Bug 2031668
Summary: | SELinux is preventing systemd-networkd from watch access on the directory / | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Zbigniew Jędrzejewski-Szmek <zbyszek> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 35 | CC: | dwalsh, grepl.miroslav, jon, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-35.13-1.fc35 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2022-02-04 01:22:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Zbigniew Jędrzejewski-Szmek
2021-12-13 07:54:43 UTC
We need more information for analysis of this issue. Please collect SELinux denials and attach them here: # ausearch -m avc -m user_avc -m selinux_err -i -ts today Thank you. 'sudo dnf install /usr/sbin/ausearch' pulls in initscripts, uggggh. Anyway, it doesn't work and ausearch always prints "<no matches>". I think audit doesn't pick up the events, because it starts too late. $ journalctl -b --grep avc|cat -- Journal begins at Sun 2021-12-12 22:24:06 CET, ends at Mon 2021-12-13 09:37:38 CET. -- Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:15 fedora-new audit[564]: AVC avc: denied { watch } for pid=564 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[587]: AVC avc: denied { watch } for pid=587 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[588]: AVC avc: denied { watch } for pid=588 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[589]: AVC avc: denied { watch } for pid=589 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[591]: AVC avc: denied { watch } for pid=591 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 (In reply to Zbigniew Jędrzejewski-Szmek from comment #2) > 'sudo dnf install /usr/sbin/ausearch' pulls in initscripts, uggggh. I suppose initscripts-service should be enough, but this anyway is a different component. Summary fixed. > Anyway, it doesn't work and ausearch always prints "<no matches>". > I think audit doesn't pick up the events, because it starts too late. Right. These ones are not related: > $ journalctl -b --grep avc|cat > -- Journal begins at Sun 2021-12-12 22:24:06 CET, ends at Mon 2021-12-13 > 09:37:38 CET. -- > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" > ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" > ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1028 FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 2049696 has been marked as a duplicate of this bug. *** |