Bug 1955466

Summary: RHVH 4.4.6 based on RHEL 8.4: There are AVC denied errors in audit.log after upgrade related to NetworkManager, kdump and dracut
Product: Red Hat Enterprise Linux 8
Reporter: Sandro Bonazzola <sbonazzo>
Component: selinux-policy
Assignee: Lev Veyde <lveyde>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: high
Version: 8.4
CC: lveyde, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-10 09:43:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1955415, 2020997, 2111410

Description Sandro Bonazzola 2021-04-30 07:50:44 UTC
This bug was initially created as a copy of Bug #1955415

I am copying this bug because: NetworkManager related denial seems to require selinux-policy fix. The gluster related denial will be handled on bug #1955461
Please consider including in 8.4 batch update or async.


Description of problem:
After RHVH is upgraded to the latest 4.4.6, there are AVC denied errors in audit.log

Version-Release number of selected component (if applicable):
RHVM: 4.4.6.5-0.17.el8ev
RHVH: redhat-virtualization-host-4.4.6-20210426.0.el8_4

SELinux related packages included:
glusterfs-selinux-1.0-4.el8rhgs.noarch
ipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
libselinux-2.9-5.el8.x86_64
libselinux-utils-2.9-5.el8.x86_64
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
python3-libselinux-2.9-5.el8.x86_64
rpm-plugin-selinux-4.14.3-13.el8.x86_64
selinux-policy-3.14.3-67.el8.noarch
selinux-policy-targeted-3.14.3-67.el8.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20210331.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.6-20210426.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc:  denied' /var/log/audit/audit.log

Actual results:
There are AVC denied errors in audit.log
~~~~~~
# grep 'avc:  denied' /var/log/audit/audit.log
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
~~~~~~

Expected results:
After upgrade, there is no AVC denied error in audit.log

Additional info:

Comment 2 Zdenek Pytela 2021-05-11 20:04:33 UTC
(In reply to Sandro Bonazzola from comment #0)
> There are AVC denied errors in audit.log
> ~~~~~~
> # grep 'avc:  denied' /var/log/audit/audit.log
> type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for 
> pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0
> tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket
> permissive=0
> type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for 
> pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0
> tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket
> permissive=0
> type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for 
> pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat"
> dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
The second denial is dontaudited in current version of selinux-policy, namely since 3.14.3-62.

The first one needs to be addressed in gluster-selinux.
I've found the PR
https://github.com/gluster/glusterfs-selinux/pull/18
and 
https://bugzilla.redhat.com/show_bug.cgi?id=1937300
Fixed In Version: glusterfs-selinux-1.0-3

The latest selinux-policy and glusterfs-selinux packages need to be installed to address the denials.

Given this information:
> SELinux related packages included:
> glusterfs-selinux-1.0-4.el8rhgs.noarch
> selinux-policy-3.14.3-67.el8.noarch
> selinux-policy-targeted-3.14.3-67.el8.noarch

can you check the timestamps of the audit records? It looks like they may have been audited prior to the updated packages' installation.
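The timestamp check asked for above (and step 6 of the reproduction in the description) can be done mechanically: each `msg=audit(...)` carries the epoch time of the denial, so denials older than the selinux-policy install time are stale and say nothing about the updated policy. The following is an added example, not code from the bug or from selinux-policy; the sample input is the three records quoted in this report and the install time is an assumed value (on a real host take it from `rpm -q --qf '%{INSTALLTIME}\n'`).

```python
import re
from collections import Counter

# Constructed sample input: the three AVC records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
"""

# Assumed install time of the updated selinux-policy package (epoch seconds); on a
# real host take it from: rpm -q --qf '%{INSTALLTIME}\n' selinux-policy-targeted
POLICY_INSTALL_TIME = 1619760000.0

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perm>[^}]+?) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one 'avc:  denied' record into a dict, or return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "time": float(m.group("ts")),            # epoch seconds from msg=audit(...)
        "perm": m.group("perm").strip(),
        "comm": fields.get("comm"),
        "source": fields.get("scontext", "::").split(":")[2],  # e.g. glusterd_t
        "target": fields.get("tcontext", "::").split(":")[2],  # e.g. kdumpctl_tmp_t
        "tclass": fields.get("tclass"),
        "enforced": fields.get("permissive") == "0",
    }

def classify(audit_text, policy_install_time):
    """Split denials into those logged before the policy update (stale) and after it."""
    stale, still_open = [], []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            (stale if rec["time"] < policy_install_time else still_open).append(rec)
    return stale, still_open

def summarize(records):
    """Count denials per (source type, target type, object class, permission)."""
    return Counter((r["source"], r["target"], r["tclass"], r["perm"]) for r in records)
```

With the assumed install time, the NetworkManager/kdumpctl_tmp_t denial predates the update and the two glusterd netlink_rdma_socket denials remain open, which is the distinction the comment above asks the reporter to make.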

Comment 3 Zdenek Pytela 2021-06-02 19:38:15 UTC
Sandro,

Have you got the chance to take a look at the notes in #c2, especially compare the timestamps of the AVCs and time of the update?

It can also possibly be related to bz#1949517.

Comment 4 Sandro Bonazzola 2021-06-03 09:58:17 UTC
Redirecting question to Lev Veyde who was looking into the selinux issues on RHV-H recently.

Comment 5 Lev Veyde 2021-06-10 09:31:24 UTC
(In reply to Zdenek Pytela from comment #3)
> Sandro,
> 
> Have you got the chance to take a look at the notes in #c2, especially
> compare the timestamps of the AVCs and time of the update?
> 
> It can also possibly be related to bz#1949517.

No, the issue is real and is certainly there even after cleaning the audit log file and rebooting.

I sent fixes for imgbased, and we'll test these in the latest version of RHV-H/node-ng.

Comment 6 Lev Veyde 2021-06-10 09:35:06 UTC
(In reply to Zdenek Pytela from comment #3)
> Sandro,
> 
> Have you got the chance to take a look at the notes in #c2, especially
> compare the timestamps of the AVCs and time of the update?
> 
> It can also possibly be related to bz#1949517.

Also, it can't be related to the bz#1949517 as the issue here is not wrong labels, but rather missing allow rules in the compiled policy.

Comment 7 Lev Veyde 2021-06-10 09:43:06 UTC
This bug seems to be a clone of https://bugzilla.redhat.com/1955415

*** This bug has been marked as a duplicate of bug 1955415 ***