Bug 2148561

Summary: SELinux is preventing /usr/bin/ipmitool from ioctl access on the chr_file /dev/ipmi0.
Product: Red Hat Enterprise Linux 8
Reporter: cweather
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: medium
Version: 8.7
CC: daniel.j.arevalo.civ, jafiala, lvrabec, mmalik, nknazeko, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.14.3-114.el8
Doc Type: Bug Fix
Doc Text:
The SELinux policy now allows confined administrators to access `ipmi` devices when IPMItool runs

Previously, the SELinux policy did not allow confined administrators to read and write `ipmi` devices when the IPMItool utility was run. As a consequence, when a confined administrator ran `ipmitool`, it failed. This update adds allow rules to `selinux-policy` for administrators assigned to the `sysadm_r` SELinux role. As a result, when a confined administrator runs `ipmitool`, it works correctly.
Story Points: ---
Last Closed: 2023-05-16 09:04:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2158419

Description cweather 2022-11-25 22:48:00 UTC
Description of problem:
SELinux is preventing /usr/bin/ipmitool from ioctl access on the chr_file /dev/ipmi0.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-108.el8.noarch                        Wed Nov  9 11:19:25 2022
ipmitool-1.8.18-18.el8.x86_64                               Wed Nov 23 07:55:32 2022
Linux cauchy.sd.spawar.navy.mil 4.18.0-425.3.1.el8.x86_64 

How reproducible:
Always

Steps to Reproduce:
1.  Use ipmitool
2.  Recent version of selinux policy
3.  SELinux enabled

Actual results:
Receive AVC denials in /var/log/messages

Expected results:
No AVC denials

Additional info:
The default SELinux policy does not provide the necessary permissions for admins operating under the sysadm_t label to use ipmitool.

Missing permissions appear to be open, read, write, and ioctl on the chr_file class with the ipmi_device_t label.

Context: system_u:object_r:ipmi_device_t:s0 /dev/ipmi0
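
The AVC denials the report describes can be turned into the exact policy statement they imply, which is what audit2allow does under the hood. The following is an added example, not code from the reporter or from the selinux-policy project: it parses constructed AVC records (pids, timestamps and inode are made up; the permissions, types, object class and /dev/ipmi0 context follow the report), aggregates them per (source type, target type, class), and renders a CIL allow rule that can be compared against what the fixed policy ships.

```python
import re
from collections import defaultdict

# Constructed sample of the denials the report describes, in the shape auditd
# writes them. Timestamps, pid and inode are made up; permissions, types, class
# and the /dev/ipmi0 context follow the report. The last record is a non-denial
# AVC event included to show that it is ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1669416480.101:201): avc:  denied  { read write } for  pid=4242 comm="ipmitool" name="ipmi0" dev="devtmpfs" ino=1234 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1669416480.102:202): avc:  denied  { open } for  pid=4242 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=1234 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1669416480.103:203): avc:  denied  { ioctl } for  pid=4242 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=1234 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=USER_AVC msg=audit(1669416480.104:204): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# Only "avc: denied" records carry the (perms, scontext, tcontext, tclass) tuple we need.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Third field of user:role:type[:level] is the SELinux type."""
    return context.split(":")[2]


def parse_denials(text, comm=None):
    """Aggregate AVC denials into {(source_type, target_type, tclass): {perms}}.

    Non-denial lines are skipped; if comm is given, only denials raised by
    that executable name are kept (here: "ipmitool").
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def to_cil(rules):
    """Render the aggregated denials as CIL allow rules, one per (source, target, class)."""
    return "\n".join(
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(rules.items())
    )


if __name__ == "__main__":
    print(to_cil(parse_denials(SAMPLE_AVC, comm="ipmitool")))
    # -> (allow sysadm_t ipmi_device_t (chr_file (ioctl open read write)))
```

On a live system the CIL text can be saved to a file and loaded with `semodule -i`; grouping by type rather than by path keeps the rule from silently widening to other devices that happen to share the ipmi_device_t label only if you first confirm that label is specific to /dev/ipmi*.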

Comment 1 Zdenek Pytela 2022-11-28 16:04:25 UTC
Commit to backport:
commit d74ec4955e90e4938da7a197438ff5db9704df19 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Nov 28 16:16:06 2022 +0100

    Allow sysadm read ipmi devices

Comment 9 Zdenek Pytela 2023-01-12 10:17:13 UTC
To backport:
commit 650edec42cc5d5bf7d8562eddbadb0efc6f42a24
Author: Zdenek Pytela <zpytela>
Date:   Wed Jan 4 17:36:09 2023 +0100

    Allow sysadm_t read/write ipmi devices

Comment 23 errata-xmlrpc 2023-05-16 09:04:19 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965