Description of problem: # grep NoNew /usr/lib/systemd/system/rdisc.service NoNewPrivileges=yes # sesearch -t rdisc_t -c process2 -p nnp_transition -A # Version-Release number of selected component (if applicable): iputils-20190515-3.fc31.x86_64 selinux-policy-3.14.4-40.fc31.noarch selinux-policy-devel-3.14.4-40.fc31.noarch selinux-policy-targeted-3.14.4-40.fc31.noarch How reproducible: * always Steps to Reproduce: 1. get a Fedora 31 machine (targeted policy is active) 2. start the rdisc service 3. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(11/06/2019 02:49:59.826:341) : proctitle=/usr/sbin/rdisc -f -t type=PATH msg=audit(11/06/2019 02:49:59.826:341) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=136860 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/06/2019 02:49:59.826:341) : item=0 name=/usr/sbin/rdisc inode=146819 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rdisc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/06/2019 02:49:59.826:341) : cwd=/ type=EXECVE msg=audit(11/06/2019 02:49:59.826:341) : argc=3 a0=/usr/sbin/rdisc a1=-f a2=-t type=BPRM_FCAPS msg=audit(11/06/2019 02:49:59.826:341) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pi=net_raw old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pa=net_raw pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pi=net_raw pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pa=net_raw frootid=0 type=SYSCALL msg=audit(11/06/2019 02:49:59.826:341) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555d92d279b0 a1=0x555d92e6eed0 a2=0x555d92dc5060 a3=0x7 items=2 ppid=1 pid=22728 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null) type=SELINUX_ERR msg=audit(11/06/2019 02:49:59.826:341) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:rdisc_t:s0 type=AVC msg=audit(11/06/2019 02:49:59.826:341) : avc: denied { nnp_transition } for pid=22728 comm=(rdisc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rdisc_t:s0 tclass=process2 permissive=0 ---- type=PROCTITLE msg=audit(11/06/2019 02:49:59.830:342) : proctitle=/usr/sbin/rdisc -f -t type=SYSCALL msg=audit(11/06/2019 02:49:59.830:342) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=icmp a3=0x7fc20cb84ac0 items=0 ppid=1 pid=22728 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(11/06/2019 02:49:59.830:342) : avc: denied { create } for pid=22728 comm=rdisc scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=0 ---- Expected results: * the scenario does not trigger SELinux denials * the rdisc service runs successfully in enforcing mode
Link to scratch build with fix: https://copr-be.cloud.fedoraproject.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01120048-selinux-policy/ It should be fixed in the selinux-policy packages. RP: https://github.com/fedora-selinux/selinux-policy-contrib/pull/171
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.