Bug 2175516

Summary: [RHEL 9] avc: denied { search } for pid=21104 comm="rpc.statd" name="net" dev="proc"

Product: Red Hat Enterprise Linux 9
Reporter: Zhi Li <yieli>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: NEW
Resolution: ---
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.2
CC: lvrabec, mmalik, xzhou, yoyang, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Zhi Li 2023-03-05 14:03:29 UTC
Description of problem:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1.8-1.el9.noarch
----
time->Wed Mar  1 08:23:45 2023
type=PROCTITLE msg=audit(1677677025.236:151): proctitle="/usr/sbin/rpc.statd"
type=SYSCALL msg=audit(1677677025.236:151): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc8ff7d990 a2=80100 a3=0 items=0 ppid=1 pid=21104 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1677677025.236:151): avc:  denied  { search } for  pid=21104 comm="rpc.statd" name="net" dev="proc" ino=34064 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
nfs-utils-2.5.4-18.el9.x86_64
selinux-policy-38.1.8-1.el9.noarch


How reproducible:
once


Actual results:
AVC denied

Expected results:
No AVC denied for defined operations

Additional info:
beaker job:
https://beaker.engineering.redhat.com/recipes/13475947#task156886730
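
The three audit records quoted above (PROCTITLE, SYSCALL, AVC) share one audit serial, 1677677025.236:151, and only read as a single event once they are joined. The following Python example is added here and is not part of the bug report or of selinux-policy; it groups the records by serial, extracts the SELinux source/target types, class and permission from the AVC record, decodes the syscall and errno from the SYSCALL record, and prints the raw allow rule that audit2allow would derive from the AVC. The syscall and errno lookup tables are assumptions covering only what the sample needs (arch=c000003e is x86_64, where syscall 257 is openat and exit=-13 is EACCES).

```python
"""Join one SELinux audit event (AVC + SYSCALL + PROCTITLE) and summarize the denial.

Added example, not part of the bug report or of selinux-policy.
"""
import re
from collections import defaultdict

# The audit records quoted in the bug description, copied verbatim.
SAMPLE_EVENT = """\
type=PROCTITLE msg=audit(1677677025.236:151): proctitle="/usr/sbin/rpc.statd"
type=SYSCALL msg=audit(1677677025.236:151): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc8ff7d990 a2=80100 a3=0 items=0 ppid=1 pid=21104 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1677677025.236:151): avc:  denied  { search } for  pid=21104 comm="rpc.statd" name="net" dev="proc" ino=34064 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
"""

# "type=X msg=audit(<seconds>.<ms>:<serial>): <body>"
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# "avc:  denied  { search }" -> result and permission list
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}')

# Assumption: only the entries needed for this sample, for arch=c000003e (x86_64).
SYSCALL_NAMES_X86_64 = {257: "openat"}
ERRNO_NAMES = {-13: "EACCES", -1: "EPERM"}


def parse_record(line):
    """Parse one audit line into a dict, or return None for non-audit text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": int(m.group("serial")), **fields}
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if a:
            rec["result"] = a.group("result")
            rec["perms"] = a.group("perms").split()
    return rec


def group_events(text):
    """Group audit records by serial so AVC and SYSCALL lines of one event land together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(records):
    """Reduce one event's records to the facts a policy reviewer looks at first."""
    by_type = {r["type"]: r for r in records}
    avc = by_type.get("AVC")
    if avc is None or "perms" not in avc:
        return None
    summary = {
        "serial": avc["serial"],
        "result": avc["result"],
        "perms": avc["perms"],
        "comm": avc.get("comm"),
        "target_name": avc.get("name"),
        # the third field of a context is the type, e.g. system_u:system_r:rpcd_t:s0 -> rpcd_t
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        # permissive=0 means the denial was actually enforced
        "enforcing": avc.get("permissive") == "0",
    }
    sc = by_type.get("SYSCALL")
    if sc:
        nr = int(sc["syscall"])
        summary["syscall"] = SYSCALL_NAMES_X86_64.get(nr, f"syscall_{nr}")
        summary["errno"] = ERRNO_NAMES.get(int(sc["exit"]), sc["exit"])
        summary["exe"] = sc.get("exe")
    return summary


def allow_rule(summary):
    """The raw TE rule audit2allow would print for this AVC (a real policy fix normally
    uses an interface from the target module instead of a bare allow rule)."""
    perms = " ".join(summary["perms"])
    return f"allow {summary['source_type']} {summary['target_type']}:{summary['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE_EVENT).items()):
        s = summarize(recs)
        if s:
            print(f"event {serial}: {s}")
            print(allow_rule(s))
```

Feeding the sample through it yields the one-line reading of this bug: rpc.statd running as rpcd_t was denied `search` on a `dir` labelled sysctl_net_t (the `net` directory under /proc/sys) while enforcing, the failing call being openat returning EACCES.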

Comment 1 Milos Malik 2023-03-06 15:22:54 UTC
Found 4 occurrences of the SELinux denial in the beaker job.

Comment 6 Nikola Knazekova 2023-06-14 14:28:40 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1740

Comment 12 Nikola Knazekova 2023-08-01 15:51:38 UTC
Hi,

Can you reproduce the issue in permissive mode with full auditing enabled?

Permissive mode:
# setenforce 0

Full audit:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you

Comment 14 Zhi Li 2023-08-07 09:51:53 UTC
(In reply to Nikola Knazekova from comment #12)
> Hi,
> 
> Can you reproduce the issue in permissive mode with full auditing enabled?
> 
> Permissive mode:
> # setenforce 0
> 
> Full audit:
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> 
> Thank you

The SELinux denial was not reproduced in loose mode with full auditing enabled, but I did not
find a valid trigger step for this problem, and it was not 100% reproducible in my test scenario.

[root@ibm-x3650m4-01-vm-11 ]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>