Bug 1940289

Summary: fapolicyd abnormally exits by executing sosreport
Product: Red Hat Enterprise Linux 8
Component: fapolicyd
Version: 8.3
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Masahiro Matsuya <mmatsuya>
Assignee: Radovan Sroka <rsroka>
QA Contact: Dalibor Pospíšil <dapospis>
Docs Contact: Khushbu Borole <kborole>
CC: alakatos, daniel.j.arevalo.ctr, dapospis, jafiala, lvrabec, pvlasin, rsroka
Target Milestone: rc
Keywords: Regression, Triaged
Flags: kborole: needinfo-
Fixed In Version: fapolicyd-1.0.2-6.el8
Doc Type: Bug Fix
Doc Text:
.The `fapolicyd-selinux` SELinux policy now covers all file types

Previously, the `fapolicyd-selinux` SELinux policy did not cover all file types. Consequently, the `fapolicyd` service could not access files located on non-monitored locations such as `sysfs`. With this update, the `fapolicyd` service covers and analyzes all file system types.
Last Closed: 2021-05-18 16:22:41 UTC
Type: Bug
Bug Blocks: 1943251

Description Masahiro Matsuya 2021-03-18 03:50:13 UTC
Description of problem:

The fapolicyd daemon exited abnormally just by running sosreport.

Mar 16 18:13:40 kvm-122-215 fapolicyd[39990]: Error reading (Permission denied)
Mar 16 18:13:40 kvm-122-215 systemd[1]: fapolicyd.service: Main process exited, code=exited, status=1/FAILURE

When this problem happened, the following SELinux denials happened.


   type=AVC msg=audit(1615886020.341:144): avc:  denied  { read open } for  pid=39990 comm="fapolicyd" path="/var/tmp/sos.ii7d63yf/sosreport-kvm-122-215-2021-03-16-vnyuqau/proc/sys/vm/compact_memory" dev="dm-0" ino=441165 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0

After I made a policy to allow this operation, I got another AVC for getattr.

   type=AVC msg=audit(1615886321.065:162): avc:  denied  { getattr } for  pid=23985 comm="fapolicyd" path="/var/tmp/sos.p81ap0s1/sosreport-kvm-122-43-2021-03-16-namgmun/proc/sys/vm/compact_memory" dev="dm-0" ino=462577 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0


sosreport could not complete with the following error when the problem happened.


 Operation not permitted while finalizing archive /var/tmp/sos.c_qrg1u6/sosreport-xxxxxxxxxxxxxxxxxxxxxxxx

Creating archive tarball failed.
Traceback (most recent call last):
  File "/sbin/sosreport", line 19, in <module>
    main(sys.argv[1:])
  File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1423, in main
    sos.execute()
  File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1403, in execute
    return self.final_work()
  File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1323, in final_work
    archivestat)
UnboundLocalError: local variable 'archivestat' referenced before assignment



From strace analysis, it failed to open /var/tmp/sos.xxxxxx/sosreport-xxxxxxxx/proc/sys/vm/compact_memory, which is related to the above SELinux denial. It seems that the access by sosreport was not allowed since the fapolicyd suddenly exited.

When a policy to allow those accesses by fapolicyd was applied, fapolicyd didn't exit suddenly, and the sosreport could complete without any problem.


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8.3

How reproducible:
Always

Steps to Reproduce:
1. Start fapolicyd on RHEL8.3
2. Run sosreport -o system

 NOTE: -o system is to run only the needed plugin. The problem happens without "-o system", but it takes more time to reproduce it.

3. Confirm that fapolicyd exits and an SELinux AVC is in audit.log

Actual results:
fapolicyd exits abnormally.
sosreport cannot complete while fapolicyd is running.

Expected results:
fapolicyd doesn't exit abnormally.
sosreport can complete even while fapolicyd is running.

Additional info:

I will attach a selinux policy file (.pp) and .te file which I used for my test just for a reference.
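
Added example, not part of the original report or of fapolicyd or sos: a small triage helper that groups AVC denials for the `fapolicyd_t` domain by target type and object class, so the full set of denied permissions is visible at once instead of surfacing one AVC at a time as described above. The first two sample records are the ones quoted in this report; the third is constructed to show that other domains are filtered out, and the function names are hypothetical.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'\bpath="([^"]*)"')

SAMPLE_AUDIT_LOG = "\n".join([
    # Records 1 and 2: copied from the report above.
    'type=AVC msg=audit(1615886020.341:144): avc:  denied  { read open } for  pid=39990 comm="fapolicyd" path="/var/tmp/sos.ii7d63yf/sosreport-kvm-122-215-2021-03-16-vnyuqau/proc/sys/vm/compact_memory" dev="dm-0" ino=441165 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1615886321.065:162): avc:  denied  { getattr } for  pid=23985 comm="fapolicyd" path="/var/tmp/sos.p81ap0s1/sosreport-kvm-122-43-2021-03-16-namgmun/proc/sys/vm/compact_memory" dev="dm-0" ino=462577 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0',
    # Record 3: constructed, a denial from an unrelated domain.
    'type=AVC msg=audit(1615886400.000:170): avc:  denied  { read } for  pid=1234 comm="httpd" path="/tmp/x" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0',
])

def context_type(ctx):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def summarize_denials(log_text, source_type="fapolicyd_t"):
    """Group denied permissions by (target type, class) for one source domain."""
    summary = defaultdict(lambda: {"perms": set(), "paths": set(), "records": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m["scontext"]) != source_type:
            continue
        entry = summary[(context_type(m["tcontext"]), m["tclass"])]
        entry["perms"].update(m["perms"].split())
        entry["records"] += 1
        p = PATH_RE.search(line)
        if p:
            entry["paths"].add(p[1])
    return dict(summary)

def format_summary(summary, source_type="fapolicyd_t"):
    """One human-readable line per (target type, class) pair."""
    return [
        f"{source_type} -> {t}:{c} denied {{ {' '.join(sorted(e['perms']))} }} ({e['records']} records)"
        for (t, c), e in sorted(summary.items())
    ]

if __name__ == "__main__":
    print("\n".join(format_summary(summarize_denials(SAMPLE_AUDIT_LOG))))
```

On a live system the same function can be fed the contents of the audit log instead of the embedded sample.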

Comment 20 errata-xmlrpc 2021-05-18 16:22:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (fapolicyd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1952