Bug 2144501

Summary: SELinux is preventing systemctl from getattr access on the filesystem /.
Product: Red Hat Enterprise Linux 8 Reporter: Brian J. Murrell <brian>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: medium    
Version: 8.7CC: lvrabec, mmalik, nknazeko
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 8.8   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-112.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 09:04:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brian J. Murrell 2022-11-21 13:52:53 UTC 
SELinux is preventing systemctl from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp


Additional Information:
Source Context                system_u:system_r:spamd_update_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           
Target RPM Packages           filesystem-3.8-6.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-108.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-372.32.1.el8_6.x86_64 #1 SMP Tue Oct 25
                              05:53:57 EDT 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-11-19 00:33:37 EST
Last Seen                     2022-11-21 01:45:15 EST
Local ID                      7a355dbb-e393-41b1-b0ee-3b1c65801892

Raw Audit Messages
type=AVC msg=audit(1669013115.838:10938): avc:  denied  { getattr } for  pid=613568 comm="systemctl" name="/" dev="dm-4" ino=2 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: systemctl,spamd_update_t,fs_t,filesystem,getattr
Comment 1 Milos Malik 2022-11-21 15:23:21 UTC 
One of our automated tests finds the SELinux denial as well:
----
type=PROCTITLE msg=audit(10/24/2022 19:27:35.904:3855) : proctitle=systemctl condrestart spamassassin.service 
type=SYSCALL msg=audit(10/24/2022 19:27:35.904:3855) : arch=aarch64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffff1981b0 a2=0xffffa64ffb88 a3=0x0 items=0 ppid=584811 pid=585375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:spamd_update_t:s0 key=(null) 
type=AVC msg=audit(10/24/2022 19:27:35.904:3855) : avc:  denied  { getattr } for  pid=585375 comm=systemctl name=/ dev="dm-0" ino=128 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 
----
Comment 4 Zdenek Pytela 2022-11-28 14:15:49 UTC 
To backport:
commit 5cfc3f33e3dec62c6c9417166211b432c4225035 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu Nov 24 13:22:52 2022 +0100

    Allow the spamd_update_t domain get generic filesystem attributes
Comment 16 Zdenek Pytela 2023-01-09 14:33:13 UTC 
*** Bug 2159019 has been marked as a duplicate of this bug. ***
Comment 18 Brian J. Murrell 2023-05-03 15:08:14 UTC 
selinux-policy-3.14.3-112.el8 sure has been a long time in coming.  Why does it take over 4 months for it to be released?
Comment 19 Brian J. Murrell 2023-05-03 15:09:06 UTC 
I'm just noticing "Target Release: 8.8".  Is this really the sort of thing that can only happen on a minor update cadence?
Comment 20 Zdenek Pytela 2023-05-03 18:46:03 UTC 
(In reply to Brian J. Murrell from comment #19)
> I'm just noticing "Target Release: 8.8".  Is this really the sort of thing
> that can only happen on a minor update cadence?

Every RHEL bz follows the workflow which delivers the resolved bzs in the future active minor release [1]. Backport can be requested via the regular Red Hat support channels. Additionally, centos stream can be used as the packages source repository.

[1] How am I supported on a specific RHEL release?
    https://access.redhat.com/articles/64664
Comment 21 Brian J. Murrell 2023-05-03 19:02:56 UTC 
But we do see updates on a much more frequent basis than just minor point releases.  Almost daily but most certainly at least weekly.

How does that happen when this one has to wait for a minor point release update?
Comment 23 errata-xmlrpc 2023-05-16 09:04:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965