Bug 2137085

Summary: Update to selinux-policy-targeted-34.1.44-1.el9.noarch triggers bpf alerts
Product: Red Hat Enterprise Linux 9
Reporter: alex
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: low
Version: CentOS Stream
CC: bstinson, jwboyer, lvrabec, mmalik, nknazeko, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 9.2
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-38.1.4-1.el9
Doc Type: No Doc Update
Last Closed: 2023-05-09 08:16:52 UTC
Type: Bug

Attachments:
One of the alerts I got. (attachment 1919676, flags: none)

Description alex 2022-10-23 08:24:35 UTC
Created attachment 1919676 [details]
One of the alerts I got.

Description of problem:

Since the last dnf update I applied to my CentOS 9 Stream workstation, I'm getting constant SELinux alerts.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-34.1.44-1.el9.noarch

How reproducible:

I believe this happens in more cases, but resuming from suspend always triggers alerts, I think.

Steps to Reproduce:

1. Suspend the system
2. Resume the system

Actual results:

I normally get three SELinux alerts: systemd-rfkill, fprintd, and wpa_supplicant try to access bpf.

I have attached the details shown by the SELinux app for one of the alerts.

Expected results:

System should not produce SELinux alerts in normal operation.

Comment 1 Milos Malik 2022-10-23 17:25:51 UTC
SELinux denials generated by fprintd are already reported under BZ#2134827.

So far I had no luck reproducing them via systemd-rfkill or wpa_supplicant.

Comment 2 alex 2022-10-23 17:32:46 UTC
Hmmm, maybe then close this bug? I can reproduce the issues I have with suspension [this is an X1 Carbon Gen 3], and add any required information to the other bug.

Just for testing:

[root@molly ~]# ausearch -x rf | tail
----
time->Sun Oct 23 18:00:32 2022
type=PROCTITLE msg=audit(1666540832.736:1603): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666540832.736:1603): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffdb4b21150 items=0 ppid=1 pid=95157 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666540832.736:1603): avc:  denied  { bpf } for  pid=95157 comm="systemd-rfkill" capability=39  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
----
time->Sun Oct 23 19:29:46 2022
type=PROCTITLE msg=audit(1666546186.664:1668): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666546186.664:1668): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffe090efbe0 items=0 ppid=1 pid=105448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666546186.664:1668): avc:  denied  { bpf } for  pid=105448 comm="systemd-rfkill" capability=39  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0

[root@molly ~]# ausearch -x rf | audit2allow


#============= systemd_rfkill_t ==============
allow systemd_rfkill_t self:capability2 bpf;

[root@molly ~]# ausearch -x wpa | tail
time->Sun Oct 23 19:29:47 2022
type=PROCTITLE msg=audit(1666546187.030:1673): proctitle=2F7573722F7362696E2F7770615F737570706C6963616E74002D63002F6574632F7770615F737570706C6963616E742F7770615F737570706C6963616E742E636F6E66002D75002D73
type=SYSCALL msg=audit(1666546187.030:1673): arch=c000003e syscall=54 success=yes exit=0 a0=c a1=1 a2=1a a3=55f15ed093a0 items=0 ppid=1 pid=1637 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1666546187.030:1673): avc:  denied  { bpf } for  pid=1637 comm="wpa_supplicant" capability=39  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0


[root@molly ~]# ausearch -x wpa | audit2allow


#============= NetworkManager_t ==============
allow NetworkManager_t self:capability2 bpf;


..................

I'm happy to do any other testing you want. And I'm happy to continue tracking this issue on the existing bug.

Cheers,

Álex

Comment 3 Zdenek Pytela 2022-12-15 13:32:07 UTC
The denial interpreted:

type=AVC msg=audit(23.10.2022 19:29:46.664:1668) : avc:  denied  { bpf } for  pid=105448 comm=systemd-rfkill capability=bpf  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(23.10.2022 19:29:46.664:1668) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x6 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffe090efbe0 items=0 ppid=1 pid=105448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-rfkill exe=/usr/lib/systemd/systemd-rfkill subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
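
Joining the AVC record with the SYSCALL and PROCTITLE records that share its audit serial is what turns the raw lines in comment 2 into the interpreted form in comment 3. The script below is an added example, not part of this bug report and not code from ausearch, audit2allow or selinux-policy, that does that join offline. Its sample log is constructed from the records quoted in comment 2; its decoding tables are deliberately limited to the values those records need (arch c000003e, syscall 54, capability 39, level 1 and optname 0x1a, exactly as ausearch -i printed them in comment 3); the function and field names are the example's own. Besides the allow rule audit2allow printed, it reports whether the syscall still succeeded: both records here carry success=yes, so the kernel probed for CAP_BPF, had SELinux log the denial, and completed setsockopt(SO_ATTACH_FILTER) anyway, which is why the reporter saw alerts but nothing stopped working.

```python
"""Join raw SELinux AVC records with the SYSCALL/PROCTITLE records of the same
audit serial (what `ausearch -i` did in comment 3) and say whether the denied
capability check was fatal. Added example; the decoding tables are a small
subset chosen to cover the records quoted on this page."""
import re
from collections import defaultdict

# Constructed sample: the two events posted in comment 2, copied verbatim.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1666546186.664:1668): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666546186.664:1668): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffe090efbe0 items=0 ppid=1 pid=105448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666546186.664:1668): avc:  denied  { bpf } for  pid=105448 comm="systemd-rfkill" capability=39  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
type=PROCTITLE msg=audit(1666546187.030:1673): proctitle=2F7573722F7362696E2F7770615F737570706C6963616E74002D63002F6574632F7770615F737570706C6963616E742F7770615F737570706C6963616E742E636F6E66002D75002D73
type=SYSCALL msg=audit(1666546187.030:1673): arch=c000003e syscall=54 success=yes exit=0 a0=c a1=1 a2=1a a3=55f15ed093a0 items=0 ppid=1 pid=1637 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1666546187.030:1673): avc:  denied  { bpf } for  pid=1637 comm="wpa_supplicant" capability=39  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0
"""

# Decoding tables (subset). The values are the ones ausearch -i printed in
# comment 3: arch c000003e is x86_64, syscall 54 there is setsockopt,
# capability 39 is bpf, level 1 is SOL_SOCKET and optname 0x1a is SO_ATTACH_FILTER.
ARCHES = {0xC000003E: "x86_64"}
SYSCALLS = {("x86_64", 54): "setsockopt"}
CAPABILITIES = {39: "bpf"}
SOCKOPTS = {(1, 0x1A): "SOL_SOCKET/SO_ATTACH_FILTER"}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")


def parse_line(line):
    """Return (record_type, serial, fields) for one raw audit line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "proctitle":
            # An unquoted proctitle is hex: argv contained NUL separators,
            # which auditd hex-encodes instead of quoting.
            fields[key] = bytes.fromhex(raw).replace(b"\0", b" ").decode("utf-8", "replace")
        else:
            fields[key] = raw
    if rtype == "AVC":
        a = AVC_RE.search(body)
        if a:
            fields["result"] = a.group(1)
            fields["perms"] = a.group(2).split()
    return rtype, int(serial), fields


def interpret(log_text):
    """Group records by serial and describe every capability denial found."""
    events = defaultdict(lambda: {"AVC": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        if rtype == "AVC":
            events[serial]["AVC"].append(fields)
        else:
            events[serial][rtype] = fields

    findings = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev.get("SYSCALL", {})
        arch = ARCHES.get(int(sc.get("arch", "0"), 16))
        sysname = SYSCALLS.get((arch, int(sc.get("syscall", "-1"))), sc.get("syscall"))
        for avc in ev["AVC"]:
            if avc.get("tclass") not in ("capability", "capability2"):
                continue
            domain = avc["scontext"].split(":")[2]
            finding = {
                "serial": serial,
                "domain": domain,
                "comm": avc.get("comm"),
                "cmdline": ev.get("PROCTITLE", {}).get("proctitle"),
                "capability": CAPABILITIES.get(int(avc["capability"]), avc["capability"]),
                "syscall": sysname,
                "detail": None,
                # A denial with success=yes means the kernel only probed for the
                # capability and carried on without it; success=no means the
                # check gated the call and the program actually lost it.
                "fatal": (sc["success"] == "no") if "success" in sc else None,
                "allow_rule": f"allow {domain} self:{avc['tclass']} {' '.join(avc['perms'])};",
            }
            if sysname == "setsockopt":
                level, optname = int(sc["a1"], 16), int(sc["a2"], 16)
                finding["detail"] = SOCKOPTS.get((level, optname), f"level={level} optname={optname}")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in interpret(SAMPLE_LOG):
        verdict = "FATAL" if f["fatal"] else "non-fatal probe, syscall succeeded"
        print(f"{f['serial']}: {f['domain']} ({f['comm']}) denied capability {f['capability']} "
              f"in {f['syscall']} {f['detail']}: {verdict}")
        print(f"    cmdline: {f['cmdline']}")
        print(f"    {f['allow_rule']}")
```

The fatal flag is the thing to look at before suppressing or filing a denial: success=yes with an AVC, as on both records here, is a probe that cost nothing but an audit line, whereas success=no with the same AVC means the program lost the operation. The allow rules the script emits are the ones audit2allow printed in comment 2; each grants the capability to the whole domain, so they are a starting point for a reviewed policy change, as done in the fix here, rather than something to load unread.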

Comment 4 Zdenek Pytela 2022-12-19 13:59:02 UTC
(In reply to alex from comment #2)
> I'm happy to do any other testing you want. And I'm happy to continue
> tracking this issue on the existing bug.
Hello Álex,

In the end we use both bugs. If you can reproduce the issues in Fedora, you can try
https://github.com/fedora-selinux/selinux-policy/pull/1529
Checks -> Artifacts -> rpms.zip

Comment 5 Zdenek Pytela 2022-12-19 15:47:51 UTC
Commit to backport:
commit b42deb870faaa63be41cd6b6b9d8a5846205e6ea (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Dec 19 14:46:41 2022 +0100

    Allow NetworkManager and wpa_supplicant the bpf capability

Comment 12 alex 2023-01-20 20:56:54 UTC
No messages anymore since the update, so good job!

Comment 15 errata-xmlrpc 2023-05-09 08:16:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483