Bug 1650997 - massive amounts of selinux denials for org.freedesktop.resolve1.ResolveHostname for pmie
Summary: massive amounts of selinux denials for org.freedesktop.resolve1.ResolveHostna...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 29
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-18 16:08 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2019-01-17 02:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-17 02:17:10 UTC
Type: Bug
Embargoed:



Description Zbigniew Jędrzejewski-Szmek 2018-11-18 16:08:04 UTC
Description of problem:

I get thousands (?) of those per second:

Nov 18 10:59:50 rpi3 audit[752]: USER_AVC pid=752 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=ResolveHostname dest=org.freedesktop.resolve1 spid=19642 tpid=1308 scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0
                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Nov 18 10:59:50 rpi3 audit[752]: USER_AVC pid=752 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=ResolveHostname dest=org.freedesktop.resolve1 spid=19642 tpid=1308 scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0
                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.2-42.fc29.noarch
systemd-239-6.git9f3aed1.fc29.aarch64
pcp-4.2.0-1.fc29.aarch64

How reproducible:
It's probably deterministic.

Steps to Reproduce:
1. enable systemd-resolved.service and put in /etc/nsswitch.conf
> hosts:      resolve [!UNAVAIL=return] myhostname
2. make sure /usr/bin/pmie is running

Actual results:
200% CPU used

Expected results:
Nothing.

Additional info:
pcp seems to be borked, it's running the service as part of the pcp user session. I'll try to figure out what is going on there and file a separate bug.
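
To triage a denial storm like the one in this report, the following added Python example (not part of the bug report or of the selinux-policy project) merges journalctl continuation lines back into their records, parses each USER_AVC record into fields, and aggregates denials by source type, target type, object class, permission and D-Bus method, which is the set of facts a policy maintainer needs before deciding whether to allow the access. The sample log consists of the two records quoted above plus one constructed non-AVC line. The `suggested_rule` helper is an assumption of this example: it emits the raw one-direction `allow` rule for the aggregated key, whereas the actual fix in comment 1 grants a bidirectional dbus chat between the two domains at the policy-interface level.

```python
import re
from collections import Counter

# Sample journal output. The two USER_AVC records (with their indented
# continuation lines) are copied from the bug report; the final systemd line
# is constructed here to show that non-AVC records are skipped.
SAMPLE_LOG = """\
Nov 18 10:59:50 rpi3 audit[752]: USER_AVC pid=752 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=ResolveHostname dest=org.freedesktop.resolve1 spid=19642 tpid=1308 scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0
                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Nov 18 10:59:50 rpi3 audit[752]: USER_AVC pid=752 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=ResolveHostname dest=org.freedesktop.resolve1 spid=19642 tpid=1308 scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0
                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Nov 18 10:59:51 rpi3 systemd[1]: Started Session 4 of user example (constructed line).
"""

# key=value tokens; values may be double-quoted, single-quoted, or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
# "avc:  denied  { send_msg }" -> result and the permission set.
PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def join_continuations(text):
    """Merge journal continuation lines (leading whitespace) into the preceding record."""
    records = []
    for raw in text.splitlines():
        if raw[:1].isspace() and records:
            records[-1] += " " + raw.strip()
        else:
            records.append(raw)
    return records


def _kv_pairs(text):
    return {k: v.strip("\"'") for k, v in KV_RE.findall(text)}


def parse_user_avc(line):
    """Return the fields of one USER_AVC record, or None if the line is not one.

    USER_AVC records are emitted by a userspace object manager (here
    dbus-daemon, see exe=), not by the kernel, so the interesting fields live
    inside the quoted msg= payload and must be parsed in a second pass.
    """
    if "USER_AVC" not in line:
        return None
    outer = _kv_pairs(line)
    msg = outer.pop("msg", "")
    fields = dict(outer)
    fields.update(_kv_pairs(msg))
    m = PERM_RE.search(msg)
    if m:
        fields["result"] = m.group(1)
        fields["perms"] = m.group(2).split()
    return fields


def selinux_type(context):
    """user:role:type:range -> type"""
    return context.split(":")[2]


def summarize_denials(lines):
    """Count denied records by (source type, target type, class, perms, D-Bus method)."""
    counts = Counter()
    for line in lines:
        rec = parse_user_avc(line)
        if not rec or rec.get("result") != "denied":
            continue
        key = (
            selinux_type(rec["scontext"]),
            selinux_type(rec["tcontext"]),
            rec.get("tclass"),
            " ".join(rec.get("perms", [])),
            f"{rec.get('interface')}.{rec.get('member')}",
        )
        counts[key] += 1
    return counts


def suggested_rule(key):
    """Raw allow rule for one aggregated key (hypothetical helper; one direction only)."""
    stype, ttype, tclass, perms, _method = key
    return f"allow {stype} {ttype}:{tclass} {perms};"


if __name__ == "__main__":
    for key, n in summarize_denials(join_continuations(SAMPLE_LOG)).items():
        print(n, key, "->", suggested_rule(key))
```

Run against a real journal with `journalctl -t audit | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a single key with a very high count, as here, points at a tight retry loop in the source domain rather than many distinct accesses, which is worth knowing before a rule is added.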

Comment 1 Lukas Vrabec 2018-12-17 19:03:21 UTC
commit 70ee11dfc297bb8a114d5a74602f1038956f7070 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 17 20:02:52 2018 +0100

    Allow pcp_pmie_t domain to dbus chat with systemd_resolved_t domain BZ(1650997)

Comment 2 Fedora Update System 2019-01-13 15:45:28 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 3 Fedora Update System 2019-01-14 03:03:37 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 4 Fedora Update System 2019-01-17 02:17:10 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
