Bug 2137085
Summary: Update to selinux-policy-targeted-34.1.44-1.el9.noarch triggers bpf alerts

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 9 |
| Component | selinux-policy |
| Version | CentOS Stream |
| Hardware / OS | All / Linux |
| Status | CLOSED ERRATA |
| Severity / Priority | low / low |
| Keywords | Triaged |
| Type | Bug |
| Target Milestone | rc |
| Target Release | 9.2 |
| Fixed In Version | selinux-policy-38.1.4-1.el9 |
| Doc Type | No Doc Update |
| Reporter | alex |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Milos Malik <mmalik> |
| CC | bstinson, jwboyer, lvrabec, mmalik, nknazeko, zpytela |
| Last Closed | 2023-05-09 08:16:52 UTC |
Created attachment 1919676 [details]
One of the alerts I got.

Description of problem:
Since the last dnf update I applied to my CentOS 9 Stream workstation, I'm getting constant SELinux alerts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-34.1.44-1.el9.noarch

How reproducible:
I believe this happens in more cases, but resuming from suspend always triggers alerts, I think.

Steps to Reproduce:
1. Suspend the system
2. Resume the system

Actual results:
I normally get three SELinux alerts; systemd-rfkill, fprintd, and wpa_supplicant try to access bpf. I have attached the details shown by the SELinux app for one of the alerts.

Expected results:
System should not produce SELinux alerts in normal operation.

---

SELinux denials generated by fprintd are already reported under BZ#2134827. So far I had no luck reproducing them via systemd-rfkill or wpa_supplicant.

---

Hmmm, maybe then close this bug? I can reproduce the issues I have with suspension [this is an X1 Carbon Gen 3], and add any required information to the other bug.

Just for testing:

```text
[root@molly ~]# ausearch -x rf | tail
----
time->Sun Oct 23 18:00:32 2022
type=PROCTITLE msg=audit(1666540832.736:1603): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666540832.736:1603): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffdb4b21150 items=0 ppid=1 pid=95157 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666540832.736:1603): avc: denied { bpf } for pid=95157 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
----
time->Sun Oct 23 19:29:46 2022
type=PROCTITLE msg=audit(1666546186.664:1668): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666546186.664:1668): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffe090efbe0 items=0 ppid=1 pid=105448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666546186.664:1668): avc: denied { bpf } for pid=105448 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0

[root@molly ~]# ausearch -x rf | audit2allow

#============= systemd_rfkill_t ==============
allow systemd_rfkill_t self:capability2 bpf;

[root@molly ~]# ausearch -x wpa | tail
time->Sun Oct 23 19:29:47 2022
type=PROCTITLE msg=audit(1666546187.030:1673): proctitle=2F7573722F7362696E2F7770615F737570706C6963616E74002D63002F6574632F7770615F737570706C6963616E742F7770615F737570706C6963616E742E636F6E66002D75002D73
type=SYSCALL msg=audit(1666546187.030:1673): arch=c000003e syscall=54 success=yes exit=0 a0=c a1=1 a2=1a a3=55f15ed093a0 items=0 ppid=1 pid=1637 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1666546187.030:1673): avc: denied { bpf } for pid=1637 comm="wpa_supplicant" capability=39 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0

[root@molly ~]# ausearch -x wpa | audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability2 bpf;
```

..................

I'm happy to do any other testing you want. And I'm happy to continue tracking this issue on the existing bug.

Cheers,
Álex

---

The denial interpreted:

```text
type=AVC msg=audit(23.10.2022 19:29:46.664:1668) : avc: denied { bpf } for pid=105448 comm=systemd-rfkill capability=bpf scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(23.10.2022 19:29:46.664:1668) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x6 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffe090efbe0 items=0 ppid=1 pid=105448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-rfkill exe=/usr/lib/systemd/systemd-rfkill subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
```

---

(In reply to alex from comment #2)
> I'm happy to do any other testing you want. And I'm happy to continue
> tracking this issue on the existing bug.

Hello Álex,

In the end we use both bugs.

---

If you can reproduce the issues in Fedora, you can try
https://github.com/fedora-selinux/selinux-policy/pull/1529
Checks -> Artifacts -> rpms.zip

---

Commit to backport:

```text
commit b42deb870faaa63be41cd6b6b9d8a5846205e6ea (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Dec 19 14:46:41 2022 +0100

    Allow NetworkManager and wpa_supplicant the bpf capability
```

---

Just did

```shell
$ sudo dnf install https://kojihub.stream.centos.org/kojifiles/packages/selinux-policy/38.1.4/1.el9/noarch/selinux-policy-38.1.4-1.el9.noarch.rpm https://kojihub.stream.centos.org/kojifiles/packages/selinux-policy/38.1.4/1.el9/noarch/selinux-policy-targeted-38.1.4-1.el9.noarch.rpm
```

I'll reboot and report back in 1-2 days, I guess.

---

No messages anymore since the update, so good job!

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483
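The maintainer's "denial interpreted" record (capability=bpf, syscall=setsockopt, a1=SOL_SOCKET, a2=SO_ATTACH_FILTER) is what `ausearch -i` resolves from the raw numeric fields the reporter pasted. The Python below is an added example, not code from this report or from selinux-policy: it groups the raw PROCTITLE/SYSCALL/AVC records by audit event id, resolves the numbers the same way for the values that appear in this thread (capability 39, x86_64 syscall 54, socket option 0x1a), decodes the hex-encoded wpa_supplicant proctitle, and regenerates the `audit2allow` rule. The lookup tables are deliberately limited to the values these records contain, and the sample input is copied from the two events quoted in the report.

```python
"""Interpret raw Linux audit records (PROCTITLE/SYSCALL/AVC) for an SELinux denial.

Added example for this page; not part of selinux-policy or the audit tooling.
"""
import re
from collections import defaultdict

# Capabilities numbered 32 and above are checked via the SELinux 'capability2'
# class; names follow include/uapi/linux/capability.h.
CAPABILITY_NAMES = {32: "mac_override", 33: "mac_admin", 34: "syslog",
                    35: "wake_alarm", 36: "block_suspend", 37: "audit_read",
                    38: "perfmon", 39: "bpf", 40: "checkpoint_restore"}
X86_64_ARCH = "c000003e"
SYSCALL_NAMES_X86_64 = {54: "setsockopt"}   # only the number this report uses
SOL_SOCKET = 1
SOCKOPT_NAMES = {26: "SO_ATTACH_FILTER"}    # a2=1a in the records on this page

MSG_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_record(line):
    """Return (event_id, record_type, fields) for one 'type=... msg=audit(...)' line."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec_type = line.split(None, 1)[0].split("=", 1)[1]
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if rec_type == "AVC":
        a = AVC_RE.search(line)
        fields["decision"], fields["perms"] = a.group(1), a.group(2).split()
    return int(m.group(1)), rec_type, fields


def decode_proctitle(value):
    """The kernel hex-encodes proctitle when argv contains NULs or non-printables."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return b" ".join(bytes.fromhex(value).strip(b"\0").split(b"\0")).decode()
    return value


def audit2allow_rule(s):
    """Same shape audit2allow prints: 'self' when source and target types match."""
    target = "self" if s["source_type"] == s["target_type"] else s["target_type"]
    perms = s["perms"][0] if len(s["perms"]) == 1 else "{ %s }" % " ".join(s["perms"])
    return "allow %s %s:%s %s;" % (s["source_type"], target, s["tclass"], perms)


def interpret(event):
    """Turn one grouped event into the kind of summary `ausearch -i` prints."""
    avc = event["AVC"]
    out = {"source_type": avc["scontext"].split(":")[2],
           "target_type": avc["tcontext"].split(":")[2],
           "tclass": avc["tclass"], "perms": avc["perms"],
           "enforcing": avc.get("permissive") == "0"}
    if "capability" in avc:
        out["capability"] = CAPABILITY_NAMES.get(int(avc["capability"]), avc["capability"])
    sc = event.get("SYSCALL")
    if sc:
        nr = int(sc["syscall"])
        name = SYSCALL_NAMES_X86_64.get(nr) if sc.get("arch") == X86_64_ARCH else None
        out["syscall"] = name or str(nr)
        # success=yes exit=0 next to a denied AVC: the setsockopt() call
        # completed anyway, so the denied capability check was not its
        # failure path. Worth noting before treating the AVC as breakage.
        out["syscall_succeeded"] = sc.get("success") == "yes"
        if name == "setsockopt" and int(sc["a1"], 16) == SOL_SOCKET:
            out["sockopt"] = SOCKOPT_NAMES.get(int(sc["a2"], 16), sc["a2"])
    if "PROCTITLE" in event:
        out["cmdline"] = decode_proctitle(event["PROCTITLE"]["proctitle"])
    out["rule"] = audit2allow_rule(out)
    return out


def analyse(ausearch_output):
    """Group raw `ausearch` output by event id and interpret every event with an AVC."""
    events = defaultdict(dict)
    for line in ausearch_output.splitlines():
        line = line.strip()
        if line.startswith("type="):            # skips 'time->' headers and '----'
            event_id, rec_type, fields = parse_record(line)
            events[event_id][rec_type] = fields
    return [interpret(ev) for _, ev in sorted(events.items()) if "AVC" in ev]


# Sample input: the systemd-rfkill and wpa_supplicant events copied from this report.
SAMPLE_AUSEARCH = """----
time->Sun Oct 23 19:29:46 2022
type=PROCTITLE msg=audit(1666546186.664:1668): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666546186.664:1668): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffe090efbe0 items=0 ppid=1 pid=105448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666546186.664:1668): avc: denied { bpf } for pid=105448 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
----
time->Sun Oct 23 19:29:47 2022
type=PROCTITLE msg=audit(1666546187.030:1673): proctitle=2F7573722F7362696E2F7770615F737570706C6963616E74002D63002F6574632F7770615F737570706C6963616E742F7770615F737570706C6963616E742E636F6E66002D75002D73
type=SYSCALL msg=audit(1666546187.030:1673): arch=c000003e syscall=54 success=yes exit=0 a0=c a1=1 a2=1a a3=55f15ed093a0 items=0 ppid=1 pid=1637 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1666546187.030:1673): avc: denied { bpf } for pid=1637 comm="wpa_supplicant" capability=39 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0
"""

if __name__ == "__main__":
    for s in analyse(SAMPLE_AUSEARCH):
        print("%s -> %s(%s) needs %s (enforcing=%s, call succeeded=%s)" % (
            s["cmdline"], s["syscall"], s.get("sockopt", "?"), s.get("capability"),
            s["enforcing"], s["syscall_succeeded"]))
        print("   ", s["rule"])
```

Feed it `ausearch -m AVC,SYSCALL,PROCTITLE -ts recent` output on a live system instead of the embedded sample; the same grouping by event id is what lets you see that the `capability2 bpf` denial belongs to a `setsockopt(SO_ATTACH_FILTER)` call that nonetheless returned 0.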