Bug 1929259

Summary: SELinux violations for pmdakvm on debugfs
Product: Fedora
Reporter: Katerina Koukiou <kkoukiou>
Component: pcp
Assignee: Nathan Scott <nathans>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 34
CC: agerstmayr, bugzilla, devin, koen.schram, me+fedoraproject, mgoodwin, mpitt, nathans, praiskup, thunderbirdtr, zpytela
Keywords: Bugfix, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcp-5.3.1-1.fc33 pcp-5.3.1-1.fc34
Last Closed: 2021-06-13 01:19:44 UTC
Type: Bug

Description Katerina Koukiou 2021-02-16 15:04:11 UTC
Description of problem: Our cockpit tests, which we just started running against Fedora 34, detected a new SELinux violation:

audit: type=1400 audit(1613478021.402:346): avc:  denied  { integrity } for  pid=808 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0

Version-Release number of selected component (if applicable):
pcp-5.2.3-2.fc34.x86_64.rpm
pcp-selinux-5.2.3-2.fc34.x86_64.rpm
selinux-policy-3.14.8-1.fc35.noarch

kernel version == 5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64

How reproducible:
I am not sure what in our tests exactly causes this, but it's happening to the majority of them.

If that is legitimate activity, please reassign to selinux-policy and adjust the policy accordingly.

I attach the full journal here [1], in case it's useful. (Our test logs get cleaned up after a few weeks)

[1] https://logs.cockpit-project.org/logs/pull-1685-20210216-120946-834fccca-fedora-34-cockpit-project-cockpit/TestApps-testBasic-fedora-34-127.0.0.2-2501-FAIL.log.gz

Comment 1 Nathan Scott 2021-02-18 06:23:22 UTC
Hi Katerina,

Could you paste/attach the contents of /sys/kernel/security/lockdown and /var/log/pcp/pmcd/kvm.log from this machine?

Thanks!

Comment 2 Katerina Koukiou 2021-02-18 07:42:00 UTC
Hi Nathan,

[root@m1 ~]# cat /sys/kernel/security/lockdown
[none] integrity confidentiality

[root@m1 ~]# cat /var/log/pcp/pmcd/kvm.log
Log for pmdakvm on m1.cockpit.lan started Thu Feb 18 07:34:06 2021

Let me know if I can help in some other way.

Comment 3 Pavel Raiskup 2021-02-25 13:04:23 UTC
I'm also getting this (after upgrade F33=>F34) periodically:
type=AVC msg=audit(1614257948.307:5442): avc:  denied  { integrity } for  pid=1568 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0

Comment 4 Nathan Scott 2021-03-23 02:42:24 UTC
Fix is upstream, will arrive via next PCP update (pcp-5.3.0).

commit 53e1e75d9dbec73b5da2904732b9d83efb4e642c
Author: Nathan Scott <nathans>
Date:   Tue Mar 23 13:28:38 2021 +1100

    selinux: add conditional lockdown policy access by pmdakvm

Comment 5 Fedora Update System 2021-04-16 03:17:42 UTC
FEDORA-2021-bdd9ac9a83 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-bdd9ac9a83

Comment 6 Fedora Update System 2021-04-16 03:17:43 UTC
FEDORA-2021-7df3eeacf8 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8

Comment 7 Fedora Update System 2021-04-16 14:38:23 UTC
FEDORA-2021-bdd9ac9a83 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-bdd9ac9a83`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bdd9ac9a83

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-04-16 15:04:07 UTC
FEDORA-2021-a62f9adc26 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a62f9adc26`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a62f9adc26

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-04-16 16:25:07 UTC
FEDORA-2021-7df3eeacf8 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7df3eeacf8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Martin Pitt 2021-04-23 05:19:44 UTC
This also has crept into RHEL 9 beta now. Do you want a separate bug for tracking this, or do you plan to update 9beta anyway? Thank you!

Comment 11 Nathan Scott 2021-04-23 05:48:34 UTC
There was a new PCP build in el9 just yesterday, so it may be fixed already - what PCP version do you have there, Martin?  No need for a new BZ as further updates are planned too.

cheers.

Comment 12 Martin Pitt 2021-04-23 05:58:05 UTC
I just did an image refresh in https://github.com/cockpit-project/bots/pull/1955 which is how I noticed that. This has pcp-5.2.5-5.el9.x86_64, which is the most current version in el9 according to brew (built on April 17 6 days ago). Yesterday I only see a RHEL 8 build (pcp-5.3.0-3.el8)

Comment 13 Nathan Scott 2021-04-23 06:44:36 UTC
My mistake, I was thinking of the el8 build - we'll push through an el9 build early next week.  Thanks Martin!

Comment 14 Dmitriy Kargapolov 2021-04-28 01:30:46 UTC
(In reply to Fedora Update System from comment #9)
> FEDORA-2021-7df3eeacf8 has been pushed to the Fedora 34 testing repository.
> Soon you'll be able to install the update with the following command:
> `sudo dnf upgrade --enablerepo=updates-testing
> --advisory=FEDORA-2021-7df3eeacf8`
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8
> 
> See also https://fedoraproject.org/wiki/QA:Updates_Testing for more
> information on how to test updates.

I have tried the suggested update on the Fedora 34 (just upgraded from 33) and it didn't fix the problem. I still see this:

Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Unknown [ lockdown ]
Source                        pmdakvm
Source Path                   pmdakvm
Port                          <Unknown>
Host                          home
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.3-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     home
Platform                      Linux home 5.11.15-300.fc34.x86_64 #1 SMP Fri Apr 16 13:41:48 UTC 2021 x86_64 x86_64
Alert Count                   59
First Seen                    2021-04-27 20:17:34 EDT
Last Seen                     2021-04-27 21:25:48 EDT
Local ID                      4e29def5-d4f2-4c7c-8af0-5061dafba77f

Raw Audit Messages
type=AVC msg=audit(1619573148.625:803): avc:  denied  { integrity } for  pid=1585 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0
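As an added triage example (not code from this bug, from PCP or from Fedora), the following Python parses AVC records like the ones quoted in this report, keeps only the lockdown-class denials, and reads the active kernel mode from the /sys/kernel/security/lockdown format shown in comment 2; the sample audit text is constructed, with the first line taken from comment 3 and the second denial made up.

```python
import re

# Constructed sample input (not a live capture): line 1 is the AVC quoted in this
# bug, line 2 is a made-up ordinary debugfs dir denial, line 3 is a non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1614257948.307:5442): avc:  denied  { integrity } for  pid=1568 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0
type=AVC msg=audit(1614257950.100:5443): avc:  denied  { read } for  pid=1568 comm="pmdakvm" name="kvm" dev="debugfs" ino=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1614257950.100:5443): arch=c000003e syscall=257 success=no exit=-13
"""
SAMPLE_LOCKDOWN = "[none] integrity confidentiality\n"  # shape of /sys/kernel/security/lockdown

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
                    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Split one AVC record into a dict of its fields; None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        rec[key] = bare if bare else quoted   # quoted values may contain spaces
    return rec

def lockdown_denials(audit_text):
    """Keep only denials against the SELinux 'lockdown' object class: the domain hit
    a kernel lockdown check (here: debugfs access) without that permission in policy."""
    out = []
    for rec in map(parse_avc, audit_text.splitlines()):
        if rec and rec["result"] == "denied" and rec.get("tclass") == "lockdown":
            out.append({"domain": rec["scontext"].split(":")[2], "comm": rec.get("comm"),
                        "level": rec["perms"][0], "reason": rec.get("lockdown_reason", ""),
                        "enforcing": rec.get("permissive") == "0"})
    return out

def active_lockdown_mode(text):
    """The bracketed word in /sys/kernel/security/lockdown is the active mode."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else None

def triage(audit_text, lockdown_text):
    """Pair each lockdown denial with the kernel mode. SELinux's lockdown hook is
    checked independently of the lockdown LSM, so the AVC is real even when the
    kernel mode reads [none]; the fix belongs in the domain's policy module."""
    mode = active_lockdown_mode(lockdown_text)
    return [dict(d, kernel_mode=mode, rule_hint="allow %s self:lockdown { %s };" % (d["domain"], d["level"]))
            for d in lockdown_denials(audit_text)]
```

The rule_hint is the audit2allow-style candidate for review, not a recommendation to apply it blindly; here the correct fix was the pcp-selinux policy update.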

Comment 15 Nathan Scott 2021-04-29 07:25:02 UTC
Yep, I'm seeing it too - looking into it now, thanks.

Comment 16 Nathan Scott 2021-04-30 01:27:11 UTC
Fixed upstream, will arrive in pcp-5.3.1

commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51 (HEAD -> main)
Author: Nathan Scott <nathans>
Date:   Fri Apr 30 11:25:56 2021 +1000

    selinux: fix detection of lockdown policy class
    
    Resolves Fedora BZ #1929259

Comment 17 Zdenek Pytela 2021-05-12 09:03:19 UTC
Hi pcp folks,

FYI the same bug was reported on selinux-policy and has a fix on the way, too:

bz#1947749

Comment 18 Fedora Update System 2021-06-05 01:09:23 UTC
FEDORA-2021-002f2eabcc has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-002f2eabcc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-002f2eabcc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Fedora Update System 2021-06-05 01:57:09 UTC
FEDORA-2021-84cefda88c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-84cefda88c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-84cefda88c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2021-06-13 01:19:44 UTC
FEDORA-2021-84cefda88c has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2021-06-13 01:49:52 UTC
FEDORA-2021-002f2eabcc has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.