Bug 2224352

Summary: named AVCs in Fedora OpenQA tests
Product: Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Hardware: Unspecified
OS: Linux
Last Closed: 2023-07-20 15:16:04 UTC

Description Alexander Bokovoy 2023-07-20 13:55:22 UTC
Running FreeIPA OpenQA tests, I see new AVCs with the DNS server that haven't been there before. This is visible with tests in the https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76 update, for example.

https://openqa.fedoraproject.org/tests/2024112/logfile?filename=_console_avc_crash-avcs.txt contains the full list of AVCs. Some of those are already known and will be fixed in the FreeIPA SELinux policy, but the named ones have to be fixed in the main SELinux policy.

Reproducible: Always

time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2011): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2012): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.087:2239): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.087:2240): avc:  denied  { sqpoll } for  pid=9623 comm="rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.090:2241): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
time->Thu Jul 20 08:28:41 2023
type=AVC msg=audit(1689856121.389:101): avc:  denied  { sqpoll } for  pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:28:41 2023
type=AVC msg=audit(1689856121.389:102): avc:  denied  { sqpoll } for  pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
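
As an added example (not from this bug or the selinux-policy project), a small Python parser that collapses the AVC records above into the unique (source type, target type, class) denials and renders each in the allow-rule shape audit2allow prints, so a maintainer can see at a glance which domain and object class each needs a policy change in; the sample records are copied from the lines quoted in this bug.

```python
import re
# Constructed sample: the four distinct AVC records quoted in this bug
# (named_t io_uring denial reported twice, ndc_t capability and io_uring once each).
SAMPLE_AVCS = """\
type=AVC msg=audit(1689854804.286:2011): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1689854804.286:2012): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1689855359.087:2239): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1689855359.087:2240): avc:  denied  { sqpoll } for  pid=9623 comm="rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
"""
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit AVC record; return None for lines that are not AVCs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; policy rules are keyed on the type.
    return {
        'result': m.group('result'),
        'perms': frozenset(m.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def summarize_denials(text):
    """Collapse repeated denials into {(stype, ttype, tclass): {'perms', 'count'}}."""
    summary = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'count': 0})
        entry['perms'] |= rec['perms']
        entry['count'] += 1
    return summary

def rule_candidates(summary):
    """Render each unique denial as audit2allow would; review input, not rules to apply as-is."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        perms = sorted(entry['perms'])
        plist = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f"allow {stype} {target}:{tclass} {plist};  # {entry['count']} denial(s)")
    return rules
```

Each candidate still has to be judged by the policy maintainer: the io_uring and capability denials here belong to different domains (named_t, ndc_t) and may be better served by a boolean or a narrower rule than a blanket allow.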

Comment 1 Milos Malik 2023-07-20 14:03:42 UTC
Based on the SELinux denials shown in comment#0, I believe this BZ is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2223725.

Comment 2 Alexander Bokovoy 2023-07-20 14:10:45 UTC
Thank you, Milos. I didn't check whether those were already reported.

However, this is in F38, not Rawhide.

Comment 3 Zdenek Pytela 2023-07-20 15:16:04 UTC

*** This bug has been marked as a duplicate of bug 2223725 ***