Bug 1934719
| Summary: | SELinux is preventing pesignd from 'read' accesses on the plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Julian Sikorski <belegdol> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 42 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:541853d863189f649942d46a1fa6cb60303ddcf28b7dcf28be1ff7bc7ea2fa5e;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Julian Sikorski
2021-03-03 17:49:58 UTC
A few other errors have popped up during the build:
SELinux powstrzymuje pesignd przed dostępem write w plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/vmlinuz.tmp.
***** Wtyczka catchall (100. zaufania) sugeruje ***************************
Aby pesignd powinno mieć domyślnie write dostęp do vmlinuz.tmp file.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp
Dodatkowe informacje:
Kontekst źródłowy system_u:system_r:pesign_t:s0
Kontekst docelowy unconfined_u:object_r:mock_var_lib_t:s0
Obiekty docelowe /var/lib/mock/fedora-33-x86_64/root/builddir/build
/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
x86_64/vmlinuz.tmp [ file ]
Źródło pesignd
Ścieżka źródłowa pesignd
Port <Nieznane>
Komputer (removed)
Źródłowe pakiety RPM
Docelowe pakiety RPM
Pakiet RPM polityki SELinuksa selinux-policy-targeted-3.14.6-34.fc33.noarch
Lokalny pakiet RPM polityki selinux-policy-targeted-3.14.6-34.fc33.noarch
SELinux jest włączony True
Typ polityki targeted
Tryb wymuszania Enforcing
Nazwa komputera (removed)
Platforma Linux napoleon2 5.10.19-200.fc33.x86_64 #1 SMP Fri
Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Liczba alarmów 3
Po raz pierwszy 2021-03-03 17:37:36 CET
Po raz ostatni 2021-03-03 18:24:35 CET
Lokalny identyfikator a004caa9-33b9-4ed1-95ae-c58c7d4367f2
Surowe komunikaty audytu
type=AVC msg=audit(1614792275.801:2084): avc: denied { write } for pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/vmlinuz.tmp" dev="dm-0" ino=5128851 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1
Hash: pesignd,pesign_t,mock_var_lib_t,file,write
SELinux powstrzymuje pesignd przed dostępem getattr w plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.
***** Wtyczka catchall (100. zaufania) sugeruje ***************************
Aby pesignd powinno mieć domyślnie getattr dostęp do bzImage file.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp
Dodatkowe informacje:
Kontekst źródłowy system_u:system_r:pesign_t:s0
Kontekst docelowy unconfined_u:object_r:mock_var_lib_t:s0
Obiekty docelowe /var/lib/mock/fedora-33-x86_64/root/builddir/build
/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
x86_64/arch/x86/boot/bzImage [ file ]
Źródło pesignd
Ścieżka źródłowa pesignd
Port <Nieznane>
Komputer napoleon2
Źródłowe pakiety RPM
Docelowe pakiety RPM
Pakiet RPM polityki SELinuksa selinux-policy-targeted-3.14.6-34.fc33.noarch
Lokalny pakiet RPM polityki selinux-policy-targeted-3.14.6-34.fc33.noarch
SELinux jest włączony True
Typ polityki targeted
Tryb wymuszania Enforcing
Nazwa komputera napoleon2
Platforma Linux napoleon2 5.10.19-200.fc33.x86_64 #1 SMP Fri
Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Liczba alarmów 1
Po raz pierwszy 2021-03-03 18:24:35 CET
Po raz ostatni 2021-03-03 18:24:35 CET
Lokalny identyfikator 1574dfce-2148-4255-b287-d5de8bac40fe
Surowe komunikaty audytu
type=AVC msg=audit(1614792275.801:2085): avc: denied { getattr } for pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage" dev="dm-0" ino=5663890 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1
Hash: pesignd,pesign_t,mock_var_lib_t,file,getattr
SELinux powstrzymuje pesignd przed dostępem map w plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.
***** Wtyczka catchall_boolean (89.3 zaufania) sugeruje *******************
Aby allow domain to can mmap files
Wtedy należy powiadomić o tym SELinuksa włączając zmienną logiczną „domain_can_mmap_files”.
Wykonać
setsebool -P domain_can_mmap_files 1
***** Wtyczka catchall (11.6 zaufania) sugeruje ***************************
Aby pesignd powinno mieć domyślnie map dostęp do bzImage file.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp
Dodatkowe informacje:
Kontekst źródłowy system_u:system_r:pesign_t:s0
Kontekst docelowy unconfined_u:object_r:mock_var_lib_t:s0
Obiekty docelowe /var/lib/mock/fedora-33-x86_64/root/builddir/build
/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
x86_64/arch/x86/boot/bzImage [ file ]
Źródło pesignd
Ścieżka źródłowa pesignd
Port <Nieznane>
Komputer napoleon2
Źródłowe pakiety RPM
Docelowe pakiety RPM
Pakiet RPM polityki SELinuksa selinux-policy-targeted-3.14.6-34.fc33.noarch
Lokalny pakiet RPM polityki selinux-policy-targeted-3.14.6-34.fc33.noarch
SELinux jest włączony True
Typ polityki targeted
Tryb wymuszania Enforcing
Nazwa komputera napoleon2
Platforma Linux napoleon2 5.10.19-200.fc33.x86_64 #1 SMP Fri
Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Liczba alarmów 1
Po raz pierwszy 2021-03-03 18:24:35 CET
Po raz ostatni 2021-03-03 18:24:35 CET
Lokalny identyfikator 0534beb9-57e7-41bb-ae65-7129ae3b8505
Surowe komunikaty audytu
type=AVC msg=audit(1614792275.801:2086): avc: denied { map } for pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage" dev="dm-0" ino=5663890 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1
Hash: pesignd,pesign_t,mock_var_lib_t,file,map
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora Linux 35 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '35'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 35 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed. This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38. This message is a reminder that Fedora Linux 38 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '38'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 38 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed. This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42. |