Bug 2112044

Summary: lldpad causing AVC messages starting with selinux-policy-targeted 34.1.32
Product: Red Hat Enterprise Linux 9
Reporter: Matt Lucius <malucius>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.1
CC: guazhang, lvrabec, mmalik, nknazeko
Target Milestone: rc
Keywords: Triaged
Target Release: 9.2
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-34.1.44-1.el9
Doc Type: No Doc Update
Last Closed: 2023-05-09 08:16:08 UTC
Type: Bug

Description Matt Lucius 2022-07-28 18:13:20 UTC
Description of problem:
When running lldpad regression tests (specifically that for BZ647020) under RHEL 9.1 beaker is picking up AVC messages during the run (pasted below). These errors do not occur with the RHEL-9.0 distro. 

Doing a sweep with successive versions of the selinux-policy-targeted RPM from 34.1.29 (RHEL-9.0) to 34.1.37 (the RHEL-9.1 distro I was using), the AVC messages started appearing with 34.1.32.

Starting with lldpad in case something needs to be updated, and this can be kicked elsewhere if required.

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.37-1.el9.noarch
----
time->Wed Jul 27 08:34:02 2022
type=PROCTITLE msg=audit(1658925242.581:134): proctitle=2F7573722F7362696E2F6C6C64706164002D74
type=SYSCALL msg=audit(1658925242.581:134): arch=c000003e syscall=44 success=no exit=-13 a0=3 a1=562fe3b20a50 a2=4 a3=0 items=0 ppid=1 pid=21019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lldpad" exe="/usr/sbin/lldpad" subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(1658925242.581:134): avc:  denied  { sendto } for  pid=21019 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F3231303337 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0


Version-Release number of selected component (if applicable):
RHEL-9.1 from 20220718
selinux-policy-targeted 34.1.32 and higher
lldpad lldpad-1.1.0-4.git85e5583.el9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run lldpad regression tests for BZ647020 under Beaker

Actual results:
Test passes with no issues

Expected results:
Beaker picks up AVC error as pasted above (lldpad functionality itself seems to work)

Additional info:
One of the failing runs: https://beaker.engineering.redhat.com/jobs/6858075
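In the raw records above, auditd hex-encodes proctitle and path because the values contain a NUL byte; comment 2 shows the same denial after ausearch -i has decoded it. The following is an added example, not code from the bug or from lldpad/selinux-policy: it decodes a raw type=AVC line (the sample is the record from this description, constructed as one line), flags the leading NUL that marks an abstract-namespace unix socket (the path ends in a pid that is not lldpad's own, so it is the client side of the exchange), and prints the TE rule audit2allow would derive from the record; the rule actually shipped in selinux-policy-34.1.44 is not shown on this page.

```python
import re

# Constructed sample: the raw AVC record quoted in the description, as auditd
# emits it on one line (the path value is hex-encoded because it holds a NUL).
RAW_AVC = (
    'type=AVC msg=audit(1658925242.581:134): avc:  denied  { sendto } for  '
    'pid=21019 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F3231303337 '
    'scontext=system_u:system_r:lldpad_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_dgram_socket permissive=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
HEX_FIELDS = {'path', 'proctitle', 'name', 'comm', 'exe'}  # fields auditd may hex-encode

def decode_field(key, value):
    """auditd quotes a text field, but hex-encodes it (unquoted) when it holds
    NUL, spaces or control bytes; undo both forms."""
    if value.startswith('"'):
        return value.strip('"')
    if key in HEX_FIELDS and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode('utf-8', 'replace')
        except ValueError:
            pass  # not hex after all (e.g. already decoded by ausearch -i)
    return value

def parse_avc(line):
    """Parse one type=AVC line into a dict of decoded fields."""
    m = DECISION_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'decision': m.group(1), 'perms': m.group(2).split()}
    for key, value in FIELD_RE.findall(line):
        rec[key] = decode_field(key, value)
    # A decoded path beginning with NUL is an abstract-namespace unix socket: no
    # filesystem object exists, so the check is against the peer's process context.
    rec['abstract_socket'] = rec.get('path', '').startswith('\x00')
    rec['permissive'] = rec.get('permissive') == '1'
    return rec

def allow_rule(rec):
    """TE rule audit2allow would derive: source type, target type, class, perms
    (the type is the third colon-separated field of an SELinux context)."""
    src, tgt = rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2]
    return 'allow %s %s:%s { %s };' % (src, tgt, rec['tclass'], ' '.join(rec['perms']))
```

Calling `parse_avc(RAW_AVC)` yields path `'\x00/com/intel/lldpad/21037'` with `abstract_socket` set, and `allow_rule()` on that record gives `allow lldpad_t unconfined_t:unix_dgram_socket { sendto };`.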

Comment 1 Aaron Conole 2022-09-14 15:40:01 UTC
Nothing changed from lldpad side.  Can selinux folks please advise?

Comment 2 Milos Malik 2022-09-14 19:15:12 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(09/14/2022 21:11:41.132:354) : proctitle=/usr/sbin/lldpad -t 
type=SOCKADDR msg=audit(09/14/2022 21:11:41.132:354) : saddr={ saddr_fam=local path=/com/intel/lldpad/3270 } 
type=SYSCALL msg=audit(09/14/2022 21:11:41.132:354) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5603959e0840 a2=0x4 a3=0x0 items=0 ppid=1 pid=1217 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(09/14/2022 21:11:41.132:354) : avc:  denied  { sendto } for  pid=1217 comm=lldpad path=/com/intel/lldpad/3270 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 
----

One of reproducers:

# service lldpad restart
Redirecting to /bin/systemctl restart lldpad.service
# lldptool 
lldptool v1.1.0
Copyright (c) 2007-2010, Intel Corporation

Substantially modified from:  hostapd_cli v 0.5.7
Copyright (c) 2004-2007, Jouni Malinen <j> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.



timeout
Warning: Failed to attach to lldpad.

Interactive mode

...

Comment 3 Milos Malik 2022-09-14 19:22:47 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(09/14/2022 21:16:30.227:479) : proctitle=/usr/sbin/lldpad -t 
type=SOCKADDR msg=audit(09/14/2022 21:16:30.227:479) : saddr={ saddr_fam=local path=/com/intel/lldpad/5435 } 
type=SYSCALL msg=audit(09/14/2022 21:16:30.227:479) : arch=x86_64 syscall=sendto success=yes exit=12 a0=0x3 a1=0x55f1d821aae0 a2=0xc a3=0x0 items=0 ppid=1 pid=4979 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(09/14/2022 21:16:30.227:479) : avc:  denied  { sendto } for  pid=4979 comm=lldpad path=/com/intel/lldpad/5435 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1 
----

The same reproducer:

# service lldpad restart
Redirecting to /bin/systemctl restart lldpad.service
# lldptool 
lldptool v1.1.0
Copyright (c) 2007-2010, Intel Corporation

Substantially modified from:  hostapd_cli v 0.5.7
Copyright (c) 2004-2007, Jouni Malinen <j> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.




Interactive mode

>

Comment 14 Nikola Knazekova 2022-10-24 11:25:43 UTC
*** Bug 2136481 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2023-05-09 08:16:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483