Bug 1808736

Summary: the lttng-sessiond service triggers SELinux denials
Product: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Triaged
Type: Bug
Reporter: Milos Malik <mmalik>
Assignee: Richard Fiľo <rfilo>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, grepl.miroslav, lvrabec, plautrba, rfilo, vmojzis, zpytela
Fixed In Version: selinux-policy-3.14.5-39.fc32
Doc Type: If docs needed, set a value
Last Closed: 2020-05-26 03:12:46 UTC

Description Milos Malik 2020-02-29 19:36:38 UTC
Description of problem:

Version-Release number of selected component (if applicable):
lttng-tools-2.11.1-1.fc32.x86_64
lttng-ust-2.11.0-4.fc32.x86_64
selinux-policy-3.14.5-28.fc32.noarch
selinux-policy-devel-3.14.5-28.fc32.noarch
selinux-policy-targeted-3.14.5-28.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32 machine (targeted policy is active)
2. start the lttng-sessiond service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/29/2020 14:05:20.752:373) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:05:20.752:373) : item=0 name=/dev/random inode=10536 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:05:20.752:373) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:05:20.752:373) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7feaf62ad034 a1=R_OK a2=0x7ffec15e0320 a3=0x7ffec15e0180 items=1 ppid=1 pid=5502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:20.752:373) : avc:  denied  { read } for  pid=5502 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(02/29/2020 14:05:30.592:387) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=PATH msg=audit(02/29/2020 14:05:30.592:387) : item=0 name=/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.alias.bin inode=393521 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:modules_dep_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:05:30.592:387) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:05:30.592:387) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffe9b2d7f30 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=6080 pid=6084 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:30.592:387) : avc:  denied  { read } for  pid=6084 comm=modprobe name=modules.alias.bin dev="vda1" ino=393521 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/29/2020 14:05:30.594:388) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:05:30.594:388) : item=0 name=/var/run/lttng/sessiond-notification inode=33825 dev=00:19 mode=socket,660 ouid=root ogid=tracing rdev=00:00 obj=system_u:object_r:lttng_sessiond_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:05:30.594:388) : cwd=/ 
type=SOCKADDR msg=audit(02/29/2020 14:05:30.594:388) : saddr={ saddr_fam=local path=/var/run/lttng/sessiond-notification } 
type=SYSCALL msg=audit(02/29/2020 14:05:30.594:388) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x30 a1=0x7f694881a8b0 a2=0x6e a3=0x6f items=1 ppid=6079 pid=6080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:30.594:388) : avc:  denied  { connectto } for  pid=6080 comm=lttng-sessiond path=/run/lttng/sessiond-notification scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:system_r:lttng_sessiond_t:s0 tclass=unix_stream_socket permissive=0 
----
type=PROCTITLE msg=audit(02/29/2020 14:05:30.595:389) : proctitle=/usr/bin/lttng-sessiond -d 
type=MMAP msg=audit(02/29/2020 14:05:30.595:389) : fd=49 flags=MAP_SHARED 
type=SYSCALL msg=audit(02/29/2020 14:05:30.595:389) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=6079 pid=6080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:30.595:389) : avc:  denied  { map } for  pid=6080 comm=lttng-sessiond path=/dev/shm/lttng-ust-wait-8 dev="tmpfs" ino=32970 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:lttng_sessiond_tmpfs_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-02-29 19:40:20 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.488:421) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:38:07.488:421) : item=0 name=/dev/random inode=10536 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:07.488:421) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:38:07.488:421) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f6143f7e034 a1=R_OK a2=0x7ffebe248000 a3=0x7ffebe247e60 items=1 ppid=1 pid=14984 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.488:421) : avc:  denied  { read } for  pid=14984 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.497:422) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=PATH msg=audit(02/29/2020 14:38:07.497:422) : item=0 name=/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep inode=393522 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:modules_dep_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:07.497:422) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:38:07.497:422) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffff9c a1=0x7ffc53e96800 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=14985 pid=14989 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.497:422) : avc:  denied  { open } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/29/2020 14:38:07.497:422) : avc:  denied  { read } for  pid=14989 comm=modprobe name=modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.498:423) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=SYSCALL msg=audit(02/29/2020 14:38:07.498:423) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffc53e96490 a2=0x7ffc53e96490 a3=0x0 items=0 ppid=14985 pid=14989 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.498:423) : avc:  denied  { getattr } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.498:424) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=MMAP msg=audit(02/29/2020 14:38:07.498:424) : fd=4 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(02/29/2020 14:38:07.498:424) : arch=x86_64 syscall=mmap success=yes exit=139953097527296 a0=0x0 a1=0x8a1f8 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=14985 pid=14989 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.498:424) : avc:  denied  { map } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.dep.bin dev="vda1" ino=393519 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.499:425) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:38:07.499:425) : item=0 name=/var/run/lttng/sessiond-notification inode=42428 dev=00:19 mode=socket,660 ouid=root ogid=tracing rdev=00:00 obj=system_u:object_r:lttng_sessiond_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:07.499:425) : cwd=/ 
type=SOCKADDR msg=audit(02/29/2020 14:38:07.499:425) : saddr={ saddr_fam=local path=/var/run/lttng/sessiond-notification } 
type=SYSCALL msg=audit(02/29/2020 14:38:07.499:425) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x31 a1=0x7f6133ffe8b0 a2=0x6e a3=0x6f items=1 ppid=14984 pid=14985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.499:425) : avc:  denied  { connectto } for  pid=14985 comm=lttng-sessiond path=/run/lttng/sessiond-notification scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:system_r:lttng_sessiond_t:s0 tclass=unix_stream_socket permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.500:426) : proctitle=/usr/bin/lttng-sessiond -d 
type=MMAP msg=audit(02/29/2020 14:38:07.500:426) : fd=52 flags=MAP_SHARED 
type=SYSCALL msg=audit(02/29/2020 14:38:07.500:426) : arch=x86_64 syscall=mmap success=yes exit=140055729643520 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=14984 pid=14985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.500:426) : avc:  denied  { map } for  pid=14985 comm=lttng-sessiond path=/dev/shm/lttng-ust-wait-8 dev="tmpfs" ino=32970 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:lttng_sessiond_tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:13.342:429) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:38:13.342:429) : item=0 name=/dev/random inode=10536 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:13.342:429) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:38:13.342:429) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fb10eb3b034 a1=R_OK a2=0x7ffec8ae6320 a3=0x7ffec8ae6180 items=1 ppid=1 pid=15581 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:13.342:429) : avc:  denied  { read } for  pid=15581 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1 
----

Comment 2 Richard Fiľo 2020-05-13 16:32:55 UTC
It should be fixed in the selinux-policy package.

Link to PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/245

Comment 3 Lukas Vrabec 2020-05-15 11:38:27 UTC
commit f2f4cfc80091299dd5eb58748032535d752853eb (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Wed May 13 13:51:36 2020 +0200

    Add allow rules for lttng-sessiond domain
    
    Allow lttng-sessiond domain to map files labeled lttng_sessiond_tmpfs_t,
    to connect to unix stream sockets,
    to read from random number generator devices
    and to read the dependencies of kernel modules.
    
    fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1808736


Backported to F32.
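
The reproduce steps in the Description (start the service, search for denials) and the four allow rules summarised in Comment 3, worked through as an added example. This is my script, not the reporter's and not code from selinux-policy: it reduces the AVC records quoted in this bug to TE allow rules the way audit2allow does (one rule per source type, target type and class, permissions merged), and optionally asks the loaded policy via sesearch which of them are still missing. The function names are mine; the sample input is the AVC lines copied from the enforcing- and permissive-mode logs above.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): collapse the
# AVC denials quoted in this bug into TE allow rules, then check the loaded
# policy for them. Needs sh, awk and sort; sesearch (setools) is optional.

# Constructed input: the distinct AVC records from both logs in this report,
# copied verbatim, one record per line.
SAMPLE_AVCS='type=AVC msg=audit(02/29/2020 14:05:20.752:373) : avc:  denied  { read } for  pid=5502 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(02/29/2020 14:05:30.592:387) : avc:  denied  { read } for  pid=6084 comm=modprobe name=modules.alias.bin dev="vda1" ino=393521 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/29/2020 14:05:30.594:388) : avc:  denied  { connectto } for  pid=6080 comm=lttng-sessiond path=/run/lttng/sessiond-notification scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:system_r:lttng_sessiond_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(02/29/2020 14:05:30.595:389) : avc:  denied  { map } for  pid=6080 comm=lttng-sessiond path=/dev/shm/lttng-ust-wait-8 dev="tmpfs" ino=32970 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:lttng_sessiond_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/29/2020 14:38:07.497:422) : avc:  denied  { open } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/29/2020 14:38:07.498:423) : avc:  denied  { getattr } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/29/2020 14:38:07.498:424) : avc:  denied  { map } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.dep.bin dev="vda1" ino=393519 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1'

# Steps 2 and 3 of the report on a live Fedora box (run as root): restart the
# unit and pull the interpreted AVC records it produced in the last 10 minutes.
reproduce_denials() {
    systemctl restart lttng-sessiond.service &&
    ausearch -m AVC,USER_AVC -ts recent -i 2>/dev/null | grep 'avc: *denied'
}

# AVC records on stdin -> allow rules on stdout. The type is the third
# colon-separated field of scontext/tcontext (user:role:type:level); a target
# equal to the source becomes "self", as in the connectto denial above.
avc_to_allow_rules() {
    awk '
    /avc: *denied/ {
        src = ""; tgt = ""; cls = ""; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # permissions run from "{" to "}"
                for (j = i + 1; j <= NF && $j != "}"; j++) p[++n] = $j
            } else if ($i ~ /^scontext=/) {
                split($i, a, ":"); src = a[3]
            } else if ($i ~ /^tcontext=/) {
                split($i, a, ":"); tgt = a[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        if (src == "" || tgt == "" || cls == "" || n == 0) next
        if (tgt == src) tgt = "self"
        key = src " " tgt ":" cls
        for (k = 1; k <= n; k++)                  # merge and de-duplicate perms
            if (!seen[key, p[k]]++) perms[key] = perms[key] " " p[k]
    }
    END {
        for (key in perms) {
            sub(/^ /, "", perms[key])
            if (index(perms[key], " ")) perms[key] = "{ " perms[key] " }"
            print "allow " key " " perms[key] ";"
        }
    }' | sort
}

# Optional live check (needs setools): for every rule on stdin, ask the loaded
# policy whether the permission is granted, directly or through an attribute.
# Lines reported MISSING are what a selinux-policy update still has to add.
check_policy_allows() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch (setools) not installed" >&2; return 2; }
    while read -r _ src tgtcls perms; do
        tgt=${tgtcls%%:*}; cls=${tgtcls#*:}
        perms=${perms#\{ }; perms=${perms% \};}; perms=${perms%;}
        for p in $perms; do
            if [ "$tgt" = self ]; then
                hit=$(sesearch -A -s "$src" -c "$cls" -p "$p" 2>/dev/null | grep -c ' self:' || true)
            else
                hit=$(sesearch -A -s "$src" -t "$tgt" -c "$cls" -p "$p" 2>/dev/null | grep -c '^allow ' || true)
            fi
            [ "$hit" -gt 0 ] && echo "ok      $src $tgt:$cls $p" || echo "MISSING $src $tgt:$cls $p"
        done
    done
}

# Usage: "sh this.sh demo" prints the rules for the quoted records;
# "sh this.sh live" runs the reproduce steps and checks the installed policy.
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow_rules ;;
    live) reproduce_denials | avc_to_allow_rules | check_policy_allows ;;
esac
```

Two things the logs support are worth keeping in mind when reading the output. First, the modprobe records carry exe=/usr/bin/kmod but subj=lttng_sessiond_t, so modprobe runs in the daemon's own domain without a transition, which is why the modules_dep_t accesses are charged to lttng_sessiond_t. Second, the permissive-mode log lists open, getattr and map on modules_dep_t that the enforcing-mode log does not, because in enforcing mode the first read denial aborted the operation; collecting denials in permissive mode before writing rules, as Comment 1 does, is what makes the generated rule set complete. The raw allow rules are a reading aid for the report; in the policy tree itself such access is normally granted through the interface macros of the relevant modules (for example dev_read_rand() for random_device_t) rather than by pasting the rules verbatim.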

Comment 4 Fedora Update System 2020-05-20 11:52:37 UTC
FEDORA-2020-886cc9af08 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

Comment 5 Fedora Update System 2020-05-21 05:23:24 UTC
FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-886cc9af08`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-05-26 03:12:46 UTC
FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.