Bug 2142021

Summary: AVC denials when running regression tests
Product: Red Hat Enterprise Linux 8
Reporter: michal novacek <mnovacek>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED MIGRATED
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.7
CC: lvrabec, mmalik, nknazeko, xzhou, yoyang
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: 8.9
Flags: zpytela: needinfo? (mnovacek)
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-16 17:30:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description michal novacek 2022-11-11 12:19:28 UTC
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.3-108.el8.noarch
----
time->Fri Nov 11 08:46:33 2022
type=PROCTITLE msg=audit(1668152793.326:1167): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=SYSCALL msg=audit(1668152793.326:1167): arch=c000003e syscall=21 success=no exit=-13 a0=7ffd468b26a0 a1=4 a2=8 a3=0 items=0 ppid=84633 pid=84634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showmount" exe="/usr/sbin/showmount" subj=system_u:system_r:showmount_t:s0 key=(null)
type=AVC msg=audit(1668152793.326:1167): avc:  denied  { read } for  pid=84634 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Fri Nov 11 08:46:33 2022
type=PROCTITLE msg=audit(1668152793.435:1170): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=SYSCALL msg=audit(1668152793.435:1170): arch=c000003e syscall=21 success=no exit=-13 a0=7ffd3f06ecf0 a1=4 a2=8 a3=0 items=0 ppid=84638 pid=84639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showmount" exe="/usr/sbin/showmount" subj=system_u:system_r:showmount_t:s0 key=(null)
type=AVC msg=audit(1668152793.435:1170): avc:  denied  { read } for  pid=84639 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Fri Nov 11 08:46:33 2022
type=PROCTITLE msg=audit(1668152793.546:1173): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=SYSCALL msg=audit(1668152793.546:1173): arch=c000003e syscall=21 success=no exit=-13 a0=7ffe6aee89d0 a1=4 a2=8 a3=0 items=0 ppid=84643 pid=84644 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showmount" exe="/usr/sbin/showmount" subj=system_u:system_r:showmount_t:s0 key=(null)
type=AVC msg=audit(1668152793.546:1173): avc:  denied  { read } for  pid=84644 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Fri Nov 11 08:49:05 2022
type=PROCTITLE msg=audit(1668152945.468:1564): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=SYSCALL msg=audit(1668152945.468:1564): arch=c000003e syscall=21 success=no exit=-13 a0=7ffe45c270b0 a1=4 a2=8 a3=0 items=0 ppid=89391 pid=89392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showmount" exe="/usr/sbin/showmount" subj=system_u:system_r:showmount_t:s0 key=(null)
type=AVC msg=audit(1668152945.468:1564): avc:  denied  { read } for  pid=89392 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Fri Nov 11 08:49:05 2022
type=PROCTITLE msg=audit(1668152945.589:1567): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=SYSCALL msg=audit(1668152945.589:1567): arch=c000003e syscall=21 success=no exit=-13 a0=7ffcec024bc0 a1=4 a2=8 a3=0 items=0 ppid=89396 pid=89397 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showmount" exe="/usr/sbin/showmount" subj=system_u:system_r:showmount_t:s0 key=(null)
type=AVC msg=audit(1668152945.589:1567): avc:  denied  { read } for  pid=89397 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Fri Nov 11 08:49:05 2022
type=PROCTITLE msg=audit(1668152945.693:1570): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=SYSCALL msg=audit(1668152945.693:1570): arch=c000003e syscall=21 success=no exit=-13 a0=7fff39b666e0 a1=4 a2=8 a3=0 items=0 ppid=89401 pid=89402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showmount" exe="/usr/sbin/showmount" subj=system_u:system_r:showmount_t:s0 key=(null)
type=AVC msg=audit(1668152945.693:1570): avc:  denied  { read } for  pid=89402 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
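The records above are raw ausearch output, where the AVC line carries the denial and the PROCTITLE line carries the hex-encoded command line. As an added example (not part of the bug report or of selinux-policy), the following parser groups such lines by audit event id, decodes the proctitle, and tallies denials by source type, target type, class and permissions, which is how a triager turns a wall of repeated denials into the single missing rule; the sample input is two of the records quoted in this report.

```python
import re
from collections import Counter, defaultdict

# Sample input: two ausearch records copied from this bug report.
SAMPLE = """----
time->Fri Nov 11 08:46:33 2022
type=PROCTITLE msg=audit(1668152793.326:1167): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=AVC msg=audit(1668152793.326:1167): avc:  denied  { read } for  pid=84634 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Fri Nov 11 08:46:33 2022
type=PROCTITLE msg=audit(1668152793.435:1170): proctitle=73686F776D6F756E74002D2D6578706F727473006C6F63616C686F7374
type=AVC msg=audit(1668152793.435:1170): avc:  denied  { read } for  pid=84639 comm="showmount" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:showmount_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
"""

# Every line of one audit event shares the msg=audit(<timestamp>:<serial>) id.
EVENT_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NULs; plain values are quoted."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")

def parse_records(text):
    """Return one dict per AVC denial, with the decoded command line attached."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue  # "----" separators and "time->" lines carry no event id
        ev = events[m.group("serial")]
        if line.startswith("type=PROCTITLE"):
            ev["proctitle"] = decode_proctitle(line.split("proctitle=", 1)[1].strip())
        elif line.startswith("type=AVC") and (a := AVC_RE.search(line)):
            ev.update(a.groupdict())
            ev["perms"] = tuple(sorted(ev["perms"].split()))
    return [ev for ev in events.values() if "tclass" in ev]

def summarize(denials):
    """Count denials by (source type, target type, object class, permissions)."""
    def key(d):
        return (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"], d["perms"])
    return Counter(key(d) for d in denials)

def allow_rule(key):
    """Render the TE rule that would cover one summary key (what audit2allow would emit)."""
    src, tgt, cls, perms = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
```

Six identical denials in the report collapse to one key, showmount_t reading a proc_net_t file, so the policy decision is about one rule (or a dontaudit, if the read is not needed), not six.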

Comment 1 Yongcheng Yang 2022-11-14 03:36:46 UTC
I have never seen this, and maybe we need more information about it.
E.g., is it new or always there? How do you trigger this warning?

Comment 3 Zdenek Pytela 2022-11-15 14:17:44 UTC
Michal,

Can you help us identify which configuration changes are needed to trigger these issues?

Comment 6 Zdenek Pytela 2023-01-04 14:07:05 UTC
I see only 2 auto transitions to the showmount_t domain:

rhel88# sesearch -T -t showmount_exec_t -c process
type_transition automount_t showmount_exec_t:process showmount_t;
type_transition sysadm_t showmount_exec_t:process showmount_t;

So perhaps automount is required to be configured to trigger the denial?
An explicit transition seems to be unlikely.

Comment 7 Zdenek Pytela 2023-01-24 18:38:35 UTC
Retargeting to the next release, as reproduction steps or other relevant information are still missing.

Comment 11 Zdenek Pytela 2023-07-20 15:14:28 UTC
Michal,

Can you gather additional debugging data or give me access to a system where the issue reproduces?