Bug 1739382

Summary: [RHEL-8] avc denied detected while running ibacm test
Product: Red Hat Enterprise Linux 8
Reporter: zguo <zguo>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.1
CC: infiniband-qe, lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Target Release: 8.1
Hardware: All
OS: Linux
Last Closed: 2019-11-05 22:12:10 UTC
Type: Bug

Description zguo 2019-08-09 08:27:48 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-13.el8.noarch
DISTRO=RHEL-8.1.0-20190806.2
4.18.0-128.el8.x86_64

How reproducible:


Steps to Reproduce:
1. Run test /kernel/infiniband/ibacm https://beaker.engineering.redhat.com/recipes/7205451#task97343215

Actual results:
https://beaker.engineering.redhat.com/recipes/7205451/tasks/97343215/results/447546472/logs/avc.log

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-13.el8.noarch
----
time->Thu Aug  8 06:57:41 2019
type=PROCTITLE msg=audit(1565261861.020:143): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1565261861.020:143): arch=c000003e syscall=137 success=no exit=-13 a0=7f050bd977c0 a1=7f05078bf820 a2=7f050bfa13b0 a3=8 items=0 ppid=1 pid=44457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ibacm" exe="/usr/sbin/ibacm" subj=system_u:system_r:ibacm_t:s0 key=(null)
type=AVC msg=audit(1565261861.020:143): avc:  denied  { getattr } for  pid=44457 comm="ibacm" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0
----
time->Thu Aug  8 06:57:41 2019
type=PROCTITLE msg=audit(1565261861.021:144): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1565261861.021:144): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=a0 a2=3 a3=1 items=0 ppid=1 pid=44457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ibacm" exe="/usr/sbin/ibacm" subj=system_u:system_r:ibacm_t:s0 key=(null)
type=AVC msg=audit(1565261861.021:144): avc:  denied  { map } for  pid=44457 comm="ibacm" path="/run/INTEL_SA_DSC" dev="tmpfs" ino=89005 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:ibacm_var_run_t:s0 tclass=file permissive=0
----

Expected results:

No such denial.

Additional info:

Comment 1 Lukas Vrabec 2019-08-09 12:54:45 UTC
commit b7fd37c6dd892319963c1bf15f64ccfa39a7d6fc (HEAD -> rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Aug 9 14:53:15 2019 +0200

    Update ibacm_t policy
    
    Allow ibacm_t domain to mmap own pid files
    Allow ibacm_t domain to getattr device filesystems
    Resolves: rhbz#1739382

Comment 22 Milos Malik 2019-08-21 07:55:09 UTC
The following SELinux denial appeared in the above-mentioned logs:
----
time->Tue Aug 20 18:58:02 2019
type=PROCTITLE msg=audit(1566341882.898:770): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1566341882.898:770): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f815c4cdb30 a2=a0042 a3=1a4 items=0 ppid=1 pid=22980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ibacm" exe="/usr/sbin/ibacm" subj=system_u:system_r:ibacm_t:s0 key=(null)
type=AVC msg=audit(1566341882.898:770): avc:  denied  { write } for  pid=22980 comm="ibacm" name="shm" dev="devtmpfs" ino=2101 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
----

It's strange that /dev/shm is labeled device_t.
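
Added example (not part of the bug report or of selinux-policy): a Python parser that reads the AVC records quoted in this bug, decodes the hex-encoded proctitle, and groups the denials into audit2allow-style candidate rules. The function names are hypothetical, and the rules it prints are a triage summary, not the rules shipped in the fix.

```python
import re
from collections import defaultdict

# Sample input: one PROCTITLE record and the three AVC records quoted in this bug.
SAMPLE = '''\
type=PROCTITLE msg=audit(1565261861.020:143): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=AVC msg=audit(1565261861.020:143): avc:  denied  { getattr } for  pid=44457 comm="ibacm" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1565261861.021:144): avc:  denied  { map } for  pid=44457 comm="ibacm" path="/run/INTEL_SA_DSC" dev="tmpfs" ino=89005 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:ibacm_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566341882.898:770): avc:  denied  { write } for  pid=22980 comm="ibacm" name="shm" dev="devtmpfs" ino=2101 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(hexstr):
    """auditd hex-encodes argv; arguments are separated by NUL bytes."""
    return bytes.fromhex(hexstr).decode('utf-8', 'replace').split('\x00')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; type enforcement uses the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def candidate_rules(text):
    """Group denials by (source type, target type, class), audit2allow-style."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == '__main__':
    print(decode_proctitle(SAMPLE.split('proctitle=')[1].split()[0]))
    print('\n'.join(candidate_rules(SAMPLE)))
```

A candidate rule only summarizes what was denied. For the device_t:dir write case, Comment 22 points at the label on /dev/shm rather than at a missing rule.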

Comment 29 errata-xmlrpc 2019-11-05 22:12:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547