Bug 2415644
| Summary: | access to /proc/sysinfo blocked for systemd-ssh-iss | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dan Horák <dan> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Hardware: | s390x | ||
| OS: | Linux | ||
| Last Closed: | 2025-11-20 18:38:33 UTC | Type: | --- |
setting as "High" as it blocks Testing Farm from using s390x systems in beaker

FYI the domain is permissive which means no action is actually denied

(In reply to Zdenek Pytela from comment #2)
> FYI the domain is permissive which means no action is actually denied

ah, right, so the 10_avc_check in beaker should be updated as well, so it won't fail on messages like this

Thanks, no more AVCs with selinux-policy-42.16-1.fc44.noarch
Looks like the policy is blocking access to the /proc/sysinfo file which is specific to s390x for the systemd-ssh-issue process.

```
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc: denied { read } for pid=815 comm="systemd-ssh-iss" name="sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc: denied { open } for pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc: denied { getattr } for pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc: denied { ioctl } for pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 ioctlcmd=0x542a scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
```

At least F-43 and Rawhide are affected, haven't checked F<43 yet.

Likely related to 2399623 and 2391966

Reproducible: Always
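
An added example (not part of the bug report and not Beaker's 10_avc_check code): one way a log check could handle the distinction raised in comments #2 and #3, failing only on denials that were enforced while still collecting `permissive=1` records as the rule a policy fix would need to cover. The third sample record and all function names are constructed for illustration.

```python
import re

# Constructed sample: two records copied from this report (timestamp and host
# dropped) plus one hypothetical enforced denial that is NOT from the report.
_SYSINFO = ('dev="proc" ino=4026531943 scontext=system_u:system_r:%s:s0 '
            'tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=%d')
SAMPLE_LOG = "\n".join([
    'audit[815]: AVC avc: denied { read } for pid=815 comm="systemd-ssh-iss" '
    'name="sysinfo" ' + _SYSINFO % ("systemd_ssh_issue_t", 1),
    'audit[815]: AVC avc: denied { open } for pid=815 comm="systemd-ssh-iss" '
    'path="/proc/sysinfo" ' + _SYSINFO % ("systemd_ssh_issue_t", 1),
    'audit[900]: AVC avc: denied { read } for pid=900 comm="example" '
    'name="sysinfo" ' + _SYSINFO % ("example_t", 0),  # hypothetical
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _setype(context):
    # user:role:type:level -> type; empty string if the context is malformed
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    rec["source_type"] = _setype(rec.get("scontext", ""))
    rec["target_type"] = _setype(rec.get("tcontext", ""))
    return rec

def classify(log_text):
    """Split denials into enforced records and logged-only (permissive=1) rules."""
    enforced, logged_only = [], {}
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if rec.get("permissive") == "1":
            key = (rec["source_type"], rec["target_type"], rec.get("tclass", ""))
            logged_only.setdefault(key, set()).update(rec["perms"])
        else:  # permissive=0, or field absent: treat as a real denial
            enforced.append(rec)
    return enforced, logged_only

def check_passes(log_text):
    """Fail the check only when some access was actually blocked."""
    return not classify(log_text)[0]
```

Treating a record with no `permissive=` field as enforced is a fail-safe choice made for this example.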