Bug 2275266
| Summary: | avc: denied { getattr } for pid=79656 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=17705170 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bruno Goncalves <bgoncalv> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | amessina, dwalsh, knazekovan, lvrabec, mikhail.v.gavrilov, mmalik, nixuser, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-04-26 10:40:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
and example with audit enabled:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-40.16-1.fc41.noarch
----
time->Mon Apr 15 10:18:34 2024
type=PROCTITLE msg=audit(1713190714.691:152): proctitle=2F7573722F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73656C696E75782D6175746F72656C6162656C2D67656E657261746F722E7368002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E
type=SYSCALL msg=audit(1713190714.691:152): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffee5903f70 a2=7f4739d77ea0 a3=0 items=0 ppid=2121 pid=2124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux-autorel" exe="/usr/bin/bash" subj=system_u:system_r:selinux_autorelabel_generator_t:s0 key=(null)
type=AVC msg=audit(1713190714.691:152): avc: denied { getattr } for pid=2124 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Mon Apr 15 10:18:44 2024
type=PROCTITLE msg=audit(1713190724.117:246): proctitle=2F7573722F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73656C696E75782D6175746F72656C6162656C2D67656E657261746F722E7368002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E
type=SYSCALL msg=audit(1713190724.117:246): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc17cce920 a2=7f428f21dea0 a3=0 items=0 ppid=2786 pid=2789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux-autorel" exe="/usr/bin/bash" subj=system_u:system_r:selinux_autorelabel_generator_t:s0 key=(null)
type=AVC msg=audit(1713190724.117:246): avc: denied { getattr } for pid=2789 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Thanks for the report. This issue does not manifest in enforcing mode though. (In reply to Bruno Goncalves from comment #0) > The following avc denials shows often during our tests: > > avc: denied { getattr } for pid=79656 comm="selinux-autorel" > path="/etc/passwd" dev="dm-0" ino=17705170 > scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 > tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 > > > Reproducible: Always > > Steps to Reproduce: > 1.I'm not sure exactly how to reproduce it, but we have been hitting this > often It should be as easy as systemctl daemon-reload This is the current state: f41# sesearch -A --dontaudit -s selinux_autorelabel_generator_t -t passwd_file_t -c file ... dontaudit selinux_autorelabel_generator_t passwd_file_t:file { open read }; The confined generator was tested only in enforcing mode. *** Bug 2276240 has been marked as a duplicate of this bug. *** *** Bug 2275863 has been marked as a duplicate of this bug. *** |
The following avc denials shows often during our tests: avc: denied { getattr } for pid=79656 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=17705170 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 Reproducible: Always Steps to Reproduce: 1.I'm not sure exactly how to reproduce it, but we have been hitting this often example: https://datawarehouse.cki-project.org/kcidb/tests/12048573 test source: https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/tree/main/stress/stress-ng?ref_type=heads But it affects multiple tests that we run: https://datawarehouse.cki-project.org/issue/2656#tests