Bug 1772055 - selinux denial for systemd-resolve (mmap with /usr/share/p11-kit/modules/p11-kit-trust.module)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact:
URL:
Whiteboard:
Duplicates: 1773875
Depends On:
Blocks:
Reported: 2019-11-13 14:27 UTC by Felix Schwarz
Modified: 2020-03-16 11:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-01 01:30:43 UTC
Type: Bug
Embargoed:



Description Felix Schwarz 2019-11-13 14:27:44 UTC
On F31 I have systemd-resolved enabled and I get the following SELinux denial:

# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1573654857.753:140): avc:  denied  { map } for  pid=1048 comm="systemd-resolve" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="dm-1" ino=3315 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

	Was caused by:
	The boolean domain_can_mmap_files was set incorrectly. 
	Description:
	Allow domain to can mmap files

	Allow access by executing:
	# setsebool -P domain_can_mmap_files 1


Of course I can work around the issue but I think the correct approach would be to fix this in selinux-policy.
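As an added example (not part of the bug report or of selinux-policy), a small Python filter that parses AVC records like the one above and flags exactly this class of denial, so a defender can spot it in audit logs before and after the policy update. The sample log is constructed around the record quoted in this bug plus two unrelated records.

```python
import re

# Constructed sample audit log: the denial quoted in this bug, the SYSCALL
# record that accompanies it, and an unrelated (made-up) AVC denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1573654857.753:140): avc:  denied  { map } for  pid=1048 comm="systemd-resolve" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="dm-1" ino=3315 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1573654857.753:140): arch=c000003e syscall=9 success=no exit=-13
type=AVC msg=audit(1573654900.001:141): avc:  denied  { write } for  pid=2000 comm="chronyd" path="/var/tmp/example" dev="dm-1" ino=99 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: timestamp:serial, decision, and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs that follow; values may be quoted (comm, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": set(m["perms"].split())}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    # Contexts are user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def is_resolved_cert_map_denial(rec):
    """True for the denial this bug describes: systemd_resolved_t refused the
    'map' permission on a file labelled usr_t (the p11-kit trust module)."""
    return (rec is not None and rec["result"] == "denied"
            and "map" in rec["perms"]
            and rec["stype"] == "systemd_resolved_t"
            and rec["ttype"] == "usr_t"
            and rec.get("tclass") == "file")


def scan(log_text):
    """Return the matching AVC records found in an audit.log excerpt."""
    return [rec for rec in map(parse_avc, log_text.splitlines())
            if is_resolved_cert_map_denial(rec)]


if __name__ == "__main__":
    for rec in scan(SAMPLE_AUDIT_LOG):
        print(f"serial {rec['serial']}: {rec['comm']} denied map on {rec['path']}")
```

A hit after the fixed selinux-policy build is installed means the policy on the host is still the old one; the domain_can_mmap_files boolean from the audit2why output silences the denial but does so for every domain, not just systemd-resolved.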

Comment 1 Michal Schmidt 2019-11-19 08:36:54 UTC
*** Bug 1773875 has been marked as a duplicate of this bug. ***

Comment 2 Richard Fiľo 2019-11-19 17:03:15 UTC
Can you tell me how I can reproduce that scenario?

Thanks, Richard.

Comment 3 Felix Schwarz 2019-11-19 17:18:40 UTC
This happened with a pretty basic F31 install.

- I have systemd-networkd enabled (ipv4 DHCP, nothing special).
- systemd-networkd enabled
- /etc/nsswitch.conf contains "hosts:      files resolve myhostname"
- /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

Comment 4 Michal Schmidt 2019-11-19 17:26:27 UTC
(In reply to Felix Schwarz from comment #3)
> - I have systemd-networkd enabled (ipv4 DHCP, nothing special).
> - systemd-networkd enabled

Normally I also use systemd-networkd, but I disabled it now and after reboot systemd-resolved still triggers the AVC denial.
So systemd-networkd does not seem to be necessary to reproduce.

Comment 5 Richard Fiľo 2019-11-21 16:13:05 UTC
It will be fixed in SELinux policy package.

PR: https://github.com/fedora-selinux/selinux-policy/pull/297

Comment 6 Felix Schwarz 2019-11-21 19:57:15 UTC
> It will be fixed in SELinux policy package.

Thank you for taking care of that so quickly.

Comment 7 Lukas Vrabec 2019-11-26 14:23:27 UTC
commit 5ea253b63e222f7cab3b053bf388a1789717b7c3 (HEAD -> rawhide, origin/rawhide)
Author: Richard Filo <rfilo>
Date:   Thu Nov 21 13:22:51 2019 +0100

    Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1772055

Comment 8 Felix Schwarz 2019-12-11 09:15:13 UTC
I just noticed that this change was only added to rawhide. Is it possible to merge this back to F31?

Comment 9 Christopher Tubbs 2019-12-12 07:27:47 UTC
This is still happening for me with selinux-policy-targeted-3.14.4-43.fc31.noarch

Comment 10 Richard Fiľo 2019-12-13 10:30:23 UTC
It will be fixed in next build.

Comment 11 Fedora Update System 2020-01-31 01:28:39 UTC
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17

Comment 12 Fedora Update System 2020-02-01 01:30:43 UTC
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

