Bug 2223894

Summary: SELinux denials appear during the start of ipa-dnskeysyncd or ipa-ods-exporter services
Product: Fedora
Reporter: Milos Malik <mmalik>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 39
CC: abokovoy, ftrivino, ipa-maint, jhrozek, mhjacks, pvoborni, rcritten, ssorce, twoerner
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Documentation: ---
Category: ---

Description Milos Malik 2023-07-19 08:26:58 UTC
freeipa-client-4.10.2-1.fc39.2.x86_64
freeipa-client-common-4.10.2-1.fc39.2.noarch
freeipa-common-4.10.2-1.fc39.2.noarch
freeipa-healthcheck-core-0.12-5.fc39.noarch
freeipa-selinux-4.10.2-1.fc39.2.noarch
freeipa-server-4.10.2-1.fc39.2.x86_64
freeipa-server-common-4.10.2-1.fc39.2.noarch
freeipa-server-dns-4.10.2-1.fc39.2.noarch


Reproducible: Always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the ipa-dnskeysyncd service (the attempt may not succeed)
3. start the ipa-ods-exporter service (the attempt may not succeed)
4. search for SELinux denials
Actual Results:  
----
type=PROCTITLE msg=audit(07/19/2023 04:22:49.595:1272) : proctitle=/usr/bin/python3 -I /usr/libexec/ipa/ipa-ods-exporter 
type=PATH msg=audit(07/19/2023 04:22:49.595:1272) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/19/2023 04:22:49.595:1272) : cwd=/ 
type=SYSCALL msg=audit(07/19/2023 04:22:49.595:1272) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f870a7a8a20 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=7516 auid=unset uid=ods gid=ods euid=ods suid=ods fsuid=ods egid=ods sgid=ods fsgid=ods tty=(none) ses=unset comm=ipa-ods-exporte exe=/usr/bin/python3.12 subj=system_u:system_r:ipa_ods_exporter_t:s0 key=(null) 
type=AVC msg=audit(07/19/2023 04:22:49.595:1272) : avc:  denied  { read } for  pid=7516 comm=ipa-ods-exporte name=possible dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(07/19/2023 04:22:49.596:1273) : proctitle=/usr/bin/python3 -I /usr/libexec/ipa/ipa-ods-exporter 
type=PATH msg=audit(07/19/2023 04:22:49.596:1273) : item=0 name=/proc/stat inode=4026532026 dev=00:14 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/19/2023 04:22:49.596:1273) : cwd=/ 
type=SYSCALL msg=audit(07/19/2023 04:22:49.596:1273) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f870a7a2a17 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=7516 auid=unset uid=ods gid=ods euid=ods suid=ods fsuid=ods egid=ods sgid=ods fsgid=ods tty=(none) ses=unset comm=ipa-ods-exporte exe=/usr/bin/python3.12 subj=system_u:system_r:ipa_ods_exporter_t:s0 key=(null) 
type=AVC msg=audit(07/19/2023 04:22:49.596:1273) : avc:  denied  { read } for  pid=7516 comm=ipa-ods-exporte name=stat dev="proc" ino=4026532026 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(07/19/2023 04:22:51.842:1278) : proctitle=/usr/bin/python3 -I /usr/libexec/ipa/ipa-dnskeysyncd 
type=PATH msg=audit(07/19/2023 04:22:51.842:1278) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/19/2023 04:22:51.842:1278) : cwd=/ 
type=SYSCALL msg=audit(07/19/2023 04:22:51.842:1278) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7eff381a8a20 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=7522 auid=unset uid=ods gid=named euid=ods suid=ods fsuid=ods egid=named sgid=named fsgid=named tty=(none) ses=unset comm=ipa-dnskeysyncd exe=/usr/bin/python3.12 subj=system_u:system_r:ipa_dnskey_t:s0 key=(null) 
type=AVC msg=audit(07/19/2023 04:22:51.842:1278) : avc:  denied  { read } for  pid=7522 comm=ipa-dnskeysyncd name=possible dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----

Expected Results:  
no SELinux denials

When full auditing is enabled, SELinux denials contain the "type=PATH" records which show the accessed files:
 * https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Comment 1 Milos Malik 2023-07-19 08:33:01 UTC
I'm guessing that glibc functions try to access the files:

# ldd /usr/bin/python3.12
	linux-vdso.so.1 (0x00007ffc4edb6000)
	libpython3.12.so.1.0 => /lib64/libpython3.12.so.1.0 (0x00007fb55dc00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fb55d800000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fb55e347000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fb55e436000)
# strings /lib64/libc.so.6 | grep possible
I/O possible
Operation not possible due to RF-kill
/sys/devices/system/cpu/possible
# strings /lib64/libc.so.6 | grep /proc/
/proc/se
/proc/self/maps
/proc/self/task/%u/comm
/proc/self/fd
/proc/mounts
/proc/sys/kernel/rtsig-max
/proc/sys/kernel/ngroups_max
/proc/stat
/proc/self/fd/
/proc/meminfo
/proc/self/loginuid
/proc/sys/vm/overcommit_memory
#
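
The denials above are the kind a triager distils into a minimal policy change before filing or, as a stop-gap, before loading a local module. As an added example (not part of this bug report, nor code from freeipa or selinux-policy), the POSIX shell script below extracts the source type, target type, class and permission from each AVC record, deduplicates them into allow rules, and wraps the rules in the `.te` source that checkmodule/semodule_package accept. SAMPLE_AVCS is constructed from the three AVC lines quoted in the report; the module name local_ipa_sysinfo is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not code from the bug report or from freeipa/selinux-policy.
# Distil raw AVC records into allow rules and a checkmodule-style .te source.

# Constructed from the three AVC lines quoted in the report.
SAMPLE_AVCS='type=AVC msg=audit(07/19/2023 04:22:49.595:1272) : avc:  denied  { read } for  pid=7516 comm=ipa-ods-exporte name=possible dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/19/2023 04:22:49.596:1273) : avc:  denied  { read } for  pid=7516 comm=ipa-ods-exporte name=stat dev="proc" ino=4026532026 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/19/2023 04:22:51.842:1278) : avc:  denied  { read } for  pid=7522 comm=ipa-dnskeysyncd name=possible dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0'

# avc_to_rules: read audit records on stdin, keep only AVC denials, and print
# one deduplicated "allow <src_type> <tgt_type>:<class> { perms };" per denial.
# The type is the third colon-separated field of scontext/tcontext, so the
# user and role parts of the context are ignored, as policy rules require.
avc_to_rules() {
    grep 'avc:  *denied' |
    sed -n 's/.*{ *\([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1 };/p' |
    sort -u
}

# rules_to_te: wrap allow rules (stdin) into a .te source for checkmodule:
# module header, a require block listing every type and every class with the
# union of permissions requested on it, then the rules themselves.
# Build with: checkmodule -M -m -o m.mod m.te && semodule_package -o m.pp -m m.mod
rules_to_te() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # every source and target type referenced by a rule
    printf '%s\n' "$rules" | awk '{ t=$3; sub(/:.*/, "", t); print $2; print t }' |
        sort -u | sed 's/.*/    type &;/'
    # every class, with the union of permissions requested on it
    printf '%s\n' "$rules" | awk '{
        c=$3; sub(/.*:/, "", c)
        p=$0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
        n=split(p, a, " ")
        for (i=1; i<=n; i++) if (!((c, a[i]) in seen)) { seen[c, a[i]]=1; perms[c]=perms[c] " " a[i] }
    } END { for (c in perms) printf "    class %s {%s };\n", c, perms[c] }' | sort
    printf '}\n\n%s\n' "$rules"
}

# Real usage: ausearch -m AVC -ts recent | avc_to_rules | rules_to_te local_ipa_sysinfo
# Here the constructed sample is fed through instead.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_rules | rules_to_te local_ipa_sysinfo
```

On the sample this yields three rules: read on sysfs_t files for ipa_ods_exporter_t and ipa_dnskey_t, and read on proc_t files for ipa_ods_exporter_t, which matches the paths in the PATH records (/sys/devices/system/cpu/possible and /proc/stat). A raw allow rule like this is only a local workaround; in refpolicy-derived policy such as Fedora's, the same accesses are normally granted through the dev_read_sysfs() and kernel_read_system_state() interfaces on the two domains, and the durable fix is the upstream policy change referenced in the comments below.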

Comment 2 Alexander Bokovoy 2023-07-19 08:34:18 UTC
Upstream issue: https://pagure.io/freeipa/issue/9386

Comment 3 Alexander Bokovoy 2023-07-19 08:35:10 UTC
This is the same as https://github.com/fedora-selinux/selinux-policy/pull/1260; we figured out the reason a couple of months ago but most people were on PTO.

Comment 4 Fedora Release Engineering 2023-08-16 08:13:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.