Bug 1643063 - SELinux is preventing (vnstatd) from using the 'nnp_transition' accesses on a process.
Summary: SELinux is preventing (vnstatd) from using the 'nnp_transition' accesses on a...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:219ec620762c367b0c13370a678...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-25 12:53 UTC by sedrubal
Modified: 2018-11-07 02:42 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.14.2-41.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-07 02:42:11 UTC


Attachments (Terms of Use)

Description sedrubal 2018-10-25 12:53:21 UTC
Description of problem:
SELinux is preventing (vnstatd) from using the 'nnp_transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (vnstatd) should be allowed nnp_transition access on processes labeled vnstatd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(vnstatd)' --raw | audit2allow -M my-vnstatd
# semodule -X 300 -i my-vnstatd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:vnstatd_t:s0
Target Objects                Unknown [ process2 ]
Source                        (vnstatd)
Source Path                   (vnstatd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.14-300.fc29.x86_64 #1 SMP Mon
                              Oct 15 13:13:16 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-25 14:51:47 CEST
Last Seen                     2018-10-25 14:52:12 CEST
Local ID                      626925ab-2bb7-439e-8476-3301d499e7c4

Raw Audit Messages
type=AVC msg=audit(1540471932.509:3109): avc:  denied  { nnp_transition } for  pid=30721 comm="(vnstatd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=process2 permissive=0


Hash: (vnstatd),init_t,vnstatd_t,process2,nnp_transition

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.14-300.fc29.x86_64
type:           libreport

Comment 1 Milos Malik 2018-10-30 15:17:20 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(10/30/2018 16:13:34.012:349) : proctitle=(vnstatd) 
type=PATH msg=audit(10/30/2018 16:13:34.012:349) : item=0 name=/run/systemd/unit-root/var/lib/vnstat inode=18618693 dev=fc:02 mode=dir,755 ouid=vnstat ogid=vnstat rdev=00:00 obj=system_u:object_r:vnstatd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(10/30/2018 16:13:34.012:349) : cwd=/ 
type=SYSCALL msg=audit(10/30/2018 16:13:34.012:349) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x55ece9170070 a1=0x55ece920e500 a2=0x0 a3=MS_BIND|MS_REC items=1 ppid=1 pid=3267 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(vnstatd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(10/30/2018 16:13:34.012:349) : avc:  denied  { mounton } for  pid=3267 comm=(vnstatd) path=/run/systemd/unit-root/var/lib/vnstat dev="vda2" ino=18618693 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(10/30/2018 16:13:34.013:350) : proctitle=(vnstatd) 
type=PATH msg=audit(10/30/2018 16:13:34.013:350) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25299753 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(10/30/2018 16:13:34.013:350) : item=0 name=/usr/sbin/vnstatd inode=28030523 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:vnstatd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(10/30/2018 16:13:34.013:350) : cwd=/ 
type=EXECVE msg=audit(10/30/2018 16:13:34.013:350) : argc=2 a0=/usr/sbin/vnstatd a1=-n 
type=SYSCALL msg=audit(10/30/2018 16:13:34.013:350) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55ece92932e0 a1=0x55ece906f5b0 a2=0x55ece928c110 a3=0x55ece9193c90 items=2 ppid=1 pid=3267 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(10/30/2018 16:13:34.013:350) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:vnstatd_t:s0 
type=AVC msg=audit(10/30/2018 16:13:34.013:350) : avc:  denied  { nnp_transition } for  pid=3267 comm=(vnstatd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(10/30/2018 16:13:34.016:351) : proctitle=(vnstatd) 
type=PATH msg=audit(10/30/2018 16:13:34.016:351) : item=0 name=/var/lib/vnstat inode=18618693 dev=fc:02 mode=dir,755 ouid=vnstat ogid=vnstat rdev=00:00 obj=system_u:object_r:vnstatd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(10/30/2018 16:13:34.016:351) : cwd=/ 
type=SYSCALL msg=audit(10/30/2018 16:13:34.016:351) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffe87f660b0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=3267 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(10/30/2018 16:13:34.016:351) : avc:  denied  { read } for  pid=3267 comm=vnstatd name=vnstat dev="vda2" ino=18618693 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir permissive=0
----

# rpm -qa vnstat\* selinux-policy\* | sort
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-devel-3.14.2-40.fc29.noarch
selinux-policy-sandbox-3.14.2-40.fc29.noarch
selinux-policy-targeted-3.14.2-40.fc29.noarch
vnstat-1.18-1.fc29.x86_64
#

Comment 2 Lukas Vrabec 2018-11-02 16:41:27 UTC
commit 6c30b43e6935ef82dc07dc56f4cbcb220ec814aa (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Nov 2 17:39:52 2018 +0100

    Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)

Comment 3 Christian Kujau 2018-11-04 03:12:08 UTC
Description of problem:
After upgrading from F28 to F29, this alert shows up right after boot and logging in to Gnome. And looking more closely, vnstat even fails to start:

horus# systemctl status vnstat
● vnstat.service - vnStat network traffic monitor
   Loaded: loaded (/usr/lib/systemd/system/vnstat.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2018-11-03 20:06:00 PDT; 2min 34s ago
     Docs: man:vnstatd(1)
           man:vnstat(1)
           man:vnstat.conf(5)
  Process: 1166 ExecStart=/usr/sbin/vnstatd -n (code=exited, status=1/FAILURE)
 Main PID: 1166 (code=exited, status=1/FAILURE)

Nov 03 20:06:00 horus systemd[1]: vnstat.service: Service RestartSec=100ms expired, scheduling restart.
Nov 03 20:06:00 horus systemd[1]: vnstat.service: Scheduled restart job, restart counter is at 5.
Nov 03 20:06:00 horus systemd[1]: Stopped vnStat network traffic monitor.
Nov 03 20:06:00 horus systemd[1]: vnstat.service: Start request repeated too quickly.
Nov 03 20:06:00 horus systemd[1]: vnstat.service: Failed with result 'exit-code'.
Nov 03 20:06:00 horus systemd[1]: Failed to start vnStat network traffic monitor.

==== The boot log is full of SELinux alerts, for example:



$ sealert -l f416fb4d-0e0e-4c64-b9eb-46ad405f2325
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

    from dbus.mainloop.glib import DBusGMainLoop

    DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux is preventing vnstatd from read access on the directory /var/lib/vnstat.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that vnstatd should be allowed read access on the vnstat directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vnstatd' --raw | audit2allow -M my-vnstatd
# semodule -X 300 -i my-vnstatd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:vnstatd_var_lib_t:s0
Target Objects                /var/lib/vnstat [ dir ]
Source                        vnstatd
Source Path                   vnstatd
Port                          <Unknown>
Host                          horus
Source RPM Packages           
Target RPM Packages           vnstat-1.18-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     horus
Platform                      Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct
                              20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-11-03 20:05:58 PDT
Last Seen                     2018-11-03 20:06:00 PDT
Local ID                      f416fb4d-0e0e-4c64-b9eb-46ad405f2325

Raw Audit Messages
type=AVC msg=audit(1541300760.483:239): avc:  denied  { read } for  pid=1166 comm="vnstatd" name="vnstat" dev="nvme0n1p6" ino=537650597 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir permissive=0


Hash: vnstatd,init_t,vnstatd_var_lib_t,dir,read


Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 4 Fedora Update System 2018-11-04 10:07:56 UTC
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 5 Fedora Update System 2018-11-05 04:20:13 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 6 Fedora Update System 2018-11-07 02:42:11 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.