Bug 1392161 - SELinux is preventing (ostnamed) from 'mounton' accesses on the directory /proc/irq.
Summary: SELinux is preventing (ostnamed) from 'mounton' accesses on the directory /pr...
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b67442336fefc433297f5b63447...
Keywords:
Depends On:
Blocks: F26FinalBlocker
Reported: 2016-11-05 12:42 UTC by Nicolas Mailhot
Modified: 2017-03-04 04:23 UTC (History)
CC List: 17 users
Clone Of:
Last Closed: 2017-03-04 04:23:44 UTC



Description Nicolas Mailhot 2016-11-05 12:42:27 UTC
Description of problem:
SELinux is preventing (ostnamed) from 'mounton' accesses on the directory /proc/irq.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (ostnamed) should be allowed mounton access on the irq directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:sysctl_irq_t:s0
Target Objects                /proc/irq [ dir ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-222.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-1.fc26.x86_64 #1 SMP Mon Oct 3 14:09:56 UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-11-04 19:15:31 CET
Last Seen                     2016-11-04 22:00:41 CET
Local ID                      e515b0ae-36d7-4120-9a82-cd045650911e

Raw Audit Messages
type=AVC msg=audit(1478293241.618:1111): avc:  denied  { mounton } for  pid=4004 comm="(-localed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0


Hash: (ostnamed),init_t,sysctl_irq_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-222.fc26.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-1.fc26.x86_64
type:           libreport

Comment 1 Geoffrey Marr 2017-01-10 21:02:31 UTC
Description of problem:
Installed Fedora-Workstation-Live-x86_64-Rawhide-20170110.n.0.iso. As soon as the system booted the first time, was issued this SELinux denial alert.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git0.1.fc26.x86_64
type:           libreport

Comment 2 Fedora Blocker Bugs Application 2017-01-10 22:50:46 UTC
Proposed as a Blocker for 26-final by Fedora user coremodule using the blocker tracking app because:

 This bug violates the following F26 Final criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Comment 3 Fnoob 2017-01-11 05:58:21 UTC
Description of problem:
Updated Rawhide 26.  AVC regarding truncated 'ostnamed' after logging in.  Duplicate of 1392161.  Looks like 1361809 , 1367292 .  Last comment on 1367292 said "If problems still persist, please make note of it in this bug report."

Version-Release number of selected component:
selinux-policy-3.13.1-231.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc2.git4.1.fc26.x86_64
type:           libreport

Comment 4 Lukas Slebodnik 2017-01-13 13:03:40 UTC
And attached audit log with permissive mode

type=AVC msg=audit(1484227039.425:11726): avc:  denied  { mounton } for  pid=19024 comm="(ostnamed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1484227039.425:11727): avc:  denied  { mounton } for  pid=19024 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1484227039.463:11728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 5 Adam Williamson 2017-01-15 21:33:32 UTC
Nearly every openQA test is running into this in recent composes. +1 blocker.

Comment 6 Stephen Gallagher 2017-01-16 13:06:26 UTC
+1 blocker

Comment 7 Kamil Páral 2017-01-16 15:13:30 UTC
Description of problem:
Simply booted a freshly installed Rawhide VM and logged in.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git4.1.fc26.x86_64
type:           libreport

Comment 8 Michal Sekletar 2017-01-17 13:59:48 UTC
AVC is generated because systemd-hostnamed.service has option ProtectKernelTunables set to yes. If this option is enabled for the service then systemd will disable sysctl syscall by installing seccomp filter. Also the service will be spawned in its own mount namespace where some filesystem paths that are otherwise writable by root will become read-only. This is done by recursively bind mounting those paths into the same locations and then remounting bind mounts as read-only.

If you want to get rid of AVC then either allow systemd to do remounting or remove ProtectKernelTunables=yes from systemd-hostnamed.service. Note that localed, resolved, timesyncd and timedated unit files also contain ProtectKernelTunables=yes option.

I think it would make sense to adjust our SELinux policy because otherwise services can't take full advantage of this new systemd security feature.
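
The catchall suggestion in the description (ausearch | audit2allow, then semodule -i) and the explanation in comment 8 are easier to act on with a small triage script. The following is an added example, not code from the bug report, from selinux-policy or from systemd. It parses raw AVC records like those pasted in the description and in comment 4, attributes each denial to the unit named in the SERVICE_START record that pid 1 logs right afterwards (the comm field is truncated to "(ostnamed)" and the forked child's pid never appears in the SERVICE_START record, so timing is the only usable link), checks whether the denied path is one that ProtectKernelTunables= makes read-only, and prints the type-enforcement rule that audit2allow -M would build so it can be reviewed before anyone runs semodule -i. Assumptions: the protected-path list beyond /proc/irq and /proc/mtrr is recalled from the namespace.c table linked in comment 13 and must be checked against that file; the one-second correlation window, the module name and the sample audit text (copied from this report) are choices made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Paths systemd bind-mounts read-only into the service's private mount namespace
# for ProtectKernelTunables=yes.  /proc/irq and /proc/mtrr are confirmed by the
# AVCs in this report; the others are ASSUMED from memory of the table in
# src/core/namespace.c (early 2017) and must be checked against that file.
PROTECT_KERNEL_TUNABLES = (
    "/proc/acpi", "/proc/apm", "/proc/asound", "/proc/bus", "/proc/fs",
    "/proc/irq", "/proc/kallsyms", "/proc/kcore", "/proc/latency_stats",
    "/proc/mtrr", "/proc/scsi", "/proc/sys", "/proc/sysrq-trigger",
    "/proc/timer_stats", "/sys",
)
AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)")
SERVICE_START_RE = re.compile(r"type=SERVICE_START msg=audit\((?P<ts>\d+\.\d+):\d+\): "
                              r".*?\bunit=(?P<unit>[^\s']+)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare


@dataclass
class Denial:
    ts: float
    perms: frozenset
    fields: dict                 # pid, comm, path, scontext, tcontext, tclass, ...
    unit: Optional[str] = None   # filled in by attribute_to_units()

    def protected_path(self) -> Optional[str]:
        """ProtectKernelTunables= entry covering the denied path, or None."""
        path = self.fields.get("path", "")
        return next((p for p in PROTECT_KERNEL_TUNABLES
                     if path == p or path.startswith(p + "/")), None)


def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m["fields"])}
    return Denial(float(m["ts"]), frozenset(m["perms"].split()), fields)


def attribute_to_units(lines, window: float = 1.0) -> list:
    """Parse an audit stream in order and name the unit behind each AVC.

    systemd sets up the namespace (and trips the mounton denials) in the forked
    child, then pid 1 logs SERVICE_START; the child's pid is absent from that
    record, so a denial is matched to the next SERVICE_START within `window`
    seconds.  A denial with no such record keeps unit=None instead of a guess."""
    denials, pending = [], []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            denials.append(d)
            pending.append(d)
            continue
        m = SERVICE_START_RE.search(line)
        if m is None:
            continue
        ts = float(m["ts"])
        for d in pending:
            if 0.0 <= ts - d.ts <= window:
                d.unit = m["unit"]
        pending = [d for d in pending if d.unit is None and ts - d.ts <= window]
    return denials


def _perms(perms) -> str:       # "mounton" or "{ read write }"
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def te_module(denials, name: str = "my-ostnamed") -> str:
    """Render the policy source that `audit2allow -M name` would build: one
    allow rule per (source type, target type, class), permissions merged."""
    rules, classes = {}, {}
    for d in denials:
        stype = d.fields["scontext"].split(":")[2]   # e.g. init_t
        ttype = d.fields["tcontext"].split(":")[2]   # e.g. sysctl_irq_t
        key = (stype, ttype, d.fields["tclass"])
        rules[key] = rules.get(key, frozenset()) | d.perms
        classes[key[2]] = classes.get(key[2], frozenset()) | d.perms
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


# Constructed sample: the AVC from the description plus the three records of comment 4.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1478293241.618:1111): avc:  denied  { mounton } for  pid=4004 comm="(-localed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484227039.425:11726): avc:  denied  { mounton } for  pid=19024 comm="(ostnamed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1484227039.425:11727): avc:  denied  { mounton } for  pid=19024 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1484227039.463:11728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

if __name__ == "__main__":
    found = attribute_to_units(SAMPLE_AUDIT.splitlines())
    for d in found:
        print(d.fields["comm"], d.fields["path"], "unit=%s" % d.unit,
              "protected_by=%s" % d.protected_path())
    print(te_module(found))
```

Run it and the two comment 4 denials come out attributed to systemd-hostnamed with both paths flagged as ProtectKernelTunables= targets, while the lone AVC from the description, which has no SERVICE_START after it, stays unattributed. The rendered module is the same shape as the audit2allow output the catchall plugin proposes; note that it grants mounton on sysctl_irq_t and mtrr_device_t to every init_t process, not just to hostnamed, which is why a fix in the distribution policy (comment 16) is the better outcome than a local module.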

Comment 9 Lukas Slebodnik 2017-01-17 14:11:28 UTC
(In reply to Adam Williamson from comment #5)
> Nearly every openQA test is running into this in recent composes. +1 blocker.

(In reply to Stephen Gallagher from comment #6)
> +1 blocker

It's super nice that you gave +1 for a harmless AVC bug.
IMHO there are different bugs which should get blocker.  (BZ1413075 and maybe related/duplicate BZ1413047)

Comment 10 Stephen Gallagher 2017-01-17 14:31:26 UTC
It's hard to know which one is at fault, but SELinux is preventing the system from working *at all* on Fedora 26/Rawhide right now. This looked likely to be the culprit. If this one is indeed harmless and the problem is elsewhere, please advise.

Comment 12 Lukas Slebodnik 2017-01-17 14:35:48 UTC
I can see this AVC even on older kernel but it does not cause such problem as I reported in different bugs (BZ1413075, BZ1413047)

Comment 13 Michal Sekletar 2017-01-17 15:32:42 UTC
FWIW, filesystem paths that systemd may try to remount due to use of new security related features can be found in respective tables here,

https://github.com/systemd/systemd/blob/master/src/core/namespace.c

Comment 14 Lukas Vrabec 2017-01-17 16:50:17 UTC
Michal, 
Thank you. Fixed. Build will be available ASAP.

Comment 15 Adam Williamson 2017-01-20 23:28:30 UTC
Any news on that build?

Comment 16 Zbigniew Jędrzejewski-Szmek 2017-02-01 16:31:29 UTC
commit 08645ba5ed6467bee8218bec32015ef4f1c70fa0
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Jan 17 17:47:55 2017 +0100

    Allow systemd using ProtectKernelTunables security feature. BZ(1392161)

Comment 17 Lukas Vrabec 2017-02-01 16:44:53 UTC
Adam, 
Issue is fixed here:
https://koji.fedoraproject.org/koji/buildinfo?buildID=834475

Comment 18 Lukas Slebodnik 2017-02-02 15:32:47 UTC
I think that this change caused another bug @see BZ1418682

Comment 19 Geoffrey Marr 2017-02-13 20:30:10 UTC
Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker as it violates the following Final criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt

Comment 20 Adam Williamson 2017-02-14 21:04:59 UTC
A similar AVC still shows up in Fedora-Rawhide-20170214.n.0 testing, e.g.:

https://openqa.fedoraproject.org/tests/56815#step/_console_avc_crash/9

it now seems to be complaining about /proc/mtrr .

Comment 21 Fedora End Of Life 2017-02-28 10:33:48 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 22 Adam Williamson 2017-03-04 04:23:44 UTC
There's another report for the /proc/mtrr one:
https://bugzilla.redhat.com/show_bug.cgi?id=1411360
so let's close this.
