Bug 2031356
Summary: | SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t. | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> | |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 35 | CC: | 8ru2u4gz, bgoncalv, dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, vondruch, zbyszek, zpytela | |
Target Milestone: | --- | Keywords: | Triaged | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Unspecified | |||
Whiteboard: | abrt_hash:a878df327c13e55dc37c5d725a8b64927bbee679c6f06ef5c67e4876e8a6a512;VARIANT_ID=workstation; | |||
Fixed In Version: | selinux-policy-35.10-1.fc35 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2057435 (view as bug list) | Environment: | ||
Last Closed: | 2022-01-19 02:11:28 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2057435 |
Description
Mikhail
2021-12-11 09:46:14 UTC
More denials as reported using a different channel: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-35.6-1.fc36.noarch ---- time->Sat Dec 11 07:40:54 2021 type=AVC msg=audit(1639204854.117:978): avc: denied { sys_admin } for pid=322547 comm="systemd-coredum" capability=21 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=1 ---- time->Sat Dec 11 07:40:54 2021 type=AVC msg=audit(1639204854.127:979): avc: denied { mounton } for pid=322548 comm="(sd-parse-elf)" path="/" dev="vda3" ino=256 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 ---- time->Sat Dec 11 07:40:54 2021 type=AVC msg=audit(1639204854.127:980): avc: denied { dac_read_search } for pid=322548 comm="(sd-parse-elf)" capability=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=1 ---- time->Sat Dec 11 07:40:54 2021 type=AVC msg=audit(1639204854.127:981): avc: denied { dac_override } for pid=322548 comm="(sd-parse-elf)" capability=1 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=1 systemd-coredump forks a child process to perform core file analysis (comm=(sd-parse-elf)), and before doing the actual analysis, it sets up some sandbox, using mount and user namespaces. So all this is expected and should be allowed. See https://github.com/systemd/systemd/commit/61aea456c1 for the upstream change. Similar problem has been detected: Happens every time when crashed /usr/libexec/tracker-extract-3 process. hashmarkername: setroubleshoot kernel: 5.16.0-0.rc5.20211217git6441998e2e37.38.fc36.x86_64 package: selinux-policy-targeted-35.7-1.fc36.noarch reason: SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t. type: libreport I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/999 *** Bug 2039983 has been marked as a duplicate of this bug. *** *** Bug 2039985 has been marked as a duplicate of this bug. *** *** Bug 2039986 has been marked as a duplicate of this bug. *** FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd FEDORA-2022-41fa7610dd has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 2043739 has been marked as a duplicate of this bug. *** |