Bug 1927599

Summary: avahi-daemon watch denials on /etc/avahi with selinux-policy-3.14.7-18.fc34
Product: Fedora
Component: selinux-policy
Version: 34
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Triaged
Type: Bug
Hardware: Unspecified
OS: Unspecified
Reporter: Matt Fagnani <matt.fagnani>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, grepl.miroslav, lvrabec, mikhail.v.gavrilov, mmalik, nixuser, omosnace, plautrba, vmojzis, zpytela
Fixed In Version: selinux-policy-3.14.7-25.fc34
Last Closed: 2021-03-16 00:28:47 UTC

Description Matt Fagnani 2021-02-11 05:51:12 UTC
Description of problem:

I updated a Fedora 34 KDE Plasma installation with sudo dnf upgrade. The update included selinux-policy-3.14.7-18.fc34. I rebooted. avahi-daemon was denied watch accesses on directories listed as /services and / which I think were /etc/avahi/services and /etc/avahi because avahi-daemon called chroot() and the directories were labelled etc_t as /etc/avahi is.

journalctl -b --no-hostname | grep avahi
Feb 11 00:19:07 avahi-daemon[782]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Feb 11 00:19:07 avahi-daemon[782]: Successfully dropped root privileges.
Feb 11 00:19:07 avahi-daemon[782]: avahi-daemon 0.8 starting up.
Feb 11 00:19:07 audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/services" dev="dm-0" ino=3408127 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 11 00:19:07 audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/" dev="dm-0" ino=3407906 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 11 00:19:07 avahi-daemon[782]: Successfully called chroot().
Feb 11 00:19:07 avahi-daemon[782]: Successfully dropped remaining capabilities.
Feb 11 00:19:07 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=avahi-daemon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 11 00:19:07 avahi-daemon[782]: No service file found in /etc/avahi/services.
Feb 11 00:19:07 avahi-daemon[782]: System host name is set to 'localhost'. This is not a suitable mDNS host name, looking for alternatives.
Feb 11 00:19:07 avahi-daemon[782]: Joining mDNS multicast group on interface lo.IPv6 with address ::1.
Feb 11 00:19:07 avahi-daemon[782]: New relevant interface lo.IPv6 for mDNS.
Feb 11 00:19:07 avahi-daemon[782]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
Feb 11 00:19:07 avahi-daemon[782]: New relevant interface lo.IPv4 for mDNS.
Feb 11 00:19:07 avahi-daemon[782]: Network interface enumeration completed.
Feb 11 00:19:07 avahi-daemon[782]: Registering new address record for ::1 on lo.*.
Feb 11 00:19:07 avahi-daemon[782]: Registering new address record for 127.0.0.1 on lo.IPv4.
Feb 11 00:19:08 avahi-daemon[782]: Server startup complete. Host name is linux.local. Local service cookie is 2565993485.
Feb 11 00:19:15 avahi-daemon[782]: Joining mDNS multicast group on interface enp1s0.IPv6 with address fe80::265c:5b24:c7aa:102b.
Feb 11 00:19:15 avahi-daemon[782]: New relevant interface enp1s0.IPv6 for mDNS.
Feb 11 00:19:15 avahi-daemon[782]: Registering new address record for fe80::265c:5b24:c7aa:102b on enp1s0.*.
Feb 11 00:20:00 avahi-daemon[782]: Withdrawing address record for fe80::265c:5b24:c7aa:102b on enp1s0.
Feb 11 00:20:00 avahi-daemon[782]: Leaving mDNS multicast group on interface enp1s0.IPv6 with address fe80::265c:5b24:c7aa:102b.
Feb 11 00:20:00 avahi-daemon[782]: Interface enp1s0.IPv6 no longer relevant for mDNS.
Feb 11 00:20:00 avahi-daemon[782]: Joining mDNS multicast group on interface enp1s0.IPv6 with address fe80::265c:5b24:c7aa:102b.
Feb 11 00:20:00 avahi-daemon[782]: New relevant interface enp1s0.IPv6 for mDNS.
Feb 11 00:20:00 avahi-daemon[782]: Registering new address record for fe80::265c:5b24:c7aa:102b on enp1s0.*.
Feb 11 00:20:00 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /services. For complete SELinux messages run: sealert -l 9104c4df-e283-4ec4-bcbf-5cf82c530cab
Feb 11 00:20:00 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /services.
                                     If you believe that avahi-daemon should be allowed watch access on the services directory by default.
                                     # ausearch -c 'avahi-daemon' --raw | audit2allow -M my-avahidaemon
                                     # semodule -X 300 -i my-avahidaemon.pp
Feb 11 00:20:05 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /. For complete SELinux messages run: sealert -l 9104c4df-e283-4ec4-bcbf-5cf82c530cab
Feb 11 00:20:05 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /.
                                     If you believe that avahi-daemon should be allowed watch access on the  directory by default.
                                     # ausearch -c 'avahi-daemon' --raw | audit2allow -M my-avahidaemon
                                     # semodule -X 300 -i my-avahidaemon.pp
Feb 11 00:20:34 avahi-daemon[782]: Joining mDNS multicast group on interface enp1s0.IPv4 with address 192.168.2.10.
Feb 11 00:20:34 avahi-daemon[782]: New relevant interface enp1s0.IPv4 for mDNS.
Feb 11 00:20:34 avahi-daemon[782]: Registering new address record for 192.168.2.10 on enp1s0.IPv4.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-18.fc34
avahi-0.8-6.fc34

How reproducible:
These denials have happened on each of a few boots.

Steps to Reproduce:
1. Boot a Fedora 34 KDE Plasma installation updated to 2021-2-11
2. Log in to Plasma
3. sudo dnf upgrade --refresh
4. Reboot

Actual results:
avahi-daemon watch denials on /etc/avahi with selinux-policy-3.14.7-18.fc34

Expected results:
No denials would happen.

Additional info:
I'm using the targeted policy in enforcing mode. The denials didn't happen with selinux-policy-3.14.7-17.fc34 or earlier.

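The setroubleshoot hint in the log above builds a local module with `ausearch | audit2allow -M`. The script below is an added example, not part of the bug report and not code from the fedora-selinux policy repository: it does the same translation by hand, from raw AVC lines to the source of a type-enforcement (.te) module, so that the exact rule a temporary workaround would add is visible before anything is loaded. The sample lines are constructed after the two denials in the report (plus one non-AVC line the parser must ignore); the module name my-avahidaemon is the one from the setroubleshoot hint.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy project):
# convert AVC "denied" lines into .te module source, the way
# "ausearch -c avahi-daemon --raw | audit2allow -M my-avahidaemon" does,
# so the allow rule a local workaround would carry can be reviewed first.

# Constructed sample: the two denials from the report and one unrelated line.
SAMPLE_AVC='audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/services" dev="dm-0" ino=3408127 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/" dev="dm-0" ino=3407906 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avahi-daemon[782]: Successfully called chroot().'

# avc_to_te MODULE_NAME
# Reads AVC lines on stdin, prints .te source on stdout. One allow rule per
# (source type, target type, class); permissions from several denials on the
# same triple are merged, so the /services and / denials give a single rule.
avc_to_te() {
    mod=$1
    # Step 1: reduce each denial to T (type), C (class perm) and A (allow)
    # facts. sort -u removes duplicates and fixes the order, which keeps the
    # generated module deterministic.
    facts=$(awk '
        /avc: +denied/ {
            perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
            match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
            match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
            match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
            n = split(perms, p, " ")
            print "T " s[3]; print "T " t[3]
            for (i = 1; i <= n; i++) { print "C " cls " " p[i]; print "A " s[3] " " t[3] ":" cls " " p[i] }
        }' | sort -u)
    [ -n "$facts" ] || { echo "no AVC denials on stdin" >&2; return 1; }

    # Step 2: assemble the module source from the sorted facts.
    printf 'module %s 1.0;\n\nrequire {\n' "$mod"
    printf '%s\n' "$facts" | awk '$1 == "T" { print "    type " $2 ";" }'
    printf '%s\n' "$facts" | awk '
        $1 == "C" {
            if ($2 != cls && cls != "") print "    class " cls " {" pl " };"
            if ($2 != cls) { cls = $2; pl = "" }
            pl = pl " " $3
        }
        END { if (cls != "") print "    class " cls " {" pl " };" }'
    printf '}\n\n'
    printf '%s\n' "$facts" | awk '
        function flush() {
            if (key == "") return
            if (split(pl, a, " ") == 1) print "allow " key " " a[1] ";"
            else print "allow " key " {" pl " };"
        }
        $1 == "A" {
            k = $2 " " $3
            if (k != key) { flush(); key = k; pl = "" }
            pl = pl " " $4
        }
        END { flush() }'
}

# Stand-alone run: print the module the sample denials would produce.
# On a real host the source is then compiled and loaded with
#   checkmodule -M -m -o my-avahidaemon.mod my-avahidaemon.te
#   semodule_package -o my-avahidaemon.pp -m my-avahidaemon.mod
#   semodule -X 300 -i my-avahidaemon.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te my-avahidaemon
```

For the two denials in the report the output contains exactly one rule, `allow avahi_t etc_t:dir watch;`. Note what that grants: etc_t is the label of most of /etc, not only /etc/avahi, so the workaround is broader than a policy change that targets avahi's own directories, and it should be removed again (`semodule -r my-avahidaemon`) once the fixed selinux-policy build is installed. Whether the installed policy already permits the access can be checked with `sesearch -A -s avahi_t -t etc_t -c dir -p watch`, and the labels the daemon actually hits with `ls -Zd /etc/avahi /etc/avahi/services`.
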
Comment 1 Zdenek Pytela 2021-02-11 08:01:22 UTC
Thank you for reporting. I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/572

Comment 2 Zdenek Pytela 2021-02-11 20:02:07 UTC
*** Bug 1927901 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2021-02-24 10:09:15 UTC
FEDORA-2021-ccd3bb057b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b

Comment 4 Fedora Update System 2021-02-24 19:18:14 UTC
FEDORA-2021-ccd3bb057b has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ccd3bb057b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-03-03 15:47:31 UTC
FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-03-12 18:56:53 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-03-16 00:28:47 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.