Bug 1929259
| Summary: | SELinux violations for pmdakvm on debugfs | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Katerina Koukiou <kkoukiou> |
| Component: | pcp | Assignee: | Nathan Scott <nathans> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 34 | CC: | agerstmayr, bugzilla, devin, koen.schram, me+fedoraproject, mgoodwin, mpitt, nathans, praiskup, thunderbirdtr, zpytela |
| Target Milestone: | --- | Keywords: | Bugfix, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pcp-5.3.1-1.fc33 pcp-5.3.1-1.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-13 01:19:44 UTC | Type: | Bug |
Description
Katerina Koukiou
2021-02-16 15:04:11 UTC
Hi Katerina,

Could you paste/attach the contents of /sys/kernel/security/lockdown and /var/log/pcp/pmcd/kvm.log from this machine?

Thanks!

Hi Nathan,

```
[root@m1 ~]# cat /sys/kernel/security/lockdown
[none] integrity confidentiality
[root@m1 ~]# cat /var/log/pcp/pmcd/kvm.log
Log for pmdakvm on m1.cockpit.lan started Thu Feb 18 07:34:06 2021
```

Let me know if I can help somehow else.

I'm also getting this (after upgrade F33=>F34) periodically:

```
type=AVC msg=audit(1614257948.307:5442): avc: denied { integrity } for pid=1568 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0
```

Fix is upstream, will arrive via next PCP update (pcp-5.3.0).

```
commit 53e1e75d9dbec73b5da2904732b9d83efb4e642c
Author: Nathan Scott <nathans>
Date: Tue Mar 23 13:28:38 2021 +1100

    selinux: add conditional lockdown policy access by pmdakvm
```

FEDORA-2021-bdd9ac9a83 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-bdd9ac9a83

FEDORA-2021-7df3eeacf8 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8

FEDORA-2021-bdd9ac9a83 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-bdd9ac9a83`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bdd9ac9a83

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-a62f9adc26 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a62f9adc26`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a62f9adc26

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-7df3eeacf8 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7df3eeacf8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

This also has crept into RHEL 9 beta now. Do you want a separate bug for tracking this, or do you plan to update 9beta anyway? Thank you!

There was a new PCP build in el9 just yesterday, so it may be fixed already - what PCP version do you have there Martin? No need for a new BZ as further updates are planned too.

cheers.

I just did an image refresh in https://github.com/cockpit-project/bots/pull/1955 which is how I noticed that. This has pcp-5.2.5-5.el9.x86_64, which is the most current version in el9 according to brew (built on April 17 6 days ago). Yesterday I only see a RHEL 8 build (pcp-5.3.0-3.el8)

My mistake, I was thinking of the el8 build - we'll push through an el9 build early next week. Thanks Martin!

(In reply to Fedora Update System from comment #9)
> FEDORA-2021-7df3eeacf8 has been pushed to the Fedora 34 testing repository.
> Soon you'll be able to install the update with the following command:
> `sudo dnf upgrade --enablerepo=updates-testing
> --advisory=FEDORA-2021-7df3eeacf8`
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8
>
> See also https://fedoraproject.org/wiki/QA:Updates_Testing for more
> information on how to test updates.

I have tried the suggested update on the Fedora 34 (just upgraded from 33) and it didn't fix the problem. I still see this:

```
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Unknown [ lockdown ]
Source                        pmdakvm
Source Path                   pmdakvm
Port                          <Unknown>
Host                          home
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.3-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     home
Platform                      Linux home 5.11.15-300.fc34.x86_64 #1 SMP Fri Apr 16 13:41:48 UTC 2021 x86_64 x86_64
Alert Count                   59
First Seen                    2021-04-27 20:17:34 EDT
Last Seen                     2021-04-27 21:25:48 EDT
Local ID                      4e29def5-d4f2-4c7c-8af0-5061dafba77f

Raw Audit Messages
type=AVC msg=audit(1619573148.625:803): avc: denied { integrity } for pid=1585 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0
```

Yep, I'm seeing it too - looking into it now, thanks.

Fixed upstream, will arrive in pcp-5.3.1

```
commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51 (HEAD -> main)
Author: Nathan Scott <nathans>
Date: Fri Apr 30 11:25:56 2021 +1000

    selinux: fix detection of lockdown policy class

    Resolves Fedora BZ #1929259
```

Hi pcp folks,

FYI the same bug was reported on selinux-policy and has a fix on the way, too: bz#1947749

FEDORA-2021-002f2eabcc has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-002f2eabcc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-002f2eabcc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-84cefda88c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-84cefda88c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-84cefda88c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-84cefda88c has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-002f2eabcc has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.