:4): avc: denied { map } for pid=1 comm="systemd" path="/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin" dev="sda2" ino=26059525 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
[ 2.293906] audit: type=1400 audit(1554119615.125:5): avc: denied { write } for pid=466 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=8761 scontext=system_u:system_r:systemd_gpt_generator_t:s0-s15:c0.c1023 tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file permissive=0
[ 2.301855] audit: type=1400 audit(1554119615.133:6): avc: denied { read } for pid=466 comm="systemd-gpt-aut" name="sda" dev="devtmpfs" ino=12554 scontext=system_u:system_r:systemd_gpt_generator_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file permissive=0
[ 3.055429] audit: type=1400 audit(1554119615.887:7): avc: denied { map } for pid=515 comm="systemd-udevd" path="/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin" dev="sda2" ino=26059525 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
[ 3.202910] audit: type=1400 audit(1554119616.034:8): avc: denied { module_load } for pid=522 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
[ 3.227463] audit: type=1400 audit(1554119616.059:9): avc: denied { module_load } for pid=524 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
[ 3.238429] audit: type=1400 audit(1554119616.070:10): avc: denied { module_load } for pid=523 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0

commit d9025072d033957bf981250fc18af993404ff9cc (HEAD -> rhel8.1-base)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 1 14:05:45 2019 +0200

    Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files

    Resolves: rhbz#1673107

commit 2f8b6c9cd7e3f28d98eac3abc2827f99a6c21c44
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 2 16:02:44 2019 +0200

    Allow chronyd_t domain to exec shell

    Resolves: rhbz#1673107

commit ae5a161b2b694470da89b24f75785b0a9a357aed (HEAD -> rhel8.1-base, origin/rhel8.1-base)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 2 15:41:09 2019 +0200

    Allow kmod_t domain to mmap modules_dep_t files.

    Resolves: rhbz#1673107

commit 1fc142d33309c68e2984d0c0ad8f1c8c6016fec8 (HEAD -> rhel8.1-contrib, origin/rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 2 17:02:57 2019 +0200

    Add dac_override capability for kdumpctl_t process domain

*** Bug 1719025 has been marked as a duplicate of this bug. ***

*** Bug 1697894 has been marked as a duplicate of this bug. ***

*** Bug 1657800 has been marked as a duplicate of this bug. ***

*** Bug 1702255 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547
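The denials in the comment above and the commits that resolve them line up one to one: each `{ map }`, `{ dac_override }` or `{ module_load }` denial names the source type, target type, object class and permission that the policy was missing. The script below is an added example, not code from this bug report or from the selinux-policy project. It parses AVC records in both the `ausearch -i` form and the `dmesg` form, merges the permissions per (source type, target type, class) triple, and emits the `allow` rules the denials imply, which is what `audit2allow` would print for the same input. The records embedded in it are copied from the comment above (the `SYSCALL` record is shortened and is there only to show that non-AVC lines are skipped); no audit tooling or policy store is needed to run it.

```python
import re

# Added example, not code from this bug report or the selinux-policy
# project: derive TE allow rules from AVC denial records, as audit2allow
# does. SAMPLE_RECORDS are the denials quoted in the bug; the SYSCALL
# record is shortened and included only to show non-AVC lines are skipped.

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; dmesg quotes some values ("systemd"), ausearch -i does not
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_RECORDS = [
    # ausearch -i style records from the RHEL-8.0 MLS machine
    "type=AVC msg=audit(04/01/2019 13:20:01.606:132) : avc: denied { map } for pid=1005 "
    "comm=modprobe path=/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin dev=\"sda2\" "
    "ino=26059525 scontext=system_u:system_r:kmod_t:s15:c0.c1023 "
    "tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0",
    "type=SYSCALL msg=audit(04/01/2019 13:20:01.606:132) : arch=x86_64 syscall=mmap "
    "success=no exit=EACCES(Permission denied) comm=modprobe exe=/usr/bin/kmod",
    "type=AVC msg=audit(04/01/2019 13:20:02.020:136) : avc: denied { map } for pid=1147 "
    "comm=chrony-helper path=/usr/bin/bash dev=\"sda2\" ino=1135 "
    "scontext=system_u:system_r:chronyd_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0",
    "type=AVC msg=audit(04/01/2019 13:20:02.112:138) : avc: denied { dac_override } for "
    "pid=1142 comm=kdumpctl capability=dac_override "
    "scontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tclass=capability permissive=0",
    # dmesg style records (quoted values, doubled spaces) from the same machine
    "[    2.160916] audit: type=1400 audit(1554119614.992:4): avc:  denied  { map }  for  "
    "pid=1 comm=\"systemd\" path=\"/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin\" "
    "dev=\"sda2\" ino=26059525 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0",
    "[    2.293906] audit: type=1400 audit(1554119615.125:5): avc:  denied  { write }  for  "
    "pid=466 comm=\"systemd-gpt-aut\" name=\"kmsg\" dev=\"devtmpfs\" ino=8761 "
    "scontext=system_u:system_r:systemd_gpt_generator_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file permissive=0",
    "[    3.202910] audit: type=1400 audit(1554119616.034:8): avc:  denied  { module_load }  "
    "for  pid=522 comm=\"systemd-udevd\" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0",
    "[    3.227463] audit: type=1400 audit(1554119616.059:9): avc:  denied  { module_load }  "
    "for  pid=524 comm=\"systemd-udevd\" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0",
]


def parse_avc(record):
    """Return the denial as a dict, or None if `record` is not an AVC denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]. Taking the third field yields the
    # type and keeps MLS ranges such as s0-s15:c0.c1023 out of the rule.
    return {
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
        # permissive=1 means the access was only logged, not blocked
        "enforcing": fields.get("permissive") != "1",
    }


def allow_rules(records):
    """Merge denials per (source, target, class) and emit TE allow rules."""
    merged = {}
    for record in records:
        d = parse_avc(record)
        if d is None:
            continue
        # A denial whose target is the domain itself (capability and system
        # classes here) is written against `self`, as audit2allow does.
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged.setdefault((d["stype"], target, d["tclass"]), set()).update(d["perms"])
    rules = []
    for (stype, target, tclass), perms in merged.items():
        perms = sorted(perms)
        plist = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, plist))
    return sorted(rules)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_RECORDS):
        print(rule)
```

The output is a starting point for a local module, not the fix the package shipped: the commits above route the same accesses through policy interfaces (`modutils_read_module_deps_files()` gaining `map`, chronyd_t getting shell exec via the corresponding interface) so that every caller of the interface is fixed consistently. Two of the generated rules deserve a second look before being granted locally. The `map` permission on `file` is checked separately from `read` by the 4.18 kernel, so a domain that could only read `modules_dep_t` before now also needs `map` to mmap it, which is why these denials surface during a rebase. And `allow kdumpctl_t self:capability dac_override;` lets the whole domain bypass file-mode checks, so it is worth confirming the path that triggers it (here `faccessat(/boot, W_OK)` from `kdumpctl start`) cannot be reworked before handing the capability out.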