Bug 2073265
| Summary: | various avc denials for comm="sss_cache" path="pipe:[18908]" dev="pipefs" | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chris Murphy <bugzilla> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 36 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-36.17-1.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-12-23 01:20:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Chris,

Do you happen to know at which moment this denial appears?

Created attachment 1871474
journal.log

Happens right as cloudinit starts up. While it does happen on the first boot of the image using virt-install, it doesn't happen for subsequent boots, but the journal for these boots also doesn't show cloud-init running.

FEDORA-2022-e7d50924ec has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e7d50924ec` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.

Description of problem:
Multiple AVC errors on first boot.

Version-Release number of selected component (if applicable):
selinux-policy-36.5-1.fc36.noarch
Fedora-Cloud-Base-36-20220405.n.0.x86_64.raw

How reproducible:
Always

Steps to Reproduce:
1. Boot the image, check for AVC errors
2.
3.

Actual results:

```
Apr 08 05:08:21 fedora audit[810]: AVC avc: denied { read } for pid=810 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[810]: AVC avc: denied { write } for pid=810 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[810]: AVC avc: denied { write } for pid=810 comm="sss_cache" path="pipe:[18910]" dev="pipefs" ino=18910 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc: denied { read } for pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18910]" dev="pipefs" ino=18910 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
```

Expected results:
I expect no AVC denials on first boot of a cloud image

Additional info:

```
# find / -inum 18908
/sys/devices/platform/i8042/serio0/wakeup/wakeup28/uevent
/var/lib/selinux/targeted/active/modules/100/jetty/cil
# find / -inum 18909
/sys/devices/platform/i8042/serio0/wakeup/wakeup28/subsystem
/var/lib/selinux/targeted/active/modules/100/jetty/hll
# find / -inum 18910
/sys/devices/platform/i8042/serio0/wakeup/wakeup28/device
/var/lib/selinux/targeted/active/modules/100/jetty/lang_ext
```

I can't tell there are any consequences for these denials.
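
Added example, not part of the bug report or of selinux-policy: a small Python parser that groups the AVC records quoted in the description above by source type, target type and object class, which is the form in which a policy maintainer triages them. The function names are illustrative; the journal lines are the six from the report.

```python
import re
from collections import defaultdict

# The six journal lines quoted in the bug description, embedded verbatim.
JOURNAL = """\
Apr 08 05:08:21 fedora audit[810]: AVC avc: denied { read } for pid=810 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[810]: AVC avc: denied { write } for pid=810 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[810]: AVC avc: denied { write } for pid=810 comm="sss_cache" path="pipe:[18910]" dev="pipefs" ino=18910 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc: denied { read } for pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18910]" dev="pipefs" ino=18910 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def se_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(journal):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "pids": set(), "objects": set(), "count": 0})
    for line in journal.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # unrelated journal line
        g = groups[(se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["pids"].add(int(rec["pid"]))
        g["objects"].add((rec.get("dev"), rec.get("path")))
        g["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(JOURNAL).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} pids={sorted(g['pids'])} objects={sorted(g['objects'])}")
```

The six records reduce to one triple: `sssd_t` denied `read` and `write` on `fifo_file` objects labelled `cloud_init_t`, across two `sss_cache` processes and three pipes. `dev="pipefs"` with a `pipe:[N]` path denotes an anonymous pipe whose inode number belongs to the kernel's internal pipefs, not to an on-disk filesystem.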