Bug 1961311

Summary: allow fapolicyd_t rpm_var_lib_t:dir write (openscap on rhel-8 converted from centos)
Product: Red Hat Enterprise Linux 8
Reporter: Alois Mahdal <amahdal>
Component: fapolicyd
Assignee: Radovan Sroka <rsroka>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.2
CC: dapospis, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-09-08 22:24:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alois Mahdal 2021-05-17 16:48:51 UTC
Description of problem
======================

After converting the system from CentOS-8.3 to RHEL-8.3, we run
hardening using scap-security-guide, and get a fapolicyd denial:

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      32
    selinux-policy-3.14.3-54.el8_3.4.noarch
    ----
    time->Mon May 17 18:18:28 2021
    node=sheep-41.lab.eng.brq.redhat.com type=PROCTITLE msg=audit(1621268308.287:58): proctitle="/usr/sbin/fapolicyd"
    node=sheep-41.lab.eng.brq.redhat.com type=PATH msg=audit(1621268308.287:58): item=1 name="/var/lib/rpm/.dbenv.lock" inode=201326723 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
    node=sheep-41.lab.eng.brq.redhat.com type=PATH msg=audit(1621268308.287:58): item=0 name="/var/lib/rpm/" inode=201326722 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
    node=sheep-41.lab.eng.brq.redhat.com type=CWD msg=audit(1621268308.287:58): cwd="/"
    node=sheep-41.lab.eng.brq.redhat.com type=SYSCALL msg=audit(1621268308.287:58): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564ee1559d50 a2=42 a3=1a4 items=2 ppid=1 pid=838 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="fapolicyd" exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
    node=sheep-41.lab.eng.brq.redhat.com type=AVC msg=audit(1621268308.287:58): avc:  denied  { write } for  pid=838 comm="fapolicyd" name="rpm" dev="dm-0" ino=201326722 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0

audit2allow says:

    allow fapolicyd_t rpm_var_lib_t:dir write


Version-Release number of selected component
============================================

selinux-policy-3.14.3-54.el8_3.4.noarch


How reproducible
================

Seen a few times


Steps to Reproduce
==================

 1. Get CentOS-8.3
 2. Convert to RHEL-8.3 using convert2rhel
 3. Run hardening scripts from scap-security-guide

    as in this task:

    http://pkgs.devel.redhat.com/cgit/tests/scap-security-guide/tree/Upgrade/basic/runtest.sh

    (it contains a reboot and needs to be run with morf__stage=src).

 4. Look for AVCs


Actual results
==============

AVCs


Expected results
================

No AVCs


Additional info
===============

Quoting @mmalik:

> I believe the issue is a RHEL-8 duplicate of:
>
>  *  https://bugzilla.redhat.com/show_bug.cgi?id=1876538
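
To triage a denial like the one in the report, here is an added example (not code from the report, fapolicyd or selinux-policy) that groups audit records by their `audit(ts:serial)` event id, pulls the denied path out of the PATH records, and derives the same audit2allow-style rule from the AVC record. The sample records are constructed from the report's event, trimmed to the relevant fields.

```python
import re
from collections import defaultdict

# Constructed sample: the report's audit event (serial 58), trimmed to the fields used here.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1621268308.287:58): item=1 name="/var/lib/rpm/.dbenv.lock" obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL
type=PATH msg=audit(1621268308.287:58): item=0 name="/var/lib/rpm/" obj=system_u:object_r:rpm_var_lib_t:s0 nametype=PARENT
type=SYSCALL msg=audit(1621268308.287:58): arch=c000003e syscall=257 success=no exit=-13 comm="fapolicyd" exe="/usr/sbin/fapolicyd"
type=AVC msg=audit(1621268308.287:58): avc:  denied  { write } for  pid=838 comm="fapolicyd" name="rpm" dev="dm-0" ino=201326722 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]+) \}')  # avc: denied { perm ... }

def parse_record(line):
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        fields["result"] = m.group(1)
        fields["perms"] = m.group(2).split()
    return fields

def sel_type(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return context.split(":")[2]

def group_events(text):
    """Group records by the msg=audit(ts:serial) token so PATH/SYSCALL/AVC lines of one event stay together."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["msg"]].append(rec)
    return events

def derive_denials(text):
    """For every denied AVC, return the audit2allow-style rule, the subject and the paths involved."""
    out = []
    for event_id, records in group_events(text).items():
        paths = [r["name"] for r in records if r.get("type") == "PATH"]
        for avc in records:
            if avc.get("type") != "AVC" or avc.get("result") != "denied":
                continue
            perms = avc["perms"]
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            rule = "allow %s %s:%s %s;" % (sel_type(avc["scontext"]), sel_type(avc["tcontext"]), avc["tclass"], perm_str)
            out.append({"event": event_id, "comm": avc.get("comm"), "rule": rule, "paths": paths})
    return out

if __name__ == "__main__":
    for d in derive_denials(SAMPLE_AUDIT):
        print(d["comm"], d["paths"], d["rule"])
```

The generated rule only reproduces what audit2allow printed in the report; it is a triage aid for confirming which domain, type and path are involved, and the report itself routes the fix through the policy bug it was marked a duplicate of rather than a local module.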

Comment 1 Dalibor Pospíšil 2021-09-08 22:24:06 UTC

*** This bug has been marked as a duplicate of bug 1944661 ***