Bug 1782092
| Summary: | SELinux errors since update to kernel-5.4 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ryan <stealthcipher> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 33 | CC: | agurenko, airlied, andrew, bskeggs, catalinfest, dimitris.on.linux, dwalsh, fedora, grepl.miroslav, hdegoede, ichavero, itamar, jarodwilson, jeremy, jerry.hoemann, jglisse, john.j5live, jonathan, josef, jwadodson, kernel-maint, linville, lvrabec, mark, masami256, mchehab, mjg59, mmalik, omerusta, omosnace, plautrba, sharefun010407, steved, thomas, vmojzis, voj-tech, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.7-20.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-23 19:31:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ryan
2019-12-11 07:02:05 UTC
note that this also occurs for kernel-5.4.5-300.fc31.x86_64

I believe this is actually an SELinux policy issue, I'm going to adjust the component I logged this bug against. Basically the policy doesn't cover these items and so just allows them. Version of selinux-policy-targeted is 3.14.4-43.fc31

still happening with 5.4.10-200.fc31.x86_64 and selinux-policy 3.14.4-44

2020.02.02 - same issue for selinux-policy-targeted.noarch, version 3.14.4-45.fc31

```
[root@desk mythcat]# uname -a
Linux desk 5.4.14-200.fc31.x86_64 #1 SMP Thu Jan 23 13:06:12 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@desk mythcat]# dnf search selinux-policy-targeted
Last metadata expiration check: 2:14:53 ago on Sun 02 Feb 2020 01:28:54 PM EET.
=========================================== Name Exactly Matched: selinux-policy-targeted ============================================
selinux-policy-targeted.noarch : SELinux targeted base policy
[root@desk mythcat]# dnf list selinux-policy-targeted.noarch
Last metadata expiration check: 2:18:07 ago on Sun 02 Feb 2020 01:28:54 PM EET.
Installed Packages
selinux-policy-targeted.noarch          3.14.4-45.fc31          @updates
```

Still happens on 5.4.17-200.fc31.x86_64, BUT NOT on a system built originally with fc30. So perhaps it's related to something leftover from older installs. I'll look further when I have some time.

Can be reproduced on a fresh F31 install with selinux-policy-targeted 3.14.4-49 on kernel 5.5.8-200.

This is still happening on 5.5.9-200

still happening on 5.6.6-200.fc31.x86_64

still occurring in 5.6.14-300.fc32.x86_64

still happening 5.6.15-300.fc32.x86_64 and selinux-policy 3.14.5-39.fc32

I can confirm this bug also exists in rawhide

The only place I can find all the "keywords" in these errors mentioned is the file /etc/selinux/targeted/policy/policy.31 on an FC31 machine, & I assume that will be the case for FC32/rawhide etc. I'm reminded of it at every reboot of a number of machines that all have different policy.31 files.

Folks, the reason is that the kernel already supports the watch permission, but it hasn't been included in the policy yet.

Wow! Thanks - at last an admission that what we are seeing is not really a problem but an artefact of a change we don't & are probably not expected to understand! (yet) It would have been nice to have had this information 6 months ago when the problem was originally reported, everyone would have been a lot more relaxed about it! Maybe there should be a "kernel development suppression list of errors" on mainline kernels, that are really only relevant to rawhide? Or if it's defined in the policy the error should be "not implemented in kernel - yet"?

Seems to me they are in the /etc/selinux/targeted/policy/policy.31 file

Ryan, you've changed the component but not the assignee. Currently, it's still assigned to the Kernel Maintainer List. Since it's a selinux policy issue perhaps there is a more appropriate assignee for it, as well?

(In reply to Georg Sauthoff from comment #17)
> Ryan, you've changed the component but not the assignee.
>
> Currently, it's still assigned to the Kernel Maintainer List.
>
> Since it's a selinux policy issue perhaps there is a more appropriate
> assignee for it, as well?

I agree, however I have no access to modify the assignee... perhaps someone on the Kernel Maintainer List can re-assign it appropriately? Also this issue is still present in the current version of selinux and the 5.7 series kernel.

Still happening in 5.9.2-300.x86_64.fc33 and selinux-policy-targeted 3.14.6-29.fc33.

The permissions should be added to the policy soon.

Resolved in Fedora 34 since selinux-policy-3.14.7-20.fc34.

ok... but this is not resolved in F33 yet. F34 isn't due for release until approx April and we don't have selinux-policy-3.14.7 in F33. Further the bug was lodged against F33, so when are we going to get the policy update in the current active version of Fedora [33]?

correction, the bug was lodged against F31... but it's currently flagged against 33

You are right, the new permissions were introduced into the kernel way earlier than into selinux-policy. The changes in selinux-policy though were quite big, so we do not plan to backport them to older releases in order not to break any existing setup - once the permission is defined in the policy, it is evaluated, so it is possible some services would stop working and we don't want to make that happen in the middle of the release cycle.

Changing the status to a more appropriate value. Summary of the changes: https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel

(In reply to Zdenek Pytela from comment #25)
> Changing the status to a more appropriate value.
> Summary of the changes:
> https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel

My target is to use Linux Kernel 5.4 with SELinux enabled in enforcing mode, and the default handling of unknown classes is to deny. The "watch" will then be denied. If I have to solve this problem, which one do you recommend?
1. To allow all unknown classes.
2. To upgrade to the latest selinux-policy
I'm unfamiliar with the development strategy of selinux-policy, is it safe/useful to use the latest policy on an older kernel?
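The thread turns on two facts: the 5.4 kernel checks a "watch" permission that the Fedora policy of the time did not define, and the policy's handling of unknown permissions decides whether such a check is allowed or denied. The POSIX shell script below is an added example, not code from the bug report or from the selinux-policy project. It inspects the loaded policy through selinuxfs, which exposes one `class/<class>/perms/<perm>` file per permission the policy defines and a `deny_unknown` flag file; it assumes selinuxfs is mounted at /sys/fs/selinux (overridable through an assumed `SELINUXFS` variable), and the function names are the example's own. Permissions that the kernel knows but that are absent from this tree are exactly the ones governed by the deny_unknown setting.

```shell
#!/bin/sh
# Added example (not part of the bug report): check whether the loaded SELinux
# policy defines the permissions the kernel checks on a class, and report how
# the policy says undefined permissions are handled.
# Assumption: selinuxfs is at /sys/fs/selinux; SELINUXFS overrides it (used by tests).

selinuxfs_root() {
    printf '%s\n' "${SELINUXFS:-/sys/fs/selinux}"
}

# perm_defined ROOT CLASS PERM: exit 0 if the loaded policy defines PERM on CLASS.
# selinuxfs lists each policy class under class/ with a perms/ directory that
# holds one file per permission the policy defines for it.
perm_defined() {
    [ -e "$1/class/$2/perms/$3" ]
}

# undefined_perms ROOT CLASS PERM...: print, one per line, the PERMs the policy
# does not define on CLASS.
undefined_perms() {
    root="$1"; class="$2"; shift 2
    for perm in "$@"; do
        perm_defined "$root" "$class" "$perm" || printf '%s\n' "$perm"
    done
}

# deny_unknown_mode ROOT: "deny" when the policy's handle_unknown setting makes
# the kernel deny permissions it knows but the policy lacks, "allow" otherwise.
deny_unknown_mode() {
    if [ -r "$1/deny_unknown" ] && [ "$(cat "$1/deny_unknown")" = "1" ]; then
        printf 'deny\n'
    else
        printf 'allow\n'
    fi
}

# report ROOT CLASS PERM...: print a one-line summary. Exit 0 when every PERM is
# defined or when undefined ones are allowed anyway; exit 1 when an undefined
# permission would be denied, which is the situation the thread's last comment fears.
report() {
    root="$1"; class="$2"; shift 2
    mode="$(deny_unknown_mode "$root")"
    missing="$(undefined_perms "$root" "$class" "$@")"
    if [ -z "$missing" ]; then
        printf 'class %s: all requested permissions are defined in the loaded policy\n' "$class"
        return 0
    fi
    printf 'class %s: not defined in policy: %s(deny_unknown=%s)\n' \
        "$class" "$(printf '%s\n' "$missing" | tr '\n' ' ')" "$mode"
    [ "$mode" = "allow" ]
}

# Stand-alone use on a real host, e.g.:  ./check.sh file watch
if [ "$#" -ge 2 ]; then
    report "$(selinuxfs_root)" "$@"
fi
```

On a host showing the thread's symptom, `./check.sh file watch` reports "watch" as undefined together with the deny_unknown mode; `sestatus` prints the same handle_unknown setting as its "Policy deny_unknown status" line, and once a policy that defines the permission is loaded (selinux-policy-3.14.7-20.fc34 per the thread) the script reports it as defined. Because the tree reflects the loaded policy rather than the kernel's own permission list, a missing entry means the kernel will fall back to the deny_unknown behaviour for that check rather than evaluating an allow rule.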