Bug 1968371

Summary: denied { getattr } name="/" dev="proc"
Product: Red Hat Enterprise Linux 8
Reporter: Marius Vollmer <mvollmer>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 8.5
CC: lvrabec, mmalik, mpitt, plautrba, ssekidde
Target Milestone: beta
Keywords: Triaged
Target Release: 8.5
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-06-08 10:04:43 UTC
Type: Bug

Description Marius Vollmer 2021-06-07 08:33:18 UTC
We get tons of denials like this:

audit: type=1400 audit(1623047623.550:9): avc:  denied  { getattr } for  pid=1492 comm="sssd_be" name="/" dev="proc" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0

selinux-policy-targeted-3.14.3-68.el8.noarch

Comment 2 Martin Pitt 2021-06-07 08:52:47 UTC
It's not specific to sssd -- we also get e.g. these:

audit: type=1400 audit(1623048358.340:103): avc:  denied  { getattr } for  pid=24798 comm="cockpit-session" name="/" dev="proc" ino=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
audit: type=1400 audit(1623048358.463:105): avc:  denied  { getattr } for  pid=24801 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
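The denials quoted in this report come from three different source domains (sssd_t, cockpit_session_t, chkpwd_t) against the same target (proc_t, class filesystem, permission getattr). As an added example, not part of this bug report or of selinux-policy, the script below parses AVC lines into their fields and groups them by target type, class and permission, so that a denial hit from several domains, which points at a policy gap rather than one misbehaving service, stands out. The sample lines are the ones quoted above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials quoted in this report.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1623047623.550:9): avc:  denied  { getattr } for  pid=1492 comm="sssd_be" name="/" dev="proc" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
audit: type=1400 audit(1623048358.340:103): avc:  denied  { getattr } for  pid=24798 comm="cockpit-session" name="/" dev="proc" ino=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
audit: type=1400 audit(1623048358.463:105): avc:  denied  { getattr } for  pid=24801 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (permissions can be a set)
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'result': m.group('result'), 'perms': m.group('perms').split(), **fields}

def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def group_denials(text):
    """Map (target type, tclass, permission) -> set of source domains that were denied it."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (type_of(rec['tcontext']), rec['tclass'], perm)
            groups[key].add(type_of(rec['scontext']))
    return dict(groups)

def policy_wide_candidates(groups, min_domains=2):
    """Keys denied to several unrelated domains are candidates for a policy-wide fix."""
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_domains}

if __name__ == '__main__':
    for key, domains in policy_wide_candidates(group_denials(SAMPLE_AUDIT)).items():
        print(key, domains)
```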

Comment 3 Milos Malik 2021-06-07 11:05:00 UTC
I believe this bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1967125

Comment 4 Zdenek Pytela 2021-06-08 10:04:43 UTC
Milos is right, will be allowed for all domains.

*** This bug has been marked as a duplicate of bug 1967125 ***