Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-31.fc31.noarch
selinux-policy-targeted-3.14.4-31.fc31.noarch
systemd-243~rc2-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243~rc2-1.fc31.x86_64
systemd-pam-243~rc2-1.fc31.x86_64
systemd-rpm-macros-243~rc2-1.fc31.noarch
systemd-udev-243~rc2-1.fc31.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 30 or 31 machine (targeted policy is active)
2. start the systemd-bootchart service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/30/2019 09:07:52.662:349) : proctitle=@usr/lib/systemd/systemd-bootchart -r
type=SYSCALL msg=audit(09/30/2019 09:07:52.662:349) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x559b400f59a7 a2=0x2 a3=0x0 items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null)
type=AVC msg=audit(09/30/2019 09:07:52.662:349) : avc: denied { sys_admin } for pid=2159 comm=systemd-bootcha capability=sys_admin scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0
----

Expected results:
* no SELinux denials

Additional info:
* the SELinux denial does not prevent the service from running
Is that capability actually necessary for running this service? Because allowing the sys_admin capability is very powerful from the perspective of SELinux policy.
systemd-bootchart, when running as root, tries to get additional information about scheduling from /proc/schedstats. However, this needs to be enabled by the appropriate sysctl (kernel.sched_schedstats). Altering sysctl options requires CAP_SYS_ADMIN. I'd say that the service is generally more useful if it can take this additional data into consideration.
In my opinion that can be allowed. I created a scratch build with the fix and a pull request.

Link to scratch build: https://download.copr.fedorainfracloud.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01381709-selinux-policy/
PR: https://github.com/fedora-selinux/selinux-policy/pull/355
commit 6d966941f05ea6148bd91886e7bf91d7ae59690c (HEAD -> rawhide, origin/rawhide)
Author: Richard Filo <rfilo>
Date:   Wed May 13 11:42:23 2020 +0200

    Allow sys_admin capability for domain labeled systemd_bootchart_t

    fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757050
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command:

`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.6-13.fc33.noarch
selinux-policy-targeted-3.14.6-13.fc33.noarch
systemd-245.2-1.fc33.x86_64
systemd-bootchart-233-6.fc32.x86_64
systemd-libs-245.2-1.fc33.x86_64
systemd-pam-245.2-1.fc33.x86_64
systemd-rpm-macros-245.2-1.fc33.noarch
systemd-udev-245.2-1.fc33.x86_64

# sesearch -s systemd_bootchart_t -t systemd_bootchart_t -c capability -p sys_admin -A --dontaudit
#

The following SELinux denial still appears after starting the systemd-bootchart service:
----
type=PROCTITLE msg=audit(05/21/2020 04:42:25.718:271) : proctitle=@usr/lib/systemd/systemd-bootchart -r
type=SYSCALL msg=audit(05/21/2020 04:42:25.718:271) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x557eb9bac198 a2=0x2 a3=0x0 items=0 ppid=1 pid=2121 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-bootcha exe=/usr/lib/systemd/systemd-bootchart subj=system_u:system_r:systemd_bootchart_t:s0 key=(null)
type=AVC msg=audit(05/21/2020 04:42:25.718:271) : avc: denied { sys_admin } for pid=2121 comm=systemd-bootcha capability=sys_admin scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0
----
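Added example, not code from this bug report or from the selinux-policy project. The comments above explain why the denial happens (writing the kernel.sched_schedstats sysctl needs CAP_SYS_ADMIN) and show the sesearch query that confirms whether the loaded policy already carries the allow rule. The script below ties the two together for a host that has not yet received the fixed policy build: it converts the capability AVC record quoted in the report into a one-rule local CIL module that can be loaded with semodule, and wraps the same sesearch query as a yes/no check. The audit record is copied from the report; the second AVC line, the module name local_bootchart and the output directory are constructed assumptions.

```shell
#!/bin/bash
# Added example (not the bug report's or the selinux-policy project's code).
# Turns capability AVC denials into a local CIL module so the denial from
# this report can be silenced on a host that still runs the old policy.
# Assumptions: module name "local_bootchart", output dir given by caller.
set -eu

# Constructed input: the AVC record from the report, as ausearch -i prints
# it, plus a made-up file denial that the converter must leave alone.
SAMPLE_AVC='type=AVC msg=audit(09/30/2019 09:07:52.662:349) : avc: denied { sys_admin } for pid=2159 comm=systemd-bootcha capability=sys_admin scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:system_r:systemd_bootchart_t:s0 tclass=capability permissive=0'
OTHER_AVC='type=AVC msg=audit(09/30/2019 09:07:53.001:350) : avc: denied { read } for pid=2159 comm=systemd-bootcha name=schedstat dev="proc" ino=4026532024 scontext=system_u:system_r:systemd_bootchart_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC lines on stdin, print one CIL allow rule per
# capability/capability2 denial. Other object classes are skipped on
# purpose: they need a real target type, which is audit2allow's job.
avc_to_cil() {
    awk '
    /avc: *denied/ && /tclass=capability2?( |$)/ {
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)   # text between { }
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, " ", perms)
        src = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || cls == "") next
        # A capability check is always made against the process itself,
        # so the target is self no matter what tcontext says.
        printf "(allow %s self (%s (%s)))\n", src, cls, perms
    }'
}

# write_module: build NAME.cil in DIR from AVC lines read on stdin and
# print its path. Returns 1 when no capability denial was found, so a
# caller never installs an empty module.
write_module() {
    local name=$1 dir=${2:-.}
    local rules
    rules=$(avc_to_cil)
    [ -n "$rules" ] || return 1
    printf '%s\n' "$rules" > "$dir/$name.cil"
    printf '%s\n' "$dir/$name.cil"
}

# policy_allows: the reporter's sesearch query as a yes/no/unknown answer.
# "unknown" means setools is not installed, not that the rule is absent.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || { echo unknown; return 0; }
    if sesearch -s systemd_bootchart_t -t systemd_bootchart_t -c capability \
        -p sys_admin -A 2>/dev/null | grep -q '^allow '; then
        echo yes
    else
        echo no
    fi
}

# Demo: show the rule generated from the constructed input.
printf '%s\n%s\n' "$SAMPLE_AVC" "$OTHER_AVC" | avc_to_cil
```

On an affected host, feed the real records in with `ausearch -m AVC -i | write_module local_bootchart /tmp`, load the result as root with `semodule -i /tmp/local_bootchart.cil`, and rerun the sesearch query to confirm the rule is now present. Once the updated selinux-policy package arrives, `semodule -r local_bootchart` removes the stopgap so the distribution rule is the only one left.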
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.