Bug 2213571
Summary: selinux is logging a new denial with a new systemd
Product: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Triaged
Whiteboard: CockpitTest
Reporter: Jelle van der Waa <jvanderwaa>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, msekleta, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Fixed In Version: selinux-policy-38.20-1.fc38
Doc Type: If docs needed, set a value
Last Closed: 2023-07-01 01:45:52 UTC
Description (Jelle van der Waa, 2023-06-08 15:12:26 UTC)

Found in the systemd journal:

Jun 08 14:12:54 fedora kernel: audit: type=1400 audit(1686247974.521:4): avc: denied { audit_control } for pid=1 comm="systemd" capability=30 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0
Jun 08 14:04:59 fedora kernel: audit: type=1400 audit(1686247499.666:4): avc: denied { audit_control } for pid=1 comm="systemd" capability=30 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0

Not present in the audit.log.

# rpm -qa systemd\* selinux-policy\* | sort
selinux-policy-38.15-1.fc38.noarch
selinux-policy-targeted-38.15-1.fc38.noarch
systemd-253.5-1.fc38.x86_64
systemd-container-253.5-1.fc38.x86_64
systemd-libs-253.5-1.fc38.x86_64
systemd-networkd-253.5-1.fc38.x86_64
systemd-oomd-defaults-253.5-1.fc38.noarch
systemd-pam-253.5-1.fc38.x86_64
systemd-resolved-253.5-1.fc38.x86_64
systemd-rpm-macros-253.5-1.fc38.noarch
systemd-udev-253.5-1.fc38.x86_64


The SELinux denial should not appear anymore after enabling the init_audit_control boolean:

# sesearch -s init_t -c capability -p audit_control -A
allow init_t init_t:capability audit_control; [ init_audit_control ]:True
# getsebool -a | grep init_audit_control
init_audit_control --> off


I can confirm that new SELinux denials do not appear during reboot if the init_audit_control boolean is enabled:

# setsebool -P init_audit_control on


Ondrej,

systemd probably wants nothing but to find out if it is in the initial namespace:
https://github.com/systemd/systemd-stable/commit/4be604e75a38cb0ddbde3f2ade6ae65664fe77be#diff-e026a4ebb58e7e8ce98d24f4046f809063ff019827d92d2f9a0a3dab97ee397eR130
https://github.com/torvalds/linux/blob/master/kernel/audit.c#L1035

Do you think there is a more clever way to get that information?


Well, they could try to send AUDIT_LIST (or any deprecated/invalid message ID) instead of AUDIT_GET_FEATURE and it should work (they get either EOPNOTSUPP/EINVAL or ECONNREFUSED), though it may not be fully future-proof. I don't know if there is a better way to check specifically if the current process runs in the init userns.


Michal,

This is probably just FYI, I am going to allow the permission in the policy.


FEDORA-2023-ba070ee6ba has been submitted as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba


FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ba070ee6ba`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ba070ee6ba
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.


FEDORA-2023-ba070ee6ba has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
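The probe the thread is talking about, as an added example that is neither systemd's nor the kernel's code: it sends one audit netlink request and maps the kernel's reply onto the question "are we in the initial user namespace?". The mapping follows audit_netlink_ok() in kernel/audit.c (the link above): a sender outside the initial user namespace gets -ECONNREFUSED before the message type or any capability is looked at; AUDIT_GET_FEATURE (what systemd sends) then goes through the CAP_AUDIT_CONTROL check, which is exactly the capability=30 AVC in the report; AUDIT_LIST, the deprecated type suggested in the thread, is rejected with -EOPNOTSUPP before any capability is consulted, so it never triggers that check. The function and enum names (audit_probe, audit_build_request, audit_userns_verdict, USERNS_*) are this example's own. The reply-to-verdict table encodes the current kernel ordering, which is the future-proofing caveat raised in the thread.

```c
/* Added example, not systemd's or the kernel's code: probe the audit netlink
 * socket and turn the kernel's reply into a "running in the initial user
 * namespace?" verdict. Names below are this example's own assumptions. */
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/netlink.h>

enum userns_verdict { USERNS_INIT, USERNS_NOT_INIT, USERNS_UNKNOWN };

/* audit_netlink_ok() answers -ECONNREFUSED before looking at the message type
 * or any capability when the sender is outside the initial user namespace.
 * Every other kernel answer means the request was actually examined: 0
 * (accepted), -EPERM (CAP_AUDIT_CONTROL missing or outside the initial pid
 * namespace), -EOPNOTSUPP (deprecated type such as AUDIT_LIST), -EINVAL
 * (unknown type). Anything else is a local failure and proves nothing. */
enum userns_verdict audit_userns_verdict(int err) {
    if (err == -ECONNREFUSED)
        return USERNS_NOT_INIT;
    if (err == 0 || err == -EPERM || err == -EOPNOTSUPP || err == -EINVAL)
        return USERNS_INIT;
    return USERNS_UNKNOWN;
}

/* Payload-less request of the given type. NLM_F_ACK asks for an NLMSG_ERROR
 * reply (error 0) even on success, so a reply carrying an errno always comes. */
struct nlmsghdr audit_build_request(uint16_t type) {
    struct nlmsghdr hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.nlmsg_len = NLMSG_LENGTH(0);
    hdr.nlmsg_type = type;
    hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    return hdr;
}

/* Send one request on a fresh NETLINK_AUDIT socket; return the kernel's answer
 * as 0 or -errno, or -errno from socket()/send() if the probe cannot be sent. */
int audit_probe(uint16_t type) {
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;

    int ret = -EIO;
    struct nlmsghdr req = audit_build_request(type);
    /* No destination: an unconnected netlink socket talks to the kernel (port id 0). */
    if (send(fd, &req, req.nlmsg_len, MSG_NOSIGNAL) < 0) {
        ret = -errno;
        goto out;
    }

    /* The kernel queues its reply synchronously inside send(); poll() only keeps
     * the non-blocking recv() from returning EAGAIN should that ever not hold. */
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    if (poll(&pfd, 1, 1000) <= 0) {
        ret = -ETIMEDOUT;
        goto out;
    }

    unsigned char buf[1024];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n < 0) {
        ret = -errno;
        goto out;
    }
    struct nlmsghdr *rep = (struct nlmsghdr *)buf;
    if (!NLMSG_OK(rep, (size_t)n))
        goto out;                                   /* truncated or malformed reply: -EIO */
    if (rep->nlmsg_type == NLMSG_ERROR) {
        if (rep->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
            goto out;
        ret = ((struct nlmsgerr *)NLMSG_DATA(rep))->error;  /* 0 = ack, else -errno */
    } else {
        ret = 0;   /* a data reply, e.g. the audit_features payload for AUDIT_GET_FEATURE */
    }
out:
    close(fd);
    return ret;
}

int main(void) {
    static const char *names[] = { "initial userns", "not the initial userns", "unknown" };
    /* AUDIT_GET_FEATURE reaches the CAP_AUDIT_CONTROL check (the AVC in the report);
     * AUDIT_LIST is refused with -EOPNOTSUPP before any capability is consulted. */
    uint16_t types[] = { AUDIT_GET_FEATURE, AUDIT_LIST };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        int err = audit_probe(types[i]);
        printf("type %u: reply %d (%s) -> %s\n", (unsigned)types[i], err,
               err ? strerror(-err) : "ok", names[audit_userns_verdict(err)]);
    }
    return 0;
}
```

Run it as root on the host and AUDIT_GET_FEATURE answers 0 while AUDIT_LIST answers EOPNOTSUPP, both classified as the initial user namespace; inside a user namespace both answer ECONNREFUSED. Run it as an unprivileged user and AUDIT_GET_FEATURE answers EPERM: the kernel consulted CAP_AUDIT_CONTROL and, under a confining SELinux domain, that consultation is what produces the audit_control AVC even though the caller discards everything but the errno. The AUDIT_LIST probe never reaches that check.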