Description of problem:
SELinux denials when a confined user user_u or staff_u logs in

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. A confined user logs in

Actual results:
AVCs audited:
----
type=PROCTITLE msg=audit(11/01/19 08:56:29.489:2527) : proctitle=(systemd)
type=SYSCALL msg=audit(11/01/19 08:56:29.489:2527) : arch=x86_64 syscall=bpf success=yes exit=8 a0=BPF_PROG_LOAD a1=0x7ffec917c120 a2=0x70 a3=0x55cb9d79df70 items=0 ppid=1 pid=35538 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=203 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc: denied { prog_run } for pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc: denied { prog_load } for pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
Fri Nov 1 08:56:34 CET 2019

In enforcing mode, only prog_load appears.

Expected results:
No avc

Additional info:
These permissions are allowed:
# sesearch -A -c bpf -p prog_load|grep -w -e user_t -e staff_t -e sysadm_t -e root -e unconfined_t -e guest_u -e xguest_u
allow sysadm_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow sysadm_t sysadm_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t unconfined_t:bpf { map_create map_read map_write prog_load prog_run };
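The check behind the "Additional info" above, as an added example that is not part of the bug report: it parses the AVC records and the sesearch allow rules quoted in the report (embedded here as constructed sample input) and lists the denied (source type, target type, class, permission) tuples that no allow rule covers. It matches on type names only, as sesearch -A prints them, so the AVC contexts are reduced to their type field.

```python
import re

# Constructed sample: the two AVC records quoted in the report.
AVC_LOG = """\
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc: denied { prog_run } for pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc: denied { prog_load } for pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
"""

# Constructed sample: the sesearch -A output quoted in the report.
SESEARCH_OUT = """\
allow sysadm_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow sysadm_t sysadm_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t unconfined_t:bpf { map_create map_read map_write prog_load prog_run };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?scontext=(?P<s>\S+) "
    r"tcontext=(?P<t>\S+) tclass=(?P<c>\S+)(?: permissive=(?P<p>[01]))?")
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) \{ ([^}]+)\};")


def type_of(context):
    """Third field of a context label: user_u:user_r:user_t:s0 -> user_t."""
    return context.split(":")[2]


def parse_avcs(log):
    """Yield (src_type, tgt_type, tclass, perm, permissive) per denied permission."""
    out = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m["perms"].split():
            out.append((type_of(m["s"]), type_of(m["t"]), m["c"], perm, m["p"] == "1"))
    return out


def parse_allows(text):
    """Expand 'allow src tgt:class { perms };' lines into (src, tgt, class, perm) tuples."""
    rules = set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            for perm in m.group(4).split():
                rules.add((m.group(1), m.group(2), m.group(3), perm))
    return rules


def missing_rules(log, allows_text):
    """Denied tuples that the policy (as shown by sesearch) does not allow."""
    allows = parse_allows(allows_text)
    return sorted({r[:4] for r in parse_avcs(log) if r[:4] not in allows})
```

With a live system, feed it `ausearch -m avc` and the unfiltered `sesearch -A -c bpf` output instead of the embedded samples.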
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
Resolved with the following rawhide/base commit:

commit b1f64ef6da0d4cd5fa6f34358c945bf1e29c0780
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:20:12 2019 +0100

    Allow users using template userdom_unpriv_user_template() to run bpf tool

    Resolves: rhbz#1769228

and is present in the policy since version 3.14.5-13.