Bug 2156155
| Summary: | F36->F37 update messed with libvirt_leasesh and virtlogd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Germano Massullo (Thetra) <germano.massullo> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 37 | CC: | dwalsh, kinghat, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-01-03 10:03:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
on f36 i never received any selinux alerts but after an upgrade to f37 i get them all the time and this is one of them that shows up in the list of many(mostly snap related):
SELinux is preventing libvirt_leasesh from using the execmem access on a process.
***** Plugin allow_execmem (91.4 confidence) suggests *********************
If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that libvirt_leasesh should be allowed execmem access on processes labeled dnsmasq_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirt_leasesh' --raw | audit2allow -M my-libvirtleasesh
# semodule -X 300 -i my-libvirtleasesh.pp
Additional Information:
Source Context system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Objects Unknown [ process ]
Source libvirt_leasesh
Source Path libvirt_leasesh
Port <Unknown>
Host kinghat-thinkpad
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch
Local Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name kinghat-thinkpad
Platform Linux kinghat-thinkpad 6.0.15-300.fc37.x86_64 #1
SMP PREEMPT_DYNAMIC Wed Dec 21 18:33:23 UTC 2022
x86_64 x86_64
Alert Count 8
First Seen 2022-12-13 11:56:47 CST
Last Seen 2022-12-26 11:42:26 CST
Local ID 541a0840-21f2-4db9-a9a1-dfa54addbfb4
Raw Audit Messages
type=AVC msg=audit(1672076546.115:725): avc: denied { execmem } for pid=28915 comm="libvirt_leasesh" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: libvirt_leasesh,dnsmasq_t,dnsmasq_t,process,execmem
Please update to selinux-policy-37.17-1.fc37. *** This bug has been marked as a duplicate of bug 2122918 *** |
Description of problem: After an update from F36 to F37, SELinux is throwing many alerts about libvirt_leasesh and virtlogd. Relabeling the filesystem did not fix the problem Informazioni addizionali: Contesto della sorgente system_u:system_r:virtlogd_t:s0-s0:c0.c1023 Contesto target system_u:system_r:virtlogd_t:s0-s0:c0.c1023 Oggetti target Sconosciuto [ process ] Sorgente virtlogd Percorso della sorgente virtlogd Porta <Sconosciuto> Host machine Sorgente Pacchetti RPM Pacchetti RPM target SELinux Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch Local Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch Selinux abilitato True Tipo di politica targeted Modalità Enforcing Enforcing Host Name machine Piattaforma Linux machine 6.0.14-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Dec 19 17:44:54 UTC 2022 x86_64 x86_64 Conteggio avvisi 2 Primo visto 2022-12-22 17:29:36 CET Ultimo visto 2022-12-24 13:31:26 CET Messaggi Raw Audit type=AVC msg=audit(1671885086.458:444): avc: denied { execmem } for pid=8072 comm="virtlogd" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=process permissive=0 Hash: virtlogd,virtlogd_t,virtlogd_t,process,execmem Informazioni addizionali: Contesto della sorgente system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 Contesto target system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 Oggetti target Sconosciuto [ process ] Sorgente libvirt_leasesh Percorso della sorgente libvirt_leasesh Porta <Sconosciuto> Host machine Sorgente Pacchetti RPM Pacchetti RPM target SELinux Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch Local Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch Selinux abilitato True Tipo di politica targeted Modalità Enforcing Enforcing Host Name machine Piattaforma Linux machine 6.0.14-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Dec 19 17:44:54 UTC 2022 x86_64 x86_64 Conteggio avvisi 340 Primo visto 2022-12-20 16:19:00 CET Ultimo visto 2022-12-24 16:19:40 CET Messaggi Raw Audit type=AVC msg=audit(1671895180.439:649): avc: denied { execmem } for pid=21995 comm="libvirt_leasesh" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tclass=process permissive=0 Hash: libvirt_leasesh,dnsmasq_t,dnsmasq_t,process,execmem