Bug 2415644

Summary: access to /proc/sysinfo blocked for systemd-ssh-iss
Product: Fedora
Reporter: Dan Horák <dan>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: medium
Version: rawhide
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: s390x
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2025-11-20 18:38:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dan Horák 2025-11-18 15:54:48 UTC
Looks like the policy is blocking access to the /proc/sysinfo file which is specific to s390x for the systemd-ssh-issue process.

Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { read } for  pid=815 comm="systemd-ssh-iss" name="sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { open } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { getattr } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { ioctl } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 ioctlcmd=0x542a scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1

At least F-43 and Rawhide are affected, haven't checked F<43 yet.

Likely related to 2399623 and 2391966

Reproducible: Always

Comment 1 Dan Horák 2025-11-18 15:58:10 UTC
setting as "High" as it blocks Testing Farm from using s390x systems in beaker

Comment 2 Zdenek Pytela 2025-11-18 18:03:46 UTC
FYI the domain is permissive which means no action is actually denied

Comment 3 Dan Horák 2025-11-18 18:16:15 UTC
(In reply to Zdenek Pytela from comment #2)
> FYI the domain is permissive which means no action is actually denied

ah, right, so the 10_avc_check in beaker should be updated as well, so it won't fail on messages like this

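The point raised in comments 2 and 3 is that an AVC record with permissive=1 means the domain is permissive, so the access was logged but not blocked, and a test-harness check that fails on any "denied" line will produce false failures. The following is an added example (not beaker's 10_avc_check and not from selinux-policy) that parses AVC lines, keeps only the denials an enforcing domain would actually have blocked, and summarises the source/target/class and permissions a policy fix would need; the sample lines are constructed from the AVCs in the report above.

```python
import re
from dataclasses import dataclass

# Matches the AVC record body, e.g. 'AVC avc:  denied  { read } for  pid=815 ...'
AVC_RE = re.compile(
    r"AVC avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    result: str    # "denied" or "granted"
    perms: tuple   # permissions inside the braces, e.g. ("read",)
    fields: dict   # key=value pairs: pid, comm, scontext, tcontext, tclass, permissive, ...

    @property
    def permissive(self) -> bool:
        # permissive=1: the domain is permissive, the access was logged but allowed
        return self.fields.get("permissive") == "1"

    @property
    def enforced_denial(self) -> bool:
        return self.result == "denied" and not self.permissive


def parse_avc(line: str):
    """Parse one journal/audit line; return an Avc, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(m.group("result"), tuple(m.group("perms").split()), fields)


def enforced_denials(lines):
    """AVCs that actually blocked an access; permissive-domain AVCs are not failures."""
    return [a for a in map(parse_avc, lines) if a is not None and a.enforced_denial]


def summarize(lines):
    """Group every AVC by (scontext, tcontext, tclass) -> sorted requested permissions."""
    out = {}
    for a in map(parse_avc, lines):
        if a is not None:
            key = (a.fields["scontext"], a.fields["tcontext"], a.fields["tclass"])
            out.setdefault(key, set()).update(a.perms)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample lines modelled on the report's AVCs (permissive domain).
SAMPLE = [
    'audit[815]: AVC avc:  denied  { read } for  pid=815 comm="systemd-ssh-iss" name="sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
    'audit[815]: AVC avc:  denied  { open } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
    'audit[815]: AVC avc:  denied  { getattr } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
    'audit[815]: AVC avc:  denied  { ioctl } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 ioctlcmd=0x542a scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    print("enforced denials:", len(enforced_denials(SAMPLE)))
    for key, perms in summarize(SAMPLE).items():
        print(key, perms)
```

Run against the four lines above it reports zero enforced denials, while the summary still shows the access the policy needs to grant (systemd_ssh_issue_t on sysctl_t files: getattr, ioctl, open, read).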
Comment 4 Dan Horák 2025-11-21 10:53:05 UTC
Thanks, no more AVCs with selinux-policy-42.16-1.fc44.noarch