Bug 1757050 - the systemd-bootchart service triggers a SELinux denial
Summary: the systemd-bootchart service triggers a SELinux denial
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-30 13:12 UTC by Milos Malik
Modified: 2020-09-01 18:21 UTC

Fixed In Version: selinux-policy-3.14.4-52.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-05 02:39:53 UTC
Type: Bug
Embargoed:



Description Milos Malik 2019-09-30 13:12:52 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-31.fc31.noarch
selinux-policy-targeted-3.14.4-31.fc31.noarch
systemd-243~rc2-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243~rc2-1.fc31.x86_64
systemd-pam-243~rc2-1.fc31.x86_64
systemd-rpm-macros-243~rc2-1.fc31.noarch
systemd-udev-243~rc2-1.fc31.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 30 or 31 machine (targeted policy is active)
2. start the systemd-bootchart service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/30/2019 09:07:52.662:349) : proctitle=@usr/lib/systemd/systemd-bootchart -r 
type=SYSCALL msg=audit(09/30/2019 09:07:52.662:349) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x559b400f59a7 a2=0x2 a3=0x0 items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null) 
type=AVC msg=audit(09/30/2019 09:07:52.662:349) : avc:  denied  { sys_admin } for  pid=2159 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
 * the SELinux denial does not prevent the service from running

Comment 1 Richard Fiľo 2019-09-30 16:03:24 UTC
Is this capability actually necessary for running this service?

Because allowing the sys_admin capability is very powerful from the perspective of SELinux policy.

Comment 2 Michal Sekletar 2020-02-04 16:59:56 UTC
systemd-bootchart, when running as root, tries to get additional information about scheduling from /proc/schedstats. However, this needs to be enabled by the appropriate sysctl (kernel.sched_schedstats). Altering sysctl options requires CAP_SYS_ADMIN. I'd say that the service is generally more useful if it can take this additional data into consideration.

Comment 3 Richard Fiľo 2020-05-18 12:36:17 UTC
In my opinion that can be allowed. I created a scratch build with a fix and a pull request.

Link to scratch build: https://download.copr.fedorainfracloud.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01381709-selinux-policy/

PR: https://github.com/fedora-selinux/selinux-policy/pull/355

Comment 4 Lukas Vrabec 2020-05-18 13:02:14 UTC
commit 6d966941f05ea6148bd91886e7bf91d7ae59690c (HEAD -> rawhide, origin/rawhide)
Author: Richard Filo <rfilo>
Date:   Wed May 13 11:42:23 2020 +0200

    Allow sys_admin capability for domain labeled systemd_bootchart_t
    
    fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757050

Comment 5 Fedora Update System 2020-05-20 13:47:30 UTC
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

Comment 6 Fedora Update System 2020-05-21 04:16:10 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Milos Malik 2020-05-21 08:46:33 UTC
# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.6-13.fc33.noarch
selinux-policy-targeted-3.14.6-13.fc33.noarch
systemd-245.2-1.fc33.x86_64
systemd-bootchart-233-6.fc32.x86_64
systemd-libs-245.2-1.fc33.x86_64
systemd-pam-245.2-1.fc33.x86_64
systemd-rpm-macros-245.2-1.fc33.noarch
systemd-udev-245.2-1.fc33.x86_64
# sesearch -s systemd_bootchart_t -t systemd_bootchart_t -c capability -p sys_admin -A --dontaudit
#

The following SELinux denial still appears after starting the systemd-bootchart service:
----
type=PROCTITLE msg=audit(05/21/2020 04:42:25.718:271) : proctitle=@usr/lib/systemd/systemd-bootchart -r 
type=SYSCALL msg=audit(05/21/2020 04:42:25.718:271) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x557eb9bac198 a2=0x2 a3=0x0 items=0 ppid=1 pid=2121 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null) 
type=AVC msg=audit(05/21/2020 04:42:25.718:271) : avc:  denied  { sys_admin } for  pid=2121 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0 
----
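
An added example, not from the bug report or the selinux-policy project: a small Python parser that pulls the AVC records out of audit output like the one quoted above, isolates the self-capability denial for a given domain, and builds both the sesearch query used in this comment and the allow rule that would correspond to it (the form audit2allow prints). The sample log text is constructed from the record quoted here plus one made-up file denial for a hypothetical example_t domain, so the filter has something to reject; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the PROCTITLE and AVC records quoted in this bug,
# plus one made-up file denial (example_t -> etc_t) that the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(05/21/2020 04:42:25.718:271) : proctitle=@usr/lib/systemd/systemd-bootchart -r
type=AVC msg=audit(05/21/2020 04:42:25.718:271) : avc:  denied  { sys_admin } for  pid=2121 comm=systemd-bootcha capability=sys_admin  scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/21/2020 04:43:00.000:280) : avc:  denied  { read } for  pid=2200 comm=example name=foo dev="dm-0" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." as printed by ausearch -i
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (dev="dm-0") or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str            # "denied" or "granted"
    perms: tuple           # permissions named inside the braces
    scontext: str          # source (process) context
    tcontext: str          # target context
    tclass: str            # object class, e.g. "capability", "file"
    permissive: bool       # True when the domain was permissive at the time
    fields: dict = field(default_factory=dict)  # every key=value pair after "for"


def parse_avc(line):
    """Parse one type=AVC record; return None for any other record type."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return AvcRecord(
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
        permissive=fields.get("permissive") == "1",
        fields=fields,
    )


def parse_audit_log(text):
    """All AVC records in a block of ausearch -i output, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def context_type(ctx):
    """The type component of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def find_capability_denials(records, domain, capability):
    """Denials where `domain` lacked `capability` against itself (tclass=capability)."""
    return [
        r for r in records
        if r.result == "denied" and r.tclass == "capability"
        and context_type(r.scontext) == domain
        and context_type(r.tcontext) == domain
        and capability in r.perms
    ]


def sesearch_query(rec):
    """The sesearch invocation that checks whether the loaded policy already allows this access."""
    return (f"sesearch -s {context_type(rec.scontext)} -t {context_type(rec.tcontext)}"
            f" -c {rec.tclass} -p {' '.join(rec.perms)} -A")


def allow_rule(rec):
    """The allow rule that would silence this denial (audit2allow-style syntax).
    A source type targeting its own type is written as `self`."""
    src, tgt = context_type(rec.scontext), context_type(rec.tcontext)
    target = "self" if src == tgt else tgt
    perms = rec.perms[0] if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return f"allow {src} {target}:{rec.tclass} {perms};"


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rec in find_capability_denials(records, "systemd_bootchart_t", "sys_admin"):
        print("pid", rec.fields["pid"], "comm", rec.fields["comm"], "permissive", rec.permissive)
        print("check:", sesearch_query(rec))
        print("rule: ", allow_rule(rec))
```

The sesearch query the script prints is the one from this comment; an empty result from it, as shown above, is what tells you the installed policy still lacks the rule. The generated allow rule is only the mechanical answer to the denial: whether a broad capability such as sys_admin should actually be granted to the domain is the policy question Comment 1 raises, and the script deliberately stops at reporting it.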

Comment 10 Fedora Update System 2020-06-05 02:39:53 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

