Bug 1673107 - Rebase selinux-policy package against Fedora 30
Summary: Rebase selinux-policy package against Fedora 30
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Tomas Capek
URL:
Whiteboard:
Duplicates: 1657800 1697894 1702255 1719025
Depends On: 1682526
Blocks: 1641631 1567073 1583703 1593577 1593607 1605215 1608051 1612552 1622548 1638666 1640296 1647777 1649312 1656738 1656837 1657281 1657800 1658624 1664316 1664409 1664983 1667016 1668840 1669277 1669285 1670313 1671019 1671129 1672531 1672546 1673056 1683642 1684103 1685689 1687721 1687867 1688671 1690925 1691351 1692676 1693679 1697894 1700222 1700667 1701158 1702243 1702255 1702580 1705044 1708098 1719025
 
Reported: 2019-02-06 17:11 UTC by Lukas Vrabec
Modified: 2019-11-05 22:11 UTC
CC: 9 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.`selinux-policy` rebased to 3.14.3
The `selinux-policy` package has been upgraded to upstream version 3.14.3, which provides a number of bug fixes and enhancements to the allow rules over the previous version.
Clone Of:
Environment:
Last Closed: 2019-11-05 22:10:04 UTC
Type: Bug
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4210551 Troubleshoot None Creating a hotspot with nmcli in RHEL8 fails with "Error: Connection activation failed: (5) IP configuration could not b... 2019-06-11 07:11:14 UTC
Red Hat Product Errata RHBA-2019:3547 None None None 2019-11-05 22:11:03 UTC

Comment 2 Milos Malik 2019-04-01 07:24:02 UTC
Following record appeared in the journal after selinux-policy update:

Apr 01 09:16:48 localhost.localdomain kernel: audit: type=1400 audit(1554103007.295:4): avc:  denied  { map } for  pid=1 comm="systemd" path="/usr/lib/modules/4.18.0-80.el8.x86_64/modules.dep.bin" dev="sda2" ino=17707098 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

# rpm -qa selinux-policy\* | sort
selinux-policy-3.14.2-99.el8.1.noarch
selinux-policy-devel-3.14.2-99.el8.1.noarch
selinux-policy-doc-3.14.2-99.el8.1.noarch
selinux-policy-minimum-3.14.2-99.el8.1.noarch
selinux-policy-mls-3.14.2-99.el8.1.noarch
selinux-policy-sandbox-3.14.2-99.el8.1.noarch
selinux-policy-targeted-3.14.2-99.el8.1.noarch
# matchpathcon /usr/lib/modules/4.18.0-80.el8.x86_64/modules.dep.bin
/usr/lib/modules/4.18.0-80.el8.x86_64/modules.dep.bin	system_u:object_r:modules_dep_t:s0
#

Comment 3 Milos Malik 2019-04-01 07:29:03 UTC
The SELinux denial mentioned in comment#2 appears during each reboot.

# getsebool -a | grep mmap
domain_can_mmap_files --> off
mmap_low_allowed --> off
wine_mmap_zero_ignore --> off
#

Comment 4 Milos Malik 2019-04-01 11:36:18 UTC
Following SELinux denials appeared after upgrade on my RHEL-8.0 MLS machine:
----
type=PROCTITLE msg=audit(04/01/2019 13:20:01.606:132) : proctitle=/sbin/modprobe -q -- nft-set 
type=MMAP msg=audit(04/01/2019 13:20:01.606:132) : fd=0 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(04/01/2019 13:20:01.606:132) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x5b92c a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=7 pid=1005 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:kmod_t:s15:c0.c1023 key=(null) 
type=AVC msg=audit(04/01/2019 13:20:01.606:132) : avc:  denied  { map } for  pid=1005 comm=modprobe path=/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin dev="sda2" ino=26059525 scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/01/2019 13:20:02.020:136) : proctitle=(null) 
type=PATH msg=audit(04/01/2019 13:20:02.020:136) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=8404771 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(04/01/2019 13:20:02.020:136) : item=1 name=/bin/bash inode=1135 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(04/01/2019 13:20:02.020:136) : item=0 name=/usr/libexec/chrony-helper inode=8434376 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/01/2019 13:20:02.020:136) : cwd=/ 
type=SYSCALL msg=audit(04/01/2019 13:20:02.020:136) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x5568be9c9b40 a1=0x5568be9c98d0 a2=0x5568be9c87b0 a3=0x8 items=3 ppid=1141 pid=1147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:chronyd_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(04/01/2019 13:20:02.020:136) : avc:  denied  { map } for  pid=1147 comm=chrony-helper path=/usr/bin/bash dev="sda2" ino=1135 scontext=system_u:system_r:chronyd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 
----

Comment 5 Milos Malik 2019-04-01 11:41:01 UTC
----
type=PROCTITLE msg=audit(04/01/2019 13:20:02.112:138) : proctitle=/bin/bash /usr/bin/kdumpctl start 
type=PATH msg=audit(04/01/2019 13:20:02.112:138) : item=0 name=/boot inode=96 dev=08:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:boot_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/01/2019 13:20:02.112:138) : cwd=/ 
type=SYSCALL msg=audit(04/01/2019 13:20:02.112:138) : arch=x86_64 syscall=faccessat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x560aca675a10 a2=W_OK a3=0x7ffc658898fc items=1 ppid=1134 pid=1142 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kdumpctl exe=/usr/bin/bash subj=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(04/01/2019 13:20:02.112:138) : avc:  denied  { dac_override } for  pid=1142 comm=kdumpctl capability=dac_override  scontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tclass=capability permissive=0 
----

and a ton of SELinux denials generated by tuned_t.

Comment 7 Milos Malik 2019-04-01 12:02:33 UTC
Following SELinux denials appear in the journal on MLS machine:
# dmesg | grep -i avc
[    2.160916] audit: type=1400 audit(1554119614.992:4): avc:  denied  { map } for  pid=1 comm="systemd" path="/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin" dev="sda2" ino=26059525 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
[    2.293906] audit: type=1400 audit(1554119615.125:5): avc:  denied  { write } for  pid=466 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=8761 scontext=system_u:system_r:systemd_gpt_generator_t:s0-s15:c0.c1023 tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file permissive=0
[    2.301855] audit: type=1400 audit(1554119615.133:6): avc:  denied  { read } for  pid=466 comm="systemd-gpt-aut" name="sda" dev="devtmpfs" ino=12554 scontext=system_u:system_r:systemd_gpt_generator_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file permissive=0
[    3.055429] audit: type=1400 audit(1554119615.887:7): avc:  denied  { map } for  pid=515 comm="systemd-udevd" path="/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin" dev="sda2" ino=26059525 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
[    3.202910] audit: type=1400 audit(1554119616.034:8): avc:  denied  { module_load } for  pid=522 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
[    3.227463] audit: type=1400 audit(1554119616.059:9): avc:  denied  { module_load } for  pid=524 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
[    3.238429] audit: type=1400 audit(1554119616.070:10): avc:  denied  { module_load } for  pid=523 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
#
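
Every denial quoted in comments 2, 4, 5 and 7 is a plain type-enforcement gap rather than a labeling problem: in comment 2, matchpathcon agrees with the on-disk label on the type (modules_dep_t) and differs only in the SELinux user (unconfined_u vs system_u), which TE rules do not consult, so restorecon would not have changed the outcome and the fix had to be new allow rules. The following script is an added example, not code from this bug or from the selinux-policy project. It parses AVC records in both shapes that appear on this page (raw kernel/dmesg lines with quoted values, and `ausearch -i` interpreted lines) and folds them into the minimal set of allow rules, merging repeated records and expressing same-domain capability and system-class denials as `self`, the way a practitioner would sanity-check audit2allow output before deciding whether a rule belongs in policy. The sample records are constructed for the example from the lines quoted above plus one synthetic `{ read open }` record and one non-AVC SYSCALL line; nothing was captured from a live system.

```python
import re
from collections import defaultdict

# Constructed sample input for this example: AVC records in the two shapes seen
# on this bug (raw kernel/dmesg lines with quoted values, and `ausearch -i`
# interpreted lines), plus one synthetic multi-permission record (read open)
# and one synthetic non-AVC SYSCALL line that the parser must ignore.
SAMPLE_AUDIT = """\
[    2.160916] audit: type=1400 audit(1554119614.992:4): avc:  denied  { map } for  pid=1 comm="systemd" path="/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin" dev="sda2" ino=26059525 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
[    3.202910] audit: type=1400 audit(1554119616.034:8): avc:  denied  { module_load } for  pid=522 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
[    3.227463] audit: type=1400 audit(1554119616.059:9): avc:  denied  { module_load } for  pid=524 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=system permissive=0
type=AVC msg=audit(04/01/2019 13:20:01.606:132) : avc:  denied  { map } for  pid=1005 comm=modprobe path=/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin dev="sda2" ino=26059525 scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/01/2019 13:20:01.700:133) : avc:  denied  { read open } for  pid=1005 comm=modprobe path=/usr/lib/modules/4.18.0-64.el8.x86_64/modules.dep.bin dev="sda2" ino=26059525 scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/01/2019 13:20:02.020:136) : avc:  denied  { map } for  pid=1147 comm=chrony-helper path=/usr/bin/bash dev="sda2" ino=1135 scontext=system_u:system_r:chronyd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/01/2019 13:20:02.112:138) : avc:  denied  { dac_override } for  pid=1142 comm=kdumpctl capability=dac_override  scontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kdumpctl_t:s0-s15:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(04/01/2019 13:20:02.112:138) : arch=x86_64 syscall=faccessat success=no exit=EACCES(Permission denied) comm=kdumpctl exe=/usr/bin/bash
"""

# Matches the AVC core regardless of the prefix (dmesg timestamp, audit(...) id,
# "type=AVC msg=..." header) and captures decision, permission set and fields.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
# key=value tokens; values are either double-quoted (raw records) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse every AVC record in `text`; non-AVC records are skipped.

    Each result carries the permissions as a list, the record's key/value
    fields with quotes stripped, and the derived source/target types.
    """
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record; nothing to build a rule from
        fields["decision"] = m.group(1)
        fields["perms"] = m.group(2).split()
        fields["stype"] = context_type(fields["scontext"])
        fields["ttype"] = context_type(fields["tcontext"])
        records.append(fields)
    return records


def allow_rules(records):
    """Fold denied records into the minimal set of TE allow rules.

    Records sharing (source type, target type, class) are merged and their
    permissions unioned; a target type equal to the source becomes `self`,
    which is how capability and system-class denials are written in policy.
    This mirrors what audit2allow does for plain AVCs, without its interface
    lookup or boolean hints.
    """
    perms_by_key = defaultdict(set)
    for r in records:
        if r["decision"] != "denied":
            continue
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        perms_by_key[(r["stype"], target, r["tclass"])].update(r["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return rules


def denials_by_domain(records):
    """Count denied records per source domain, noisiest first (triage view)."""
    counts = defaultdict(int)
    for r in records:
        if r["decision"] == "denied":
            counts[r["stype"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    for domain, n in denials_by_domain(recs):
        print(f"{domain}: {n} denial(s)")
```

On the sample the script yields one rule per (domain, target, class) triple, with the two udev_t module_load records collapsed into a single `allow udev_t self:system module_load;` and the kmod_t records merged into `{ map open read }`. After installing the rebased package, the same triples can be checked directly against the loaded policy with setools, for example `sesearch -A -s kmod_t -t modules_dep_t -c file -p map`; an empty result means the denial will recur on the next boot, as comment 3 observed with the old policy.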

Comment 8 Lukas Vrabec 2019-04-01 12:06:51 UTC
commit d9025072d033957bf981250fc18af993404ff9cc (HEAD -> rhel8.1-base)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Apr 1 14:05:45 2019 +0200

    Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
    Resolves: rhbz#1673107

Comment 9 Lukas Vrabec 2019-04-02 14:59:54 UTC
commit 2f8b6c9cd7e3f28d98eac3abc2827f99a6c21c44
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Apr 2 16:02:44 2019 +0200

    Allow chronyd_t domain to exec shell
    Resolves: rhbz#1673107

commit ae5a161b2b694470da89b24f75785b0a9a357aed (HEAD -> rhel8.1-base, origin/rhel8.1-base)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Apr 2 15:41:09 2019 +0200

    Allow kmod_t domain to mmap modules_dep_t files.
    Resolves: rhbz#1673107

Comment 10 Lukas Vrabec 2019-04-02 15:04:43 UTC
commit 1fc142d33309c68e2984d0c0ad8f1c8c6016fec8 (HEAD -> rhel8.1-contrib, origin/rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Apr 2 17:02:57 2019 +0200

    Add dac_override capability for kdumpctl_t process domain

Comment 19 Lukas Vrabec 2019-06-11 07:11:15 UTC
*** Bug 1719025 has been marked as a duplicate of this bug. ***

Comment 20 Lukas Vrabec 2019-06-11 08:20:28 UTC
*** Bug 1697894 has been marked as a duplicate of this bug. ***

Comment 22 Lukas Vrabec 2019-08-07 10:11:19 UTC
*** Bug 1657800 has been marked as a duplicate of this bug. ***

Comment 23 Zdenek Pytela 2019-08-20 15:55:06 UTC
*** Bug 1702255 has been marked as a duplicate of this bug. ***

Comment 26 errata-xmlrpc 2019-11-05 22:10:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547

