Bug 2231861

Summary:	SELinux Policy sets selinuxuser_execmod=off on ppc64le
Product:	Red Hat Enterprise Linux 9	Reporter:	Jeremy Poulin <jpoulin>
Component:	selinux-policy	Assignee:	Daniel Walsh <dwalsh>
Status:	NEW ---	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	9.2	CC:	lvrabec, mmalik, mtarsel, zpytela
Target Milestone:	rc
Target Release:	---
Hardware:	ppc64le
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jeremy Poulin 2023-08-14 13:30:00 UTC

Description of problem:
selinux-policy seems to set selinuxuser_execmod=off by default on Power systems

This results in issues when running OpenShift with privileged pods.

sh-5.1# rpm -q container-selinux
container-selinux-2.219.0-1.rhaos4.13.el9.noarch
sh-5.1# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -i | audit2allow


#============= spc_t ==============

#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
allow spc_t container_ro_file_t:file execmod;

See https://bugzilla.redhat.com/show_bug.cgi?id=2230462 for the error in the package consumed by OpenShift.

Version-Release number of selected component (if applicable):


How reproducible:
We've been running openshift-tests on Power systems with the latest builds of RHCOS.

Steps to Reproduce:
1. Deploy openshift
2. Run openShift tests
3. Audit results for selinux denials

Actual results:

sh-5.1# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -i | audit2allow


#============= spc_t ==============

#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
allow spc_t container_ro_file_t:file execmod;

Expected results:
No errors


Additional info:
This seems only to be set off on Power. Other architectures are able to run privileged containers without issue.

Comment 1 Jeremy Poulin 2023-08-14 13:35:03 UTC

As an aside - Dan provided a full list of differences between the architecture defaults (between x86_64 and ppc64le)

x86 settings
selinuxuser_direct_dri_enabled --> on
selinuxuser_execheap --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
selinuxuser_mysql_connect_enabled --> off
selinuxuser_ping --> on
selinuxuser_postgresql_connect_enabled --> off
selinuxuser_rw_noexattrfile --> on
selinuxuser_share_music --> off
selinuxuser_tcp_server --> off
selinuxuser_udp_server --> off
selinuxuser_use_ssh_chroot --> off

(See https://redhat-internal.slack.com/archives/C017UFPQA4X/p1692019449004529?thread_ts=1690991302.943759&cid=C017UFPQA4X)

Not sure if any of these should be set for power as well.