Bug 2164845
| Summary: | SELinux prevents the NM iscsid dispatcher from reading the /proc/cpuinfo file | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jan Stodola <jstodola> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.2 | CC: | lvrabec, mmalik, nknazeko, tbajer, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.2 | Flags: | pm-rhel:
mirror+
|
| Hardware: | aarch64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-38.1.6-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-09 08:17:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2129768 | ||
This is similar to bz#2158746, but for a different plugin: ---- type=PROCTITLE msg=audit(26.1.2023 15:30:09.370:39) : proctitle=/bin/systemctl --no-block reload iscsi.service type=SYSCALL msg=audit(26.1.2023 15:30:09.370:39) : arch=aarch64 syscall=newfstatat success=yes exit=0 a0=0x3 a1=0xffffb5fa3fa0 a2=0xffffd825a1d8 a3=0x1000 items=0 ppid=1091 pid=1095 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null) type=AVC msg=audit(26.1.2023 15:30:09.370:39) : avc: denied { getattr } for pid=1095 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null) type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { open } for pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { read } for pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 ---- *** Bug 2158746 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2483 |
Description of problem: The following AVC appeared in audit.log after the default package set installation on aarch64 in FIPS mode ("fips=1" on the kernel command line): type=AVC msg=audit(1674742919.572:45): avc: denied { read } for pid=1003 comm="systemctl" name="cpuinfo" dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 Version-Release number of selected component (if applicable): RHEL-9.2.0-20230125.12 selinux-policy-38.1.4-1.el9 How reproducible: Always on aach64 Steps to Reproduce: 1. Run installation on aarch64 with "fips=1" on the kernel command line. Install the default package set. 2. Check /var/log/audit/audit.log on the installed system. Actual results: AVC denials Expected results: No AVC Additional info: So far reproduced just on aarch64 and only in FIPS mode.