Bug 1757050

Summary: the systemd-bootchart service triggers a SELinux denial
Product: Fedora
Component: selinux-policy
Version: 31
Reporter: Milos Malik <mmalik>
Assignee: Richard Fiľo <rfilo>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mgrepl, msekleta, plautrba, zpytela
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Type: Bug
Fixed In Version: selinux-policy-3.14.4-52.fc31
Last Closed: 2020-06-05 02:39:53 UTC

Description Milos Malik 2019-09-30 13:12:52 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-31.fc31.noarch
selinux-policy-targeted-3.14.4-31.fc31.noarch
systemd-243~rc2-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243~rc2-1.fc31.x86_64
systemd-pam-243~rc2-1.fc31.x86_64
systemd-rpm-macros-243~rc2-1.fc31.noarch
systemd-udev-243~rc2-1.fc31.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 30 or 31 machine (targeted policy is active)
2. start the systemd-bootchart service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/30/2019 09:07:52.662:349) : proctitle=@usr/lib/systemd/systemd-bootchart -r 
type=SYSCALL msg=audit(09/30/2019 09:07:52.662:349) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x559b400f59a7 a2=0x2 a3=0x0 items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null) 
type=AVC msg=audit(09/30/2019 09:07:52.662:349) : avc:  denied  { sys_admin } for  pid=2159 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
 * the SELinux denial does not prevent the service from running

Comment 1 Richard Fiľo 2019-09-30 16:03:24 UTC
Is this capability actually necessary for running this service?

Because allowing the sys_admin capability is very powerful from the perspective of SELinux policy.

Comment 2 Michal Sekletar 2020-02-04 16:59:56 UTC
systemd-bootchart, when running as root, tries to get additional information about scheduling from /proc/schedstats. However, this needs to be enabled by the appropriate sysctl (kernel.sched_schedstats). Altering sysctl options requires CAP_SYS_ADMIN. I'd say that the service is generally more useful if it can take this additional data into consideration.

Comment 3 Richard Fiľo 2020-05-18 12:36:17 UTC
In my opinion that can be allowed. I created a scratch build with the fix and a pull request.

Link to scratch build: https://download.copr.fedorainfracloud.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01381709-selinux-policy/

PR: https://github.com/fedora-selinux/selinux-policy/pull/355

Comment 4 Lukas Vrabec 2020-05-18 13:02:14 UTC
commit 6d966941f05ea6148bd91886e7bf91d7ae59690c (HEAD -> rawhide, origin/rawhide)
Author: Richard Filo <rfilo>
Date:   Wed May 13 11:42:23 2020 +0200

    Allow sys_admin capability for domain labeled systemd_bootchart_t
    
    fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757050

Comment 5 Fedora Update System 2020-05-20 13:47:30 UTC
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

Comment 6 Fedora Update System 2020-05-21 04:16:10 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Milos Malik 2020-05-21 08:46:33 UTC
# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.6-13.fc33.noarch
selinux-policy-targeted-3.14.6-13.fc33.noarch
systemd-245.2-1.fc33.x86_64
systemd-bootchart-233-6.fc32.x86_64
systemd-libs-245.2-1.fc33.x86_64
systemd-pam-245.2-1.fc33.x86_64
systemd-rpm-macros-245.2-1.fc33.noarch
systemd-udev-245.2-1.fc33.x86_64
# sesearch -s systemd_bootchart_t -t systemd_bootchart_t -c capability -p sys_admin -A --dontaudit
#

The following SELinux denial still appears after starting the systemd-bootchart service:
----
type=PROCTITLE msg=audit(05/21/2020 04:42:25.718:271) : proctitle=@usr/lib/systemd/systemd-bootchart -r 
type=SYSCALL msg=audit(05/21/2020 04:42:25.718:271) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x557eb9bac198 a2=0x2 a3=0x0 items=0 ppid=1 pid=2121 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null) 
type=AVC msg=audit(05/21/2020 04:42:25.718:271) : avc:  denied  { sys_admin } for  pid=2121 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0 
----
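The two AVC records in this report (the one in the description and the one in comment 7) and the sesearch check in comment 7 follow a fixed shape, so the triage step can be scripted. The following is an added example, not part of this bug report or of the selinux-policy project: a small Python parser that reads ausearch -i style audit lines, groups "denied" AVC records by source context, target context and class, records whether any instance was hit in enforcing mode (permissive=0), and derives both the sesearch query used in comment 7 and the TE allow rule that the fix in comment 4 adds. The input is constructed: the report's own two AVC records and one SYSCALL record, plus one made-up record for a hypothetical example_daemon_t domain so that the grouping is visible.

```python
import re

# Constructed sample input: the AVC and SYSCALL records quoted in this bug report
# (ausearch -i formatting) plus one made-up record for a hypothetical domain
# (example_daemon_t) so that grouping across domains is visible.
SAMPLE_AUDIT = """\
type=AVC msg=audit(09/30/2019 09:07:52.662:349) : avc:  denied  { sys_admin } for  pid=2159 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(09/30/2019 09:07:52.662:349) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x559b400f59a7 a2=0x2 a3=0x0 items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null)
type=AVC msg=audit(05/21/2020 04:42:25.718:271) : avc:  denied  { sys_admin } for  pid=2121 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/21/2020 04:42:30.000:272) : avc:  denied  { read open } for  pid=3000 comm=example-daemon name=example.conf dev="vda1" ino=12345 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines (SYSCALL, PROCTITLE, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = frozenset(m.group("perms").split())
    return rec


def summarize_denials(lines):
    """Group 'denied' records by (scontext, tcontext, tclass); union the permissions
    and PIDs, and remember whether any instance happened in enforcing mode."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["scontext"], rec["tcontext"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "pids": set(), "enforced": False})
        g["perms"] |= rec["perms"]
        g["pids"].add(rec["pid"])
        if rec.get("permissive") == "0":
            g["enforced"] = True
    return groups


def type_of(context):
    """user:role:type:level -> type (the third field of a security context)."""
    return context.split(":")[2]


def sesearch_command(scontext, tcontext, tclass, perms):
    """The sesearch query, as used in comment 7, that checks whether the loaded policy
    has an allow or dontaudit rule covering this access."""
    return "sesearch -s {} -t {} -c {} -p {} -A --dontaudit".format(
        type_of(scontext), type_of(tcontext), tclass, ",".join(sorted(perms)))


def allow_rule(scontext, tcontext, tclass, perms):
    """The TE allow rule that would silence the denial; the same type on both sides is
    written as 'self', matching the fix in comment 4. This is the rule audit2allow would
    propose; whether the access should be granted at all is the separate review question."""
    src, tgt = type_of(scontext), type_of(tcontext)
    target = "self" if src == tgt else tgt
    p = sorted(perms)
    perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return "allow {} {}:{} {};".format(src, target, tclass, perm_str)


if __name__ == "__main__":
    for (s, t, c), g in summarize_denials(SAMPLE_AUDIT.splitlines()).items():
        mode = "enforcing" if g["enforced"] else "permissive only"
        print("{} -> {} {} {} ({}, pids {})".format(
            s, t, c, sorted(g["perms"]), mode, sorted(g["pids"])))
        print("  check:", sesearch_command(s, t, c, g["perms"]))
        print("  rule: ", allow_rule(s, t, c, g["perms"]))
```

An empty sesearch result, as in comment 7, means the loaded policy neither allows nor dontaudits the access, so the denial keeps appearing until a policy build carrying the rule is installed. The SYSCALL record is kept in the sample to show that non-AVC lines are skipped; it also corroborates comment 2, since it shows a 2-byte write (a2=0x2) to file descriptor 3 failing with EPERM, which is the shape of a sysctl write. The allow_rule output is the mechanical answer; comment 1's question, whether the capability is actually needed, is still the one a policy reviewer has to answer before adding it.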

Comment 10 Fedora Update System 2020-06-05 02:39:53 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.