Bug 2265391

Summary: SELinux is preventing sulogin from using the 'checkpoint_restore' capabilities.
Product: Fedora
Reporter: Dirk Gottschalk <dirk.gottschalk1980>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: low
Version: 39
CC: amessina, daltonminer, dirk.gottschalk1980, dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:cf16d801ac72f30813c355191c6942dffc466411ee5aafdf487c747ced402dfd;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-39.6-1.fc39
Doc Type: If docs needed, set a value
Last Closed: 2024-05-10 01:04:35 UTC
Attachments: description, os_info

Description Dirk Gottschalk 2024-02-21 20:23:50 UTC
Description of problem:
SELinux is preventing sulogin from using the 'checkpoint_restore' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sulogin should have the checkpoint_restore capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sulogin' --raw | audit2allow -M my-sulogin
# semodule -X 300 -i my-sulogin.pp

Additional Information:
Source Context                system_u:system_r:sulogin_t:s0-s0:c0.c1023
Target Context                system_u:system_r:sulogin_t:s0-s0:c0.c1023
Target Objects                Unbekannt [ capability2 ]
Source                        sulogin
Source Path                   sulogin
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-39.4-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.4-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.7.4-200.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Feb 5 22:21:14 UTC 2024 x86_64
Alert Count                   3
First Seen                    2024-02-14 00:28:06 CET
Last Seen                     2024-02-21 13:33:10 CET
Local ID                      39fe8ca8-fb67-4918-8161-8f776d4ce138

Raw Audit Messages
type=AVC msg=audit(1708518790.257:1208): avc:  denied  { checkpoint_restore } for  pid=220682 comm="sulogin" capability=40  scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: sulogin,sulogin_t,sulogin_t,capability2,checkpoint_restore

Version-Release number of selected component:
selinux-policy-targeted-39.4-1.fc39.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing sulogin from using the 'checkpoint_restore' capabilities.
package:        selinux-policy-targeted-39.4-1.fc39.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.7.4-200.fc39.x86_64
component:      selinux-policy

Comment 1 Dirk Gottschalk 2024-02-21 20:23:53 UTC
Created attachment 2018036 [details]
File: description

Comment 2 Dirk Gottschalk 2024-02-21 20:23:54 UTC
Created attachment 2018037 [details]
File: os_info

Comment 3 Zdenek Pytela 2024-02-22 10:10:01 UTC
Dirk,

Do you know when this issue appears?

Comment 4 Dirk Gottschalk 2024-02-26 11:27:10 UTC
Unfortunately I can't. It could have been triggered by using sudo, I guess.

It is a FreeIPA client, if this helps.

Comment 5 Zdenek Pytela 2024-02-26 13:35:50 UTC
I was unable to reproduce this issue with our freeipa test.

However, sulogin is used when the system fails to boot regularly and requests root's password to proceed - wasn't it this case?
Did it work successfully afterwards?

Comment 6 Dirk Gottschalk 2024-02-26 22:18:54 UTC
Yes, right, I had a filesystem problem and was able to repair it using the emergency shell.

Comment 7 Zdenek Pytela 2024-02-27 15:23:21 UTC
(In reply to Dirk Gottschalk from comment #6)
> Yes, right, I had a filesystem problem and was able to repair ist using the
> emergency shell.

OK, so did the rescuing go well and the only thing you are concerned with is this denial?

Comment 8 Milos Malik 2024-03-22 11:34:32 UTC
Test coverage for this bug exists in a form of PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/483

The PR waits for a review.

Comment 9 Milos Malik 2024-03-22 11:51:31 UTC
Steps to Reproduce before applying any bug fix:
# service rescue start
# service rescue stop

SELinux denials caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/22/2024 07:49:15.117:336) : proctitle=/usr/sbin/sulogin 
type=SYSCALL msg=audit(03/22/2024 07:49:15.117:336) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x5457 a2=0x7ffddf7ec870 a3=0x8 items=0 ppid=1427 pid=1428 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/22/2024 07:49:15.117:336) : avc:  denied  { checkpoint_restore } for  pid=1428 comm=sulogin capability=checkpoint_restore  scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 
----
type=PROCTITLE msg=audit(03/22/2024 07:49:20.034:337) : proctitle=/usr/sbin/sulogin 
type=PATH msg=audit(03/22/2024 07:49:20.034:337) : item=0 name=(null) inode=20 dev=00:05 mode=character,620 ouid=root ogid=tty rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/22/2024 07:49:20.034:337) : cwd=/root 
type=SYSCALL msg=audit(03/22/2024 07:49:20.034:337) : arch=x86_64 syscall=fsetxattr success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7f0dbd81c197 a2=0x55762fa45f60 a3=0x22 items=1 ppid=1427 pid=1428 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/22/2024 07:49:20.034:337) : avc:  denied  { relabelfrom } for  pid=1428 comm=sulogin name=tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 
----

SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(03/22/2024 07:50:31.556:342) : proctitle=/usr/sbin/sulogin 
type=SYSCALL msg=audit(03/22/2024 07:50:31.556:342) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x5457 a2=0x7ffe2c4d7d50 a3=0x8 items=0 ppid=1447 pid=1448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/22/2024 07:50:31.556:342) : avc:  denied  { checkpoint_restore } for  pid=1448 comm=sulogin capability=checkpoint_restore  scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=1 
----
type=PROCTITLE msg=audit(03/22/2024 07:50:38.458:343) : proctitle=/usr/sbin/sulogin 
type=PATH msg=audit(03/22/2024 07:50:38.458:343) : item=0 name=(null) inode=20 dev=00:05 mode=character,620 ouid=root ogid=tty rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/22/2024 07:50:38.458:343) : cwd=/root 
type=SYSCALL msg=audit(03/22/2024 07:50:38.458:343) : arch=x86_64 syscall=fsetxattr success=yes exit=0 a0=0x3 a1=0x7f9e30a19197 a2=0x55fab9038f60 a3=0x22 items=1 ppid=1 pid=1448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/22/2024 07:50:38.458:343) : avc:  denied  { relabelto } for  pid=1448 comm=sulogin name=tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1 
type=AVC msg=audit(03/22/2024 07:50:38.458:343) : avc:  denied  { relabelfrom } for  pid=1448 comm=sulogin name=tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1 
----
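The two audit sets above show why capturing a permissive-mode run matters before writing a local module: in enforcing mode the first denial (relabelfrom) aborts the fsetxattr call, so relabelto is never requested and never logged. As an added illustration (not part of the bug report or of the selinux-policy fix), this script parses the AVC records from comment 9 (sample constructed from those lines, trimmed to the relevant fields) into grouped allow rules the way audit2allow would, and lists the permissions the enforcing-mode log hides.

```python
import re

# Sample input, constructed from the AVC records in comment 9 (dev/ino fields trimmed).
ENFORCING_AVCS = """\
avc:  denied  { checkpoint_restore } for  pid=1428 comm=sulogin capability=checkpoint_restore  scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
avc:  denied  { relabelfrom } for  pid=1428 comm=sulogin name=tty1 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
"""
PERMISSIVE_AVCS = """\
avc:  denied  { checkpoint_restore } for  pid=1448 comm=sulogin capability=checkpoint_restore  scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
avc:  denied  { relabelto } for  pid=1448 comm=sulogin name=tty1 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
avc:  denied  { relabelfrom } for  pid=1448 comm=sulogin name=tty1 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type:range -> type (the part a TE rule refers to)."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def to_te_rules(rules):
    """Render the grouped denials as TE allow rules, using 'self' when source == target."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {plist};")
    return out

def missing_in_enforcing(enforcing, permissive):
    """Permissions seen only in the permissive run: in enforcing mode the first denied
    step (relabelfrom) aborts the fsetxattr, so relabelto is never even requested."""
    return {k: p - enforcing.get(k, set()) for k, p in permissive.items()
            if p - enforcing.get(k, set())}

if __name__ == "__main__":
    enf, perm = parse_denials(ENFORCING_AVCS), parse_denials(PERMISSIVE_AVCS)
    print("\n".join(to_te_rules(perm)))
    print("hidden by enforcing mode:", missing_in_enforcing(enf, perm))
```

A module built only from the enforcing-mode log would still fail on relabelto after installation; the permissive run is what makes the generated rules complete.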

Comment 10 Fedora Update System 2024-04-24 12:09:38 UTC
FEDORA-2024-98cd1ec226 (selinux-policy-39.6-1.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-98cd1ec226

Comment 11 Fedora Update System 2024-04-25 02:21:47 UTC
FEDORA-2024-98cd1ec226 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-98cd1ec226`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-98cd1ec226

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2024-05-10 01:04:35 UTC
FEDORA-2024-98cd1ec226 (selinux-policy-39.6-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.