Bug 2088257

Summary: [RHEL-9.1] avc denied seen while provisioning
Product: Red Hat Enterprise Linux 9
Reporter: zguo <zguo>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.0
CC: apeetham, kheib, lvrabec, mmalik, mschmidt, nknazeko, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 9.1
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-34.1.40-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: SELinux prevents systemd-modules-load from writing to the kernel messages device and from sending a message to syslogd over a unix domain datagram socket.
Consequence: Failing tests.
Fix: Allow systemd_modules_load_t to write to the kernel messages device and to send a message to syslogd over a unix domain datagram socket.
Result: No AVC.
Last Closed: 2022-11-15 11:13:50 UTC
Type: Bug

Comment 1 Zdenek Pytela 2022-05-19 07:34:30 UTC
Hi,

Do you happen to know which conditions are required to trigger these denials?

The denials interpreted:
----
type=PROCTITLE msg=audit(05/19/2022 04:46:29.636:43) : proctitle=/lib/systemd/systemd-modules-load /etc/rdma/modules/iwarp.conf
type=AVC msg=audit(05/19/2022 04:46:29.636:43) : avc:  denied  { sendto } for  pid=867 comm=systemd-modules path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(05/19/2022 04:46:29.636:43) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7f7b67df0060 a2=0x1e a3=0x7ffcaead12a0 items=0 ppid=1 pid=867 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules exe=/usr/lib/systemd/systemd-modules-load subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
----
type=PROCTITLE msg=audit(05/19/2022 04:46:29.636:44) : proctitle=/lib/systemd/systemd-modules-load /etc/rdma/modules/iwarp.conf
type=AVC msg=audit(05/19/2022 04:46:29.636:44) : avc:  denied  { write } for  pid=867 comm=systemd-modules name=kmsg dev="devtmpfs" ino=10 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(05/19/2022 04:46:29.636:44) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f7b67dee7c8 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=867 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules exe=/usr/lib/systemd/systemd-modules-load subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
----

Comment 2 Zdenek Pytela 2022-05-19 07:35:40 UTC
*** Bug 2088258 has been marked as a duplicate of this bug. ***

Comment 3 zguo 2022-05-19 08:59:37 UTC
(In reply to Zdenek Pytela from comment #1)
> Hi,
> 
> Do you happen to know which conditions are required to trigger these denials?
> 
> The denials interpreted:
> ----
> type=PROCTITLE msg=audit(05/19/2022 04:46:29.636:43) :
> proctitle=/lib/systemd/systemd-modules-load /etc/rdma/modules/iwarp.conf
> type=AVC msg=audit(05/19/2022 04:46:29.636:43) : avc:  denied  { sendto }
> for  pid=867 comm=systemd-modules path=/run/systemd/journal/socket
> scontext=system_u:system_r:systemd_modules_load_t:s0
> tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
> type=SYSCALL msg=audit(05/19/2022 04:46:29.636:43) : arch=x86_64
> syscall=connect success=no exit=EACCES(Permission denied) a0=0x3
> a1=0x7f7b67df0060 a2=0x1e a3=0x7ffcaead12a0 items=0 ppid=1 pid=867
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules
> exe=/usr/lib/systemd/systemd-modules-load
> subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
> ----
> type=PROCTITLE msg=audit(05/19/2022 04:46:29.636:44) :
> proctitle=/lib/systemd/systemd-modules-load /etc/rdma/modules/iwarp.conf
> type=AVC msg=audit(05/19/2022 04:46:29.636:44) : avc:  denied  { write } for
> pid=867 comm=systemd-modules name=kmsg dev="devtmpfs" ino=10
> scontext=system_u:system_r:systemd_modules_load_t:s0
> tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
> type=SYSCALL msg=audit(05/19/2022 04:46:29.636:44) : arch=x86_64
> syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD
> a1=0x7f7b67dee7c8 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=1
> pid=867 auid=unset uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules
> exe=/usr/lib/systemd/systemd-modules-load
> subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
> ----

I am not clear, but at least it might need a machine with an iWarp device installed. Looping in RDMA developers for info.

Comment 4 Milos Malik 2022-05-19 16:16:47 UTC
The following SELinux denials appeared in enforcing mode:
----
type=PROCTITLE msg=audit(05/19/2022 12:12:50.249:249) : proctitle=/usr/lib/systemd/systemd-modules-load 
type=SYSCALL msg=audit(05/19/2022 12:12:50.249:249) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7f51dd53f060 a2=0x1e a3=0x7fff99401f20 items=0 ppid=1 pid=40491 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules exe=/usr/lib/systemd/systemd-modules-load subj=system_u:system_r:systemd_modules_load_t:s0 key=(null) 
type=AVC msg=audit(05/19/2022 12:12:50.249:249) : avc:  denied  { sendto } for  pid=40491 comm=systemd-modules path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(05/19/2022 12:12:50.249:250) : proctitle=/usr/lib/systemd/systemd-modules-load 
type=SYSCALL msg=audit(05/19/2022 12:12:50.249:250) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f51dd53d7c8 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=40491 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-modules exe=/usr/lib/systemd/systemd-modules-load subj=system_u:system_r:systemd_modules_load_t:s0 key=(null) 
type=AVC msg=audit(05/19/2022 12:12:50.249:250) : avc:  denied  { write } for  pid=40491 comm=systemd-modules name=kmsg dev="devtmpfs" ino=10 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
----
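
The AVC records above are in the interpreted (`ausearch -i`) format. As an added example, not code from this bug or from the selinux-policy project, the parser below pulls the access-vector parts out of such records and collapses the denials into the allow rules a fix needs, one per (source type, target type, object class), which is what the Doc Text describes for this bug. The sample input embeds the two AVC records from comment 4 plus a SYSCALL record that must be skipped; the regex assumes the field layout shown in this thread.

```python
import re

# Sample input constructed for this example: the two AVC records quoted in
# comment 4 above, plus a SYSCALL record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(05/19/2022 12:12:50.249:249) : avc:  denied  { sendto } for  pid=40491 comm=systemd-modules path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(05/19/2022 12:12:50.249:250) : avc:  denied  { write } for  pid=40491 comm=systemd-modules name=kmsg dev="devtmpfs" ino=10 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(05/19/2022 12:12:50.249:250) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied)
"""

# Fields of an `ausearch -i` AVC record; permissive= is absent on older kernels.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC record into its access-vector parts; None for other records."""
    if "type=AVC " not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0: the kernel really refused the access (hence EACCES)
        "enforcing": m.group("permissive") == "0",
    }

def allow_rules(audit_text):
    """Collapse denied AVCs into audit2allow-style rules, one per (source, target, class)."""
    needed = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            needed.setdefault(key, set()).update(rec["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(needed.items())
    ]
```

Run over the sample it yields the two rules matching the fix in the Doc Text (write on kmsg_device_t:chr_file, sendto on syslogd_t:unix_dgram_socket); the `enforcing` flag lets a reviewer separate real failures from denials logged by a permissive domain.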

Comment 6 Zdenek Pytela 2022-05-27 12:02:30 UTC
*** Bug 2088258 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2022-11-15 11:13:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283