Bug 2144505

Summary: SELinux is preventing /usr/bin/cdcc from map access on the file /var/lib/dcc/map.
Product: Red Hat Enterprise Linux 8 Reporter: Brian J. Murrell <brian>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: medium    
Version: 8.7CC: lvrabec, mmalik, nknazeko
Target Milestone: rcKeywords: Triaged
Target Release: 8.8Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-112.el8 Doc Type: No Doc Update
Doc Text:
If this bug requires documentation, please select an appropriate Doc Type value.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 09:04:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brian J. Murrell 2022-11-21 14:02:24 UTC 
SELinux is preventing /usr/bin/cdcc from map access on the file /var/lib/dcc/map.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow any process to mmap any file on system with attribute file_type.
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
You can read 'cdcc_selinux' man page for more details.
Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that cdcc should be allowed map access on the map file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cdcc' --raw | audit2allow -M my-cdcc
# semodule -X 300 -i my-cdcc.pp


Additional Information:
Source Context                system_u:system_r:cdcc_t:s0
Target Context                system_u:object_r:dcc_client_map_t:s0
Target Objects                /var/lib/dcc/map [ file ]
Source                        cdcc
Source Path                   /usr/bin/cdcc
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           dcc-2.3.168-1.el8.x86_64
Target RPM Packages           dcc-2.3.168-1.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-108.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-372.32.1.el8_6.x86_64 #1 SMP Tue Oct 25
                              05:53:57 EDT 2022 x86_64 x86_64
Alert Count                   14
First Seen                    2022-05-18 11:02:18 EDT
Last Seen                     2022-11-21 01:45:19 EST
Local ID                      efad7525-c2de-4272-9e61-cacc83886642

Raw Audit Messages
type=AVC msg=audit(1669013119.191:10940): avc:  denied  { map } for  pid=613575 comm="cdcc" path="/var/lib/dcc/map" dev="dm-7" ino=10220 scontext=system_u:system_r:cdcc_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1669013119.191:10940): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1e14 a2=3 a3=1 items=0 ppid=613567 pid=613575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cdcc exe=/usr/bin/cdcc subj=system_u:system_r:cdcc_t:s0 key=(null)                                          

Hash: cdcc,cdcc_t,dcc_client_map_t,file,map

From what I understand reading https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/new_features_security enabling domain_can_mmap_files feels like a pretty big hammer to trying to resolve this.
Comment 1 Zdenek Pytela 2022-11-28 13:16:11 UTC 
Commit to backport:
commit d4da8199131805e2e6279de80a58851e45e5c123 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Nov 23 12:04:37 2022 +0100

    Allow cdcc mmap dcc-client-map files
Comment 11 errata-xmlrpc 2023-05-16 09:04:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965