Bug 1944597
| Summary: | AVC message: avc: denied { search } comm="radiusd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Filip Dvorak <fdvorak> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 34 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, pmkellly72, rharwood, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34-1.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-04-05 00:17:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The same issue is with slapd.
type=AVC msg=audit(1617043025.118:6661): avc: denied { search } for pid=254784 comm="slapd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Filipe,
Dou you happen to know why the daemons want to get through /sys/fs/cgroup and read /proc/1/environ?
----
type=PROCTITLE msg=audit(30.3.2021 08:43:21.626:675) : proctitle=/usr/sbin/slapd -u ldap -h ldap:/// ldaps:/// ldapi:///
type=PATH msg=audit(30.3.2021 08:43:21.626:675) : item=0 name=/proc/1/environ inode=13493 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(30.3.2021 08:43:21.626:675) : cwd=/
type=SYSCALL msg=audit(30.3.2021 08:43:21.626:675) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7fff620755c0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=3871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(30.3.2021 08:43:21.626:675) : avc: denied { open } for pid=3871 comm=slapd path=/proc/1/environ dev="proc" ino=13493 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(30.3.2021 08:43:21.626:675) : avc: denied { read } for pid=3871 comm=slapd name=environ dev="proc" ino=13493 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(03/30/21 08:43:21.628:678) : proctitle=/usr/sbin/slapd -u ldap -h ldap:/// ldaps:/// ldapi:///
type=PATH msg=audit(03/30/21 08:43:21.628:678) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/21 08:43:21.628:678) : cwd=/
type=SYSCALL msg=audit(03/30/21 08:43:21.628:678) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x7f43355bf3d6 a1=F_OK a2=0x7f43355df260 a3=0xffffffff items=1 ppid=1 pid=3871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(03/30/21 08:43:21.628:678) : avc: denied { search } for pid=3871 comm=slapd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/30/2021 09:09:43.005:726) : proctitle=/usr/sbin/radiusd -C
type=PATH msg=audit(03/30/2021 09:09:43.005:726) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2021 09:09:43.005:726) : cwd=/
type=SYSCALL msg=audit(03/30/2021 09:09:43.005:726) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f615a9b7555 a1=F_OK a2=0x7f615c46b160 a3=0xffffffff items=1 ppid=1 pid=18142 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(03/30/2021 09:09:43.005:726) : avc: denied { search } for pid=18142 comm=radiusd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
Caught in permissive mode:
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.858:729) : proctitle=/usr/sbin/radiusd -C
type=PATH msg=audit(03/30/2021 09:10:41.858:729) : item=0 name=/proc/1/environ inode=13371 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2021 09:10:41.858:729) : cwd=/
type=SYSCALL msg=audit(03/30/2021 09:10:41.858:729) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7ffd53209e10 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(03/30/2021 09:10:41.858:729) : avc: denied { open } for pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2021 09:10:41.858:729) : avc: denied { read } for pid=18167 comm=radiusd name=environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.861:730) : proctitle=/usr/sbin/radiusd -C
type=PATH msg=audit(03/30/2021 09:10:41.861:730) : item=0 name= inode=13371 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2021 09:10:41.861:730) : cwd=/
type=SYSCALL msg=audit(03/30/2021 09:10:41.861:730) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x6 a1=0x7ff20831b95a a2=0x7ffd53209c10 a3=0x1000 items=1 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(03/30/2021 09:10:41.861:730) : avc: denied { getattr } for pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.864:731) : proctitle=/usr/sbin/radiusd -C
type=SYSCALL msg=audit(03/30/2021 09:10:41.864:731) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x6 a1=TCGETS a2=0x7ffd53209ce0 a3=0x1000 items=0 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(03/30/2021 09:10:41.864:731) : avc: denied { ioctl } for pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 ioctlcmd=TCGETS scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.865:732) : proctitle=/usr/sbin/radiusd -C
type=PATH msg=audit(03/30/2021 09:10:41.865:732) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2021 09:10:41.865:732) : cwd=/
type=SYSCALL msg=audit(03/30/2021 09:10:41.865:732) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x7ff206529555 a1=F_OK a2=0x7ff207fdd160 a3=0xffffffff items=1 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(03/30/2021 09:10:41.865:732) : avc: denied { search } for pid=18167 comm=radiusd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
I wonder why is there the ioctl call.
Important thing is that the radiusd service does not start in enforcing or permissive mode: # journalctl -l -u radiusd Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Trying to enqueue job radiusd.service/start/replace Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Installed new job radiusd.service/start as 2738 Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Enqueued job radiusd.service/start as 2738 Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: About to execute /bin/chown -R radiusd.radiusd /var/run/radiusd Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Forked /bin/chown as 19064 Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Changed failed -> start-pre Mar 30 09:33:12 host-10-0-138-114 systemd[1]: Starting FreeRADIUS high performance RADIUS server.... Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Child 19064 belongs to radiusd.service. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control process exited, code=exited, status=0/SUCCESS Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Running next control command for state start-pre. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: About to execute /usr/sbin/radiusd -C Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Forked /usr/sbin/radiusd as 19065 Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control group is empty. Mar 30 09:33:12 host-10-0-138-114 systemd[19065]: radiusd.service: Executing: /usr/sbin/radiusd -C Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Child 19065 belongs to radiusd.service. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control process exited, code=exited, status=1/FAILURE Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Got final SIGCHLD for state start-pre. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Failed with result 'exit-code'. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Service will not restart (restart setting) Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Changed start-pre -> failed Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Job 2738 radiusd.service/start finished, result=failed Mar 30 09:33:12 host-10-0-138-114 systemd[1]: Failed to start FreeRADIUS high performance RADIUS server.. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Unit entered failed state. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Consumed 95ms CPU time. Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control group is empty. # I guess that some systemd magic is in play. Sorry, my test results come from Fedora rawhide. # rpm -qa freeradius\* selinux-policy\* | sort freeradius-3.0.21-11.fc35.x86_64 selinux-policy-3.14.8-7.fc35.noarch selinux-policy-devel-3.14.8-7.fc35.noarch selinux-policy-targeted-3.14.8-7.fc35.noarch # Hello Zdenek, sorry but I do not know it. I have asked Robbie (Freeradius devel) about it and he does not know it too. According to the backtrace obtained via `perf record -e avc:selinux_audited -a -g --call-graph dwarf`, the cgroupfs access happens via initgroups(3) (libc) -> ... -> detect_container() (libnss_systemd):
radiusd 8678 [004] 270.141023: avc:selinux_audited: requested=0x10000000 denied=0x10000000 audited=0x10000000 result=-13 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=>
ffffffffa0551293 avc_audit_post_callback+0x1d3 ([kernel.kallsyms])
ffffffffa0551293 avc_audit_post_callback+0x1d3 ([kernel.kallsyms])
ffffffffa05728b1 common_lsm_audit+0x111 ([kernel.kallsyms])
ffffffffa0551d39 slow_avc_audit+0x69 ([kernel.kallsyms])
ffffffffa05544cb audit_inode_permission+0x6b ([kernel.kallsyms])
ffffffffa0559c2a selinux_inode_permission+0x19a ([kernel.kallsyms])
ffffffffa054dc80 security_inode_permission+0x30 ([kernel.kallsyms])
ffffffffa033cf57 link_path_walk.part.0.constprop.0+0x257 ([kernel.kallsyms])
ffffffffa033d11a path_lookupat+0x3a ([kernel.kallsyms])
ffffffffa033f17b filename_lookup+0x9b ([kernel.kallsyms])
ffffffffa0327eae do_faccessat+0x6e ([kernel.kallsyms])
ffffffffa0bc58a3 do_syscall_64+0x33 ([kernel.kallsyms])
ffffffffa0c0008c entry_SYSCALL_64_after_hwframe+0x44 ([kernel.kallsyms])
7f4d3b22586b __GI___access+0xb (/usr/lib64/libc-2.33.so)
7f4d394a5680 detect_container+0xa60 (/usr/lib64/libnss_systemd.so.2)
7f4d394a5f24 setup_logging+0x414 (/usr/lib64/libnss_systemd.so.2)
7f4d3b34dc97 __pthread_once_slow+0xe7 (/usr/lib64/libpthread-2.33.so)
7f4d394aab31 _nss_systemd_initgroups_dyn+0xd1 (/usr/lib64/libnss_systemd.so.2)
7f4d3b1fd980 internal_getgrouplist+0x100 (/usr/lib64/libc-2.33.so)
7f4d3b1fdcad initgroups+0x7d (/usr/lib64/libc-2.33.so)
55ba2271d81a main_config_init+0x30a (/usr/sbin/radiusd)
55ba2270dcb4 main+0x434 (/usr/sbin/radiusd)
7f4d3b15bb74 __libc_start_main+0xd4 (/usr/lib64/libc-2.33.so)
55ba2270e3dd _start+0x2d (/usr/sbin/radiusd)
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/669 It pops up when the systemd nss module is used. Not touching the /proc/1/environ access (which appears in permissive mode only because the access to the parent directory is dontaudited) unless it was confirmed required. *** Bug 1935763 has been marked as a duplicate of this bug. *** FEDORA-2021-e221a38cfe has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e221a38cfe FEDORA-2021-e221a38cfe has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e221a38cfe` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e221a38cfe See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-e221a38cfe has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: There is an AVC message during "systemctl start radiusd". Version-Release number of selected component (if applicable): Fedora 34 selinux-policy-3.14.7-24.fc34.noarch freeradius-3.0.21-11.fc34.x86_64 How reproducible: Steps to Reproduce: 1. dnf install freeradius -y 2. systemctl start radiusd Actual results: type=AVC msg=audit(1617097648.526:2779): avc: denied { search } for pid=109628 comm="radiusd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 Expected results: --- NO AVC message --- Additional info: