Bug 1767714

Summary: SELinux denials when a confined user logs in
Product: Fedora
Component: selinux-policy
Version: 32
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Zdenek Pytela <zpytela>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Last Closed: 2020-03-09 15:08:35 UTC
Bug Blocks: 1767779

Description Zdenek Pytela 2019-11-01 08:01:50 UTC
Description of problem:
SELinux denials when a confined user user_u or staff_u logs in

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. A confined user logs in

Actual results:
AVCs audited:
----
type=PROCTITLE msg=audit(11/01/19 08:56:29.489:2527) : proctitle=(systemd) 
type=SYSCALL msg=audit(11/01/19 08:56:29.489:2527) : arch=x86_64 syscall=bpf success=yes exit=8 a0=BPF_PROG_LOAD a1=0x7ffec917c120 a2=0x70 a3=0x55cb9d79df70 items=0 ppid=1 pid=35538 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=203 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_run } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1 
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_load } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1 
Fri Nov  1 08:56:34 CET 2019

In enforcing mode, only prog_load appears.

Expected results:
No avc

Additional info:
These permissions are allowed:
# sesearch -A -c bpf -p prog_load|grep -w -e user_t -e staff_t -e sysadm_t -e root -e unconfined_t -e guest_u -e xguest_u
allow sysadm_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow sysadm_t sysadm_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t unconfined_t:bpf { map_create map_read map_write prog_load prog_run };

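As an added illustration (not part of the report or of selinux-policy), here is a small Python stand-in for audit2allow: it parses the two AVC records quoted above into the allow rule they imply, and reports whether the log was captured with permissive=1, which matters because in enforcing mode the refused BPF_PROG_LOAD leaves no program to attach, so the prog_run check is never reached and only prog_load is logged. The enforcing-mode sample is constructed.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the report (permissive mode).
SAMPLE_PERMISSIVE = """\
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_run } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_load } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
"""
# Constructed sample for enforcing mode: the refused prog_load means no program
# fd exists to attach, so the later prog_run check never happens and is not logged.
SAMPLE_ENFORCING = """\
type=AVC msg=audit(11/01/19 09:02:11.004:2601) : avc:  denied  { prog_load } for  pid=35601 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avcs(text):
    """Return one dict per 'avc: denied' record; other audit records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            d["permissive"] = d["permissive"] == "1"
            records.append(d)
    return records

def allow_rules(text):
    """Collapse denials into the allow rules that would silence them, keyed by
    (source type, target type, object class); source == target is written 'self'."""
    perms = defaultdict(set)
    for d in parse_avcs(text):
        # The type is the third field of a context such as user_u:user_r:user_t:s0.
        src, tgt = (c.split(":")[2] for c in (d["scontext"], d["tcontext"]))
        perms[(src, "self" if src == tgt else tgt, d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

def is_complete(text):
    """True only if every record was logged under permissive=1, i.e. the log shows
    all permissions the operation needs, not just the first one refused."""
    records = parse_avcs(text)
    return bool(records) and all(d["permissive"] for d in records)
```

Rules derived from an enforcing-mode log should be treated as a lower bound: once prog_load is allowed, the next run may surface prog_run.
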
Comment 1 Ben Cotton 2020-02-11 17:49:41 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 2 Zdenek Pytela 2020-03-09 15:14:45 UTC
Resolved with the following rawhide/base commit:

commit b1f64ef6da0d4cd5fa6f34358c945bf1e29c0780
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:20:12 2019 +0100

    Allow users using template userdom_unpriv_user_template() to run bpf
    tool
    
    Resolves: rhbz#1769228

and is present in the policy since version 3.14.5-13.