Bug 2213571

Summary:	selinux is logging a new denial with a new systemd
Product:	[Fedora] Fedora	Reporter:	Jelle van der Waa <jvanderwaa>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	38	CC:	dwalsh, lvrabec, mmalik, msekleta, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	CockpitTest
Fixed In Version:	selinux-policy-38.20-1.fc38	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-07-01 01:45:52 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jelle van der Waa 2023-06-08 15:12:26 UTC

When booting a system with a new systemd an SELinux denial is logged

audit: type=1400 audit(1686228244.891:4): avc:  denied  { audit_control } for  pid=1 comm="systemd" capability=30  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tcl
ass=capability permissive=0

Reproducible: Always

Steps to Reproduce:
1. Boot a machine with fedora-testing enabled



This issue was caught as a new regression by Cockpit CI. Notable package updates where:

  systemd (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-container (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-libs (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-networkd (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-oomd-defaults (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-pam (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-resolved (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-rpm-macros (253.4-1.fc38 -> 253.5-1.fc38)
  systemd-udev (253.4-1.fc38 -> 253.5-1.fc38)
  container-selinux (2:2.216.0-1.fc38 -> 2:2.218.0-1.fc38)

Comment 1 Milos Malik 2023-06-08 18:17:16 UTC

Found in the systemd journal:

Jun 08 14:12:54 fedora kernel: audit: type=1400 audit(1686247974.521:4): avc:  denied  { audit_control } for  pid=1 comm="systemd" capability=30  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0
Jun 08 14:04:59 fedora kernel: audit: type=1400 audit(1686247499.666:4): avc:  denied  { audit_control } for  pid=1 comm="systemd" capability=30  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0

Not present in the audit.log.

Comment 2 Milos Malik 2023-06-08 18:28:54 UTC

# rpm -qa systemd\* selinux-policy\* | sort
selinux-policy-38.15-1.fc38.noarch
selinux-policy-targeted-38.15-1.fc38.noarch
systemd-253.5-1.fc38.x86_64
systemd-container-253.5-1.fc38.x86_64
systemd-libs-253.5-1.fc38.x86_64
systemd-networkd-253.5-1.fc38.x86_64
systemd-oomd-defaults-253.5-1.fc38.noarch
systemd-pam-253.5-1.fc38.x86_64
systemd-resolved-253.5-1.fc38.x86_64
systemd-rpm-macros-253.5-1.fc38.noarch
systemd-udev-253.5-1.fc38.x86_64
#

The SELinux denial should not appear anymore after enabling the init_audit_control boolean:

# sesearch -s init_t -c capability -p audit_control -A
allow init_t init_t:capability audit_control; [ init_audit_control ]:True
# getsebool -a | grep init_audit_control
init_audit_control --> off
#

Comment 3 Milos Malik 2023-06-08 18:32:18 UTC

I can confirm that new SELinux denials do not appear during reboot if the init_audit_control boolean is enabled:

# setsebool -P init_audit_control on

Comment 4 Zdenek Pytela 2023-06-15 07:37:34 UTC

Ondrej,

Systemd probably wants nothing but find out if it is in the initial namespace:

https://github.com/systemd/systemd-stable/commit/4be604e75a38cb0ddbde3f2ade6ae65664fe77be#diff-e026a4ebb58e7e8ce98d24f4046f809063ff019827d92d2f9a0a3dab97ee397eR130
https://github.com/torvalds/linux/blob/master/kernel/audit.c#L1035

Do you think there is more clever way to get that information?

Comment 5 Ondrej Mosnáček 2023-06-16 11:03:49 UTC

Well, they could try to send AUDIT_LIST (or any deprecated/invalid message ID) instead of AUDIT_GET_FEATURE and it should work (they get either EOPNOTSUPP/EINVAL or ECONNREFUSED), though it may not be fully future-proof. I don't know if there is a better way to check specifically if the current process runs in the init userns.

Comment 6 Zdenek Pytela 2023-06-27 16:41:00 UTC

Michale,

This is probably just FYI, I am going to allow the permission in the policy.

Comment 7 Fedora Update System 2023-06-29 16:14:42 UTC

FEDORA-2023-ba070ee6ba has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba

Comment 8 Fedora Update System 2023-06-30 01:40:19 UTC

FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ba070ee6ba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-07-01 01:45:52 UTC

FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.