Bug 1950267

Summary: Allow unconfined_service_t confidentiality and integrity lockdown permissions
Product: Red Hat Enterprise Linux 9
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 9.0
CC: bgoncalv, bugproxy, hkrzesin, honli, jkaluza, jwboyer, lvrabec, mmalik, omosnace, plautrba, ssekidde, than, zpytela
Target Milestone: beta
Keywords: Triaged
Target Release: 9.0 Beta
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1945581
Environment:
Last Closed: 2021-12-07 21:35:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1945581
Bug Blocks: 1939095
Attachments: sosreport (Flags: none)

Description Zdenek Pytela 2021-04-16 09:21:01 UTC
+++ This bug was initially created as a clone of Bug #1945581 +++

When booting using the mentioned kernel, the following AVCs appear:

type=AVC msg=audit(1617223787.476:141): avc:  denied  { confidentiality } for  pid=792 comm="modprobe" lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0

This blocks the RTT tests needed for 9.0.0-beta compose promotion to nightly compose.

Beaker job: https://beaker.engineering.redhat.com//recipes/9794454#task124163973

Note that the selinux-policy update done as part of https://bugzilla.redhat.com/show_bug.cgi?id=1937682 is so far in gating. Maybe it would fix this issue, but I'm not sure.

--- Additional comment from Jan Kaluža on 2021-04-01 12:41:05 CEST ---

I'm going to untag the kernel from rhel-9.0.0-beta-candidate and rhel-9.0.0-beta-pending to unblock composes, given it is the Thursday before a long weekend in Europe.

--- Additional comment from Zdenek Pytela on 2021-04-01 12:53:56 CEST ---

More data is needed to assess whether it should be addressed in selinux-policy: full auditing enabled and a list of processes.

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today


ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_service_t

--- Additional comment from Ondrej Mosnacek on 2021-04-01 13:14:46 CEST ---

Seems to be caused by this commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bf8e602186ec402ed937b2cbd6c39a34c0029757

...which doesn't play well with SELinux's implementation of lockdown hooks, causing false positive denials when someone tries to load a module that creates some tracefs entries... Not sure yet how to fix it, but reassigning to myself for now.

--- Additional comment from Herton R. Krzesinski on 2021-04-05 16:26:35 CEST ---

(In reply to Ondrej Mosnacek from comment #3)
> Seems to be caused by this commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=bf8e602186ec402ed937b2cbd6c39a34c0029757
> 
> ...which doesn't play well with SELinux's implementation of lockdown hooks,
> causing false positive denials when someone tries to load a module that
> creates some tracefs entries... Not sure yet how to fix it, but reassigning
> to myself for now.

If that's the case, I wonder why this became an issue only now, because the
commit above is from 2019 and went into kernel 5.4:

$ git log v5.3..v5.4 | grep bf8e602186ec402ed937b2cbd6c39a34c0029757
commit bf8e602186ec402ed937b2cbd6c39a34c0029757

--- Additional comment from Herton R. Krzesinski on 2021-04-08 00:09:24 CEST ---

So I was able to reproduce the issue with a p9z-* system I reserved on beaker.
From my investigation I now see why this appears only with the 5.12 kernel,
and it should reproduce only on ppc.

The problem happens when the hcn-init.service service starts on boot or if you
start it manually. It comes from the powerpc-utils-core package:

# rpm -qf /usr/lib/systemd/system/hcn-init.service
powerpc-utils-core-1.3.8-7.el9.ppc64le

One of the things the service above does is "modprobe bonding":

Apr 07 16:46:42 ... systemd[1]: Condition check resulted in Crash recovery kernel arming being skipped.
Apr 07 16:46:42 ... hcnmgr[761]: =======================04-07-2021 16:46:42============================
Apr 07 16:46:42 ... hcnmgr[761]: [DEBUG]:hcnmgr enter
Apr 07 16:46:42 ... hcnmgr[761]: [DEBUG]:HCNMGR: Bonding module not loaded, load module ...

Before, in the 5.11 kernel, the bonding module did not have any dependency.

But with 5.12, the bonding module now depends on the "tls" module. The tls module
seems to be the one which creates the tracefs entries involved in the issue.

The start of the service and its "modprobe bonding" causes the tls module to be loaded,
and that results in the AVC denials we see:

Apr 07 17:11:35 ... audit[763]: AVC avc:  denied  { confidentiality } for  pid=763 comm="modprobe" lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
Apr 07 17:11:35 ... audit[763]: SYSCALL arch=c0000015 syscall=128 success=yes exit=0 a0=7fffa4120010 a1=28010 a2=105507fd8 a3=1002e682 items=16 ppid=743 pid=763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
Apr 07 17:11:35 ... audit: KERN_MODULE name="tls"
Apr 07 17:11:35 ... audit: CWD cwd="/"
Apr 07 17:11:35 ... audit: PATH item=0 name=(null) inode=2076 dev=00:0c mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Apr 07 17:11:35 ... audit: PATH item=1 name=(null) inode=481 dev=00:0c mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
...
Apr 07 17:11:35 ... audit: PROCTITLE proctitle=6D6F6470726F626500626F6E64696E67
Apr 07 17:11:35 ... kernel: Could not create tracefs 'tls/filter' entry
Apr 07 17:11:35 ... kernel: Could not create tracefs 'enable' entry
Apr 07 17:11:35 ... kernel: Could not create tracefs 'enable' entry
...

However, and this is important, the AVC denials only happen when hcn-init.service
is started, either on boot or manually. If I do a "modprobe bonding" manually on
the command line, the AVC denials do not happen, and I do not get the "Could not
create tracefs ..." in dmesg.

--- Additional comment from Herton R. Krzesinski on 2021-04-08 00:13:00 CEST ---

(In reply to Zdenek Pytela from comment #2)
> More data is needed to assess whether it should be addressed in selinux-policy:
> full auditing enabled and a list of processes.
> 
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> 
> 
> ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_service_t

This is the ausearch output:

----
type=AVC msg=audit(04/07/21 16:46:42.832:142) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:143) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:144) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:145) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:146) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:147) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:148) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:149) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:150) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:151) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:152) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:153) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:154) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:155) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:156) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:157) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:158) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:159) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:160) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:161) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:162) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:163) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:164) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:165) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:166) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:167) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:168) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:169) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:170) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:171) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
----
type=AVC msg=audit(04/07/21 16:46:42.832:172) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:173) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:174) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:175) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:176) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:177) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:178) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:179) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:180) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:181) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:182) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:183) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:184) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:185) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=PROCTITLE msg=audit(04/07/21 17:11:35.871:146) : proctitle=modprobe bonding 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=15 name=(null) inode=488 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=14 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=13 name=(null) inode=487 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=12 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=11 name=(null) inode=486 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=10 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=9 name=(null) inode=485 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=8 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=7 name=(null) inode=484 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=6 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=5 name=(null) inode=483 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=4 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=3 name=(null) inode=482 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=2 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=1 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=0 name=(null) inode=2076 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/07/21 17:11:35.871:146) : cwd=/ 
type=KERN_MODULE msg=audit(04/07/21 17:11:35.871:146) : name=tls 
type=SYSCALL msg=audit(04/07/21 17:11:35.871:146) : arch=ppc64le syscall=init_module success=yes exit=0 a0=0x7fffa4120010 a1=0x28010 a2=0x105507fd8 a3=0x1002e682 items=16 ppid=743 pid=763 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
...

--- Additional comment from Ondrej Mosnacek on 2021-04-13 10:19:13 CEST ---

Started a discussion upstream to seek the right solution for this:
https://lore.kernel.org/selinux/CAFqZXNs4eRC6kjFRe6CdwA-sng-w6bcJZf5io+hoLKwM98TVSA@mail.gmail.com/T/

Also setting priority to "urgent" as this seems to block a lot of things...

--- Additional comment from Herton R. Krzesinski on 2021-04-16 00:56:17 CEST ---

Trying to unblock the kernel meanwhile, while we wait for the upstream response etc.: would it make sense, as a temporary workaround, to disable hcn-init.service from starting automatically on boot in the powerpc-utils-core package?

Than, adding you here since it seems you're the maintainer of powerpc-utils. Do you know how important it is to have hcn-init.service started on boot, and whether a workaround like disabling its automatic start on boot would be acceptable? The start of this service is generating an SELinux AVC (for more context see the description and comment #5).

--- Additional comment from Zdenek Pytela on 2021-04-16 11:16:10 CEST ---

I am going to clone this BZ for selinux-policy component to allow the permission for one particular domain. The problem still needs to be addressed in kernel.

Comment 1 Zdenek Pytela 2021-04-16 13:51:31 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/696

Comment 2 Zdenek Pytela 2021-04-20 17:33:50 UTC
Merged in rawhide:
commit a34ebcf284186001f7ef360f6a8d57c3773fed05 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Apr 16 15:45:38 2021 +0200

    Allow unconfined_service_t confidentiality and integrity lockdown

    Allow unconfined_service_t the confidentiality and integrity lockdown
    permissions. Currently, the permissions are allowed for unconfined_t,
    but not for the unconfined_service_t domain with similar behaviour
    expectations, so this change is merely for the sake of consistency.

Comment 9 Zdenek Pytela 2021-05-12 11:34:30 UTC
*** Bug 1957490 has been marked as a duplicate of this bug. ***

Comment 10 IBM Bug Proxy 2021-05-12 11:50:14 UTC
------- Comment From cdeadmin.com 2021-05-06 08:35 EDT-------
<Note by ravikiran, 2021/05/06 07:23:48 seq: 17  rel: 0 action: assign>

Comment 11 IBM Bug Proxy 2021-05-26 07:10:54 UTC
------- Comment From Geetika.Moolchandani1 2021-05-26 03:02 EDT-------
> Hi,
> The required permissions will be added to the policy. We cannot, however,
> confirm the scenario in this bz description works and no other denials are
> triggered. Could you insert a local policy module and verify it?
> # cat local_lockdown.cil
> (allow unconfined_service_t unconfined_service_t (lockdown (confidentiality
> integrity)))
> # semodule -i local_lockdown.cil
> <run the tests>
>
> # semodule -r local_lockdown

Following the above comment, here's what I tried.

1. Check Initial Status

[root@ltcfleet8-lp6 ~]# firewall-cmd --stat
not running
[root@ltcfleet8-lp6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[root@ltcfleet8-lp6 ~]# lssrc -a
Subsystem         Group            PID     Status
ctrmc            rsct             1275    active
IBM.MgmtDomainRM rsct_rm          1400    active
IBM.HostRM       rsct_rm          1462    active
IBM.ServiceRM    rsct_rm          1502    active
IBM.DRM          rsct_rm          1552    active
ctcas            rsct                     inoperative
IBM.ERRM         rsct_rm                  inoperative
IBM.AuditRM      rsct_rm                  inoperative
IBM.SensorRM     rsct_rm                  inoperative

Check RMC connection from HMC : inactive

hscroot@ltchmcv4:~> lssyscfg -r lpar -m ltcfleet8 -F name,rmc_state,rmc_ipaddr,rmc_osshutdown_capable,dlpar_mem_capable,dlpar_proc_capable,dlpar_io_capable
ltcfleet8-lp6,none,,0,0,0,0

2. Modifying local policy

[root@ltcfleet8-lp6 ~]# vi local_lockdown.cil
[root@ltcfleet8-lp6 ~]# cat local_lockdown.cil
(allow unconfined_service_t unconfined_service_t (lockdown (confidentiality
integrity)))

[root@ltcfleet8-lp6 ~]# semodule -i local_lockdown.cil
----<dmesg>----
[  407.965076] SELinux:  policy capability network_peer_controls=1
[  407.965085] SELinux:  policy capability open_perms=1
[  407.965089] SELinux:  policy capability extended_socket_class=1
[  407.965094] SELinux:  policy capability always_check_network=0
[  407.965098] SELinux:  policy capability cgroup_seclabel=1
[  407.965102] SELinux:  policy capability nnp_nosuid_transition=1
[  407.965106] SELinux:  policy capability genfs_seclabel_symlinks=0
-----<dmesg>----
[root@ltcfleet8-lp6 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[root@ltcfleet8-lp6 ~]#

3. Check RMC connection status : still inactive.

hscroot@ltchmcv4:~> lssyscfg -r lpar -m ltcfleet8 -F name,rmc_state,rmc_ipaddr,rmc_osshutdown_capable,dlpar_mem_capable,dlpar_proc_capable,dlpar_io_capable
ltcfleet8-lp6,none,,0,0,0,0

The above seems to make no difference, the RMC connection remains inactive.

------- Comment From kalshett.com 2021-05-26 03:08 EDT-------
(In reply to comment #27)
> This issue has already been resolved in selinux-policy-34.1.2-1.el9.noarch.
>
> IBM people: please update to this package version or use the custom policy
> module from #c6 to verify your issue is gone.
>
> *** This bug has been marked as a duplicate of bug 1950267 ***

As per the last comment from Geetika, i.e. comment 29, the custom policy did not work. So can you provide the "selinux-policy-34.1.2-1.el9.noarch" package for the test team to try?
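The local-module procedure in the comments above (turn the AVC record into a CIL allow statement for exactly the source type, target type and class that were denied, load it with `semodule -i`, retest, remove it with `semodule -r`) is easy to get wrong by hand when several denials arrive. The following is an added example, not code from the bug report or from selinux-policy: it parses the `type=AVC ... avc: denied { perms } for ...` record format shown in this bug, aggregates the denied permissions per (source type, target type, class), emits the minimal CIL rule, and checks whether a given CIL rule actually covers a given denial. The first sample line is the denial quoted in the bug; the second is a constructed variant (its `lockdown_reason` value is made up) so that the aggregation step has two permissions to merge. It mirrors what `audit2allow` does for this case but is not that tool.

```python
"""Derive a minimal CIL allow rule from SELinux AVC denial records.

Added example, not part of the bug report.  Parses the kernel audit
`type=AVC` record format, groups denied permissions by
(source type, target type, tclass) and prints a CIL statement of the
same shape as the local_lockdown.cil module used in the bug.
"""
import re
from collections import defaultdict

# Constructed sample input.  Line 1 is the denial quoted in the bug;
# line 2 is a hypothetical integrity denial for the same domain (the
# lockdown_reason text is made up) so there is something to aggregate.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1617223787.476:141): avc:  denied  { confidentiality } '
    'for  pid=792 comm="modprobe" lockdown_reason="use of tracefs" '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0',
    'type=AVC msg=audit(1617223790.000:142): avc:  denied  { integrity } '
    'for  pid=800 comm="modprobe" lockdown_reason="constructed reason" '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    # A security context is user:role:type:range; index 2 is always the type,
    # even when the MLS range itself contains ':' (e.g. s0-s0:c0.c1023).
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
        'fields': fields,
    }


def denials_to_cil(lines):
    """Aggregate denied permissions and emit one CIL allow rule per
    (source type, target type, class) triple, sorted for stable output."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue  # skip non-AVC lines and 'granted' records
        rules[(avc['stype'], avc['ttype'], avc['tclass'])].update(avc['perms'])
    return "\n".join(
        f"(allow {s} {t} ({c} ({' '.join(sorted(perms))})))"
        for (s, t, c), perms in sorted(rules.items())
    )


# Matches the explicit-type allow form emitted above (not the 'self' form).
CIL_ALLOW_RE = re.compile(r'\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)')


def rule_covers(cil_text, line):
    """True if some allow rule in cil_text grants every permission the
    given AVC record was denied, for the same source/target/class."""
    avc = parse_avc(line)
    if avc is None:
        return False
    for s, t, c, perms in CIL_ALLOW_RE.findall(cil_text):
        if (s, t, c) == (avc['stype'], avc['ttype'], avc['tclass']) \
                and set(avc['perms']) <= set(perms.split()):
            return True
    return False


if __name__ == '__main__':
    cil = denials_to_cil(SAMPLE_AVCS)
    print(cil)
    # Write it to local_lockdown.cil, then on the test host:
    #   semodule -i local_lockdown.cil   (module name = file basename)
    #   <rerun the failing service / tests>
    #   semodule -r local_lockdown
    for line in SAMPLE_AVCS:
        print('covered' if rule_covers(cil, line) else 'NOT covered')
```

Running it prints `(allow unconfined_service_t unconfined_service_t (lockdown (confidentiality integrity)))`, which is the rule the comment above asked IBM to load. The coverage check is the part worth keeping around: after loading a local module, feed any new `ausearch -m AVC` output through `rule_covers` to tell "the rule is wrong" apart from "a different domain or class is now being denied", which is the distinction the RMC retest in this comment could not make on its own.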

Comment 12 IBM Bug Proxy 2021-05-26 07:11:17 UTC
Created attachment 1787109 [details]
sosreport

Comment 13 IBM Bug Proxy 2021-08-11 08:21:12 UTC
------- Comment From kalshett.com 2021-08-11 04:19 EDT-------
Based on comment #34, it is working fine with RHEL-9.0 Beta builds, hence closing.

Comment 16 IBM Bug Proxy 2022-11-01 14:21:50 UTC
------- Comment From cdeadmin.com 2022-11-01 10:13 EDT-------
cde00 (cdeadmin.com) added native attachment /tmp/AIXOS13381983/sosreport-ltcden13-lp4-2021-04-20-ldzmrel.tar.xz on 2022-11-01 09:13:25