Bug 1739382 - [RHEL-8] avc denied detected while running ibacm test
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
 
Reported: 2019-08-09 08:27 UTC by zguo
Modified: 2020-11-14 07:12 UTC

Last Closed: 2019-11-05 22:12:10 UTC
Type: Bug




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3547 0 None None None 2019-11-05 22:12:19 UTC

Description zguo 2019-08-09 08:27:48 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-13.el8.noarch
DISTRO=RHEL-8.1.0-20190806.2
4.18.0-128.el8.x86_64

How reproducible:


Steps to Reproduce:
1. Run test /kernel/infiniband/ibacm https://beaker.engineering.redhat.com/recipes/7205451#task97343215

Actual results:
https://beaker.engineering.redhat.com/recipes/7205451/tasks/97343215/results/447546472/logs/avc.log

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-13.el8.noarch
----
time->Thu Aug  8 06:57:41 2019
type=PROCTITLE msg=audit(1565261861.020:143): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1565261861.020:143): arch=c000003e syscall=137 success=no exit=-13 a0=7f050bd977c0 a1=7f05078bf820 a2=7f050bfa13b0 a3=8 items=0 ppid=1 pid=44457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ibacm" exe="/usr/sbin/ibacm" subj=system_u:system_r:ibacm_t:s0 key=(null)
type=AVC msg=audit(1565261861.020:143): avc:  denied  { getattr } for  pid=44457 comm="ibacm" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0
----
time->Thu Aug  8 06:57:41 2019
type=PROCTITLE msg=audit(1565261861.021:144): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1565261861.021:144): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=a0 a2=3 a3=1 items=0 ppid=1 pid=44457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ibacm" exe="/usr/sbin/ibacm" subj=system_u:system_r:ibacm_t:s0 key=(null)
type=AVC msg=audit(1565261861.021:144): avc:  denied  { map } for  pid=44457 comm="ibacm" path="/run/INTEL_SA_DSC" dev="tmpfs" ino=89005 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:ibacm_var_run_t:s0 tclass=file permissive=0
----

Expected results:

No such denial.

Additional info:

Comment 1 Lukas Vrabec 2019-08-09 12:54:45 UTC
commit b7fd37c6dd892319963c1bf15f64ccfa39a7d6fc (HEAD -> rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Aug 9 14:53:15 2019 +0200

    Update ibacm_t policy
    
    Allow ibacm_t domain to mmap own pid files
    Allow ibacm_t domain to getattr device filesystems
    Resolves: rhbz#1739382
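
Added example, not part of the bug report or of the selinux-policy commit: a small parser that joins the two audit events from the description by event id, decodes the hex proctitle, names the failing syscall, and reduces each denial to a type-enforcement rule matching the two lines of the commit message. The raw `allow` form is an assumption about the rule shape, since the commit's diff is not shown on this page.

```python
import re
from collections import defaultdict
# Records from the bug description; SYSCALL lines trimmed to the fields used here.
SAMPLE = """\
type=PROCTITLE msg=audit(1565261861.020:143): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1565261861.020:143): arch=c000003e syscall=137 success=no exit=-13 comm="ibacm"
type=AVC msg=audit(1565261861.020:143): avc:  denied  { getattr } for  pid=44457 comm="ibacm" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0
type=PROCTITLE msg=audit(1565261861.021:144): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1565261861.021:144): arch=c000003e syscall=9 success=no exit=-13 comm="ibacm"
type=AVC msg=audit(1565261861.021:144): avc:  denied  { map } for  pid=44457 comm="ibacm" path="/run/INTEL_SA_DSC" dev="tmpfs" ino=89005 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:ibacm_var_run_t:s0 tclass=file permissive=0
"""

SYSCALLS = {"9": "mmap", "137": "statfs", "257": "openat"}  # x86_64 numbers seen in this report
EVENT = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r"denied\s+\{([^}]+)\}.*?scontext=[^:]+:[^:]+:([^:\s]+)\S*"
                 r"\s+tcontext=[^:]+:[^:]+:([^:\s]+)\S*\s+tclass=(\w+)")

def parse_denials(text):
    """Join PROCTITLE/SYSCALL/AVC records by event id; return one dict per denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        if line.startswith("type=PROCTITLE"):
            raw = line.split("proctitle=", 1)[1]
            # hex-encoded when argv holds NUL-separated arguments; otherwise quoted
            ev["cmdline"] = (raw.strip('"') if raw.startswith('"')
                             else bytes.fromhex(raw).replace(b"\0", b" ").decode())
        elif line.startswith("type=SYSCALL"):
            nr = re.search(r"syscall=(\d+)", line).group(1)
            ev["syscall"] = SYSCALLS.get(nr, nr)
        elif line.startswith("type=AVC") and (a := AVC.search(line)):
            ev.update(perms=a.group(1).split(), source=a.group(2),
                      target=a.group(3), tclass=a.group(4))
    return [e for e in events.values() if "perms" in e]

def allow_rules(denials):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE))))
```

A generated rule is a starting point for review, not a fix to load as-is: each one should be checked against what the daemon legitimately needs before it goes into policy.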

Comment 22 Milos Malik 2019-08-21 07:55:09 UTC
The following SELinux denial appeared in the above-mentioned logs:
----
time->Tue Aug 20 18:58:02 2019
type=PROCTITLE msg=audit(1566341882.898:770): proctitle=2F7573722F7362696E2F696261636D002D2D73797374656D64
type=SYSCALL msg=audit(1566341882.898:770): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f815c4cdb30 a2=a0042 a3=1a4 items=0 ppid=1 pid=22980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ibacm" exe="/usr/sbin/ibacm" subj=system_u:system_r:ibacm_t:s0 key=(null)
type=AVC msg=audit(1566341882.898:770): avc:  denied  { write } for  pid=22980 comm="ibacm" name="shm" dev="devtmpfs" ino=2101 scontext=system_u:system_r:ibacm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
----

It's strange that /dev/shm is labeled device_t.

Comment 29 errata-xmlrpc 2019-11-05 22:12:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547

