Bug 1969747

Summary: AVC denials seen while running tests in test_integration/test_installation.py
Product: Red Hat Enterprise Linux 8
Reporter: Sudhir Menon <sumenon>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.5
CC: abokovoy, grajaiya, jhrozek, lslebodn, lvrabec, mmalik, mzidek, pbrezina, plautrba, rcritten, ssekidde, tscherf
Target Milestone: beta
Keywords: Regression, TestCaseProvided
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-06-09 08:48:54 UTC
Type: Bug

Description Sudhir Menon 2021-06-09 07:55:02 UTC
Description of problem: AVC denials seen while running tests in test_integration/test_installation.py


Version-Release number of selected component (if applicable):
ipa-server-4.9.3-1.module+el8.5.0+10565+ae980a94.x86_64
selinux-policy-3.14.3-69.el8.noarch
selinux-policy-targeted-3.14.3-69.el8.noarch
389-ds-base-1.4.3.16-13.module+el8.4.0+10307+74bbfb4e.x86_64
krb5-server-1.18.2-10.el8.x86_64

How reproducible: Always


Steps to Reproduce:
1. Run upstream testsuite: test_integration/test_installation.py
2. Check AVC log.

Actual results:
This is a summary AVC file for pytest, for ausearch query for each host, check logs/ausearch-<host>.log
----
time->Wed Jun  9 02:11:09 2021
type=PROCTITLE msg=audit(1623219069.226:22): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E00696D706C696369745F66696C6573002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1623219069.226:22): arch=c000003e syscall=138 success=no exit=-13 a0=0 a1=7ffcce63a9e0 a2=0 a3=0 items=0 ppid=734 pid=776 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1623219069.226:22): avc:  denied  { getattr } for  pid=776 comm="sssd_be" name="/" dev="proc" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  9 02:11:10 2021
type=PROCTITLE msg=audit(1623219070.226:28): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F736574726F75626C6573686F6F7464002D66
type=SYSCALL msg=audit(1623219070.226:28): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffc56387ad0 a2=0 a3=0 items=0 ppid=782 pid=783 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1623219070.226:28): avc:  denied  { getattr } for  pid=783 comm="setroubleshootd" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  9 02:11:10 2021
type=PROCTITLE msg=audit(1623219070.259:29): proctitle=72706D002D716C0066696C6573797374656D
type=SYSCALL msg=audit(1623219070.259:29): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffe0903ab40 a2=0 a3=0 items=0 ppid=783 pid=821 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1623219070.259:29): avc:  denied  { getattr } for  pid=821 comm="rpm" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive


Expected results:
Fix the AVC denials

Additional info:

Comment 2 Alexander Bokovoy 2021-06-09 08:37:37 UTC
Moving to selinux-policy.

On Fedora 34 I have this:

# sesearch --source sssd_t --target proc_t --allow 
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };

e.g. proc_t:filesystem getattr is allowed

On RHEL 8.5.0 I have this:

# sesearch --source sssd_t --target proc_t --allow
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { getattr ioctl lock open read search };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow kernel_system_state_reader proc_t:lnk_file { getattr read };
allow sssd_t proc_t:dir { getattr open search };

e.g. proc_t:filesystem getattr is not allowed.

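The records under "Actual results" and the two sesearch listings in comment 2 can be compared mechanically. The Python below is an added example, not part of this report or of selinux-policy: it joins each AVC record to its PROCTITLE record by audit serial, decodes the hex-encoded argv, reduces each denial to (source type, target type, class, permissions), and looks for an allow rule covering it in a sesearch listing. The sample audit lines and sesearch output are the ones quoted above, embedded so the script runs offline; the third AVC record, which is cut off at "permissive" on the page, is completed as permissive=0 to match its siblings. The one assumption beyond the page is that sssd_t and setroubleshootd_t carry the `domain` attribute, so the "allow domain ..." lines apply to them (on a real host `seinfo -adomain -x` would confirm membership).

```python
"""Triage SELinux AVC denials against a sesearch allow listing (added example)."""
import re
from collections import Counter

# Constructed sample: the PROCTITLE/AVC pairs quoted in the bug report. The third
# AVC line is truncated on the page; it is completed here as permissive=0.
AUDIT_LINES = """\
type=PROCTITLE msg=audit(1623219069.226:22): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E00696D706C696369745F66696C6573002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=AVC msg=audit(1623219069.226:22): avc:  denied  { getattr } for  pid=776 comm="sssd_be" name="/" dev="proc" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=PROCTITLE msg=audit(1623219070.226:28): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F736574726F75626C6573686F6F7464002D66
type=AVC msg=audit(1623219070.226:28): avc:  denied  { getattr } for  pid=783 comm="setroubleshootd" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=PROCTITLE msg=audit(1623219070.259:29): proctitle=72706D002D716C0066696C6573797374656D
type=AVC msg=audit(1623219070.259:29): avc:  denied  { getattr } for  pid=821 comm="rpm" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
"""

# Constructed sample: the proc_t rules from the Fedora 34 and RHEL 8.5 listings in comment 2.
SESEARCH_F34 = """\
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
"""
SESEARCH_RHEL85 = """\
allow domain proc_t:dir { getattr open search };
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { getattr ioctl lock open read search };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow kernel_system_state_reader proc_t:lnk_file { getattr read };
allow sssd_t proc_t:dir { getattr open search };
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\w+))\s*;"
    r"(?:\s*\[\s*(?P<cond>\w+)\s*\]:(?P<val>True|False))?"
)


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def decode_proctitle(value):
    """auditd hex-encodes proctitle when it contains NULs or non-printables, with
    argv entries NUL-separated; a purely printable title is emitted quoted."""
    if value.startswith('"'):
        return value.strip('"').split()
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")


def parse_audit(text):
    """One dict per AVC denial, joined to its PROCTITLE record by audit serial."""
    proctitles, denials = {}, []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = m.group("serial")
        if line.startswith("type=PROCTITLE"):
            fields = dict(FIELD_RE.findall(line))
            proctitles[serial] = decode_proctitle(fields["proctitle"])
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if not a:
                continue
            f = {k: v.strip('"') for k, v in FIELD_RE.findall(a.group("fields"))}
            denials.append({
                "serial": serial, "ts": m.group("ts"),
                "perms": set(a.group("perms").split()), "comm": f.get("comm"),
                "stype": context_type(f["scontext"]), "ttype": context_type(f["tcontext"]),
                "tclass": f["tclass"], "enforcing": f.get("permissive") == "0",
            })
    for d in denials:
        d["argv"] = proctitles.get(d["serial"], [])
    return denials


def parse_sesearch(text):
    """Parse `sesearch --allow` output into rule dicts; the boolean condition is kept."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            rules.append({
                "src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"),
                "perms": set((m.group("perms") or m.group("perm")).split()),
                "cond": m.group("cond"), "cond_val": m.group("val"),
            })
    return rules


def matching_rules(rules, denial, source_attrs=frozenset({"domain"})):
    """Allow rules that cover the denial. A rule whose source is an attribute
    applies when the denied type is assumed to carry it (assumption: every
    process domain has `domain`; attribute membership is not expanded here)."""
    return [r for r in rules
            if (r["src"] == denial["stype"] or r["src"] in source_attrs)
            and r["tgt"] == denial["ttype"] and r["cls"] == denial["tclass"]
            and denial["perms"] <= r["perms"]]


def summarize(denials):
    """Count distinct (source type, target type, class, perms) tuples."""
    return Counter((d["stype"], d["ttype"], d["tclass"], " ".join(sorted(d["perms"])))
                   for d in denials)


def triage(audit_text, sesearch_text):
    """Mark each denial as covered (an allow rule exists) or not."""
    rules = parse_sesearch(sesearch_text)
    return [{**d, "rules": matching_rules(rules, d),
             "covered": bool(matching_rules(rules, d))} for d in parse_audit(audit_text)]


if __name__ == "__main__":
    for d in triage(AUDIT_LINES, SESEARCH_RHEL85):
        state = "allowed by policy" if d["covered"] else "NO allow rule"
        print(f"{d['stype']} -> {d['ttype']}:{d['tclass']} {sorted(d['perms'])} "
              f"[{' '.join(d['argv'])}]: {state}")
    for key, n in summarize(parse_audit(AUDIT_LINES)).items():
        print(n, "x", key)
```

On a live host the two inputs come from `ausearch -m AVC,PROCTITLE` (without `-i`, so proctitle stays hex-encoded) and `sesearch --source <type> --target proc_t --allow`. Run against the RHEL 8.5 listing every denial is reported as uncovered, while against the Fedora 34 listing the single `allow domain proc_t:filesystem getattr;` line covers all three, which is the gap comment 2 points at. The SYSCALL records agree: syscall=138 on arch=c000003e (x86_64) is fstatfs, which SELinux checks as `filesystem getattr`, so all three denials are one policy gap rather than three, consistent with the bug being closed as a duplicate.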
Comment 3 Zdenek Pytela 2021-06-09 08:48:54 UTC

*** This bug has been marked as a duplicate of bug 1967125 ***