Bug 1775882 - SELinux is preventing (imedated) from 'mounton' accesses on the chr_file /run/systemd/unit-root/dev/kmsg.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d5d53cb134c65f7a6cd3c058604...
Duplicates: 1775883 1777083 1778022
Depends On:
Blocks: F32BetaBlocker
 
Reported: 2019-11-23 08:12 UTC by Nicolas Mailhot
Modified: 2019-11-29 18:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-29 18:21:14 UTC
Type: ---
Embargoed:



Description Nicolas Mailhot 2019-11-23 08:12:26 UTC
Description of problem:
SELinux is preventing (imedated) from 'mounton' accesses on the chr_file /run/systemd/unit-root/dev/kmsg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (imedated) should be allowed mounton access on the kmsg chr_file by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c "(imedated)" --raw | audit2allow -M my-imedated
# semodule -X 300 -i my-imedated.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                /run/systemd/unit-root/dev/kmsg [ chr_file ]
Source                        (imedated)
Source Path                   (imedated)
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-16.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.4.0-0.rc6.git0.1.fc32.x86_64 #1
                              SMP Mon Nov 4 16:37:09 UTC 2019 x86_64 x86_64
Alert Count                   3
First Seen                    2019-11-22 18:09:04 CET
Last Seen                     2019-11-23 09:11:25 CET
Local ID                      0239c08e-0bcb-469c-8549-f37aeacbbb5a

Raw Audit Messages
type=AVC msg=audit(1574496685.631:3117): avc:  denied  { mounton } for  pid=471519 comm="(imedated)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=3080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1


Hash: (imedated),init_t,kmsg_device_t,chr_file,mounton

Version-Release number of selected component:
selinux-policy-3.14.5-16.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.0-0.rc6.git0.1.fc32.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2019-11-25 17:41:14 UTC
*** Bug 1775883 has been marked as a duplicate of this bug. ***

Comment 2 Adam Williamson 2019-11-26 19:47:38 UTC
I'm seeing denials like this on openQA tests of today's Rawhide compose, and they seem to be causing all the tests to fail because initial login takes two minutes(!). Journal shows a ton of these denials:

Nov 26 11:17:57 localhost.localdomain audit[744]: AVC avc:  denied  { mounton } for  pid=744 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[745]: AVC avc:  denied  { mounton } for  pid=745 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[748]: AVC avc:  denied  { mounton } for  pid=748 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[749]: AVC avc:  denied  { mounton } for  pid=749 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[752]: AVC avc:  denied  { mounton } for  pid=752 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[753]: AVC avc:  denied  { mounton } for  pid=753 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[756]: AVC avc:  denied  { mounton } for  pid=756 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[757]: AVC avc:  denied  { mounton } for  pid=757 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[760]: AVC avc:  denied  { mounton } for  pid=760 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[761]: AVC avc:  denied  { mounton } for  pid=761 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[784]: AVC avc:  denied  { mounton } for  pid=784 comm="(ostnamed)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:23 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=0
Nov 26 11:18:32 localhost.localdomain audit[922]: AVC avc:  denied  { mounton } for  pid=922 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[923]: AVC avc:  denied  { mounton } for  pid=923 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[926]: AVC avc:  denied  { mounton } for  pid=926 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[927]: AVC avc:  denied  { mounton } for  pid=927 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[930]: AVC avc:  denied  { mounton } for  pid=930 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[931]: AVC avc:  denied  { mounton } for  pid=931 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[934]: AVC avc:  denied  { mounton } for  pid=934 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[935]: AVC avc:  denied  { mounton } for  pid=935 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[938]: AVC avc:  denied  { mounton } for  pid=938 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[939]: AVC avc:  denied  { mounton } for  pid=939 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0

and they seem to cause some systemd errors:

Nov 26 11:18:32 localhost.localdomain systemd[931]: systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev/kmsg: Permission denied
Nov 26 11:18:32 localhost.localdomain systemd[931]: systemd-logind.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-logind: Permission denied

and I think that results in systemd waiting for something for two minutes before timing out:

Nov 26 11:20:32 localhost.localdomain login[901]: pam_systemd(login:session): Failed to create session: Connection timed out
Nov 26 11:20:32 localhost.localdomain login[901]: pam_unix(login:session): session opened for user test by LOGIN(uid=0)

and only after that does the console login actually complete. Oddly, this doesn't reproduce on a local VM, I'm not sure why not - I don't have these denials there and login works instantly. But it's happening every time in openQA.

Comment 3 Adam Williamson 2019-11-26 21:17:21 UTC
confirmed openQA test works OK if I hack selinux to permissive mode, so it's the selinux denials causing the problem.

Comment 4 Adam Williamson 2019-11-27 03:25:40 UTC
oh, and I just upgraded my desktop to latest Rawhide and on that box, this bug seems to mean it never reaches gdm *at all*. It just gets stuck at the boot screen. I have to boot with enforcing=0 to be able to log in at all. Not sure why this seems to manifest so differently on different systems, that's weird.

Comment 5 Nicolas Mailhot 2019-11-27 09:22:09 UTC
I'm fairly certain that also kills networking for systems that use networkd (at least I had one of them DOA after this update, that had to be rescued to permissive mode for networking to work; didn't have time to check actual avcs on it yet)

Comment 6 Ben Cotton 2019-11-27 14:20:09 UTC
Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 7 Mikhail 2019-11-27 15:21:06 UTC
That's not 29. That's rawhide!

Comment 8 Adam Williamson 2019-11-27 15:58:18 UTC
Since this prevents my box booting at all, proposing as an F32 Beta blocker.

Comment 9 Lukas Vrabec 2019-11-27 18:09:39 UTC
commit 3874269a715a60bca048a76da372fd90b7294e9c (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 27 19:06:42 2019 +0100

    Update dev_mounton_all_device_nodes() interface
    
    Update the interface to allow a caller domain to mounton also
    device_node chr_files and blk_files.
    
    Resolves: rhbz#1775882


Fixes backported also to F31.

Comment 10 Lukas Vrabec 2019-11-27 18:54:00 UTC
*** Bug 1777083 has been marked as a duplicate of this bug. ***

Comment 11 Adam Williamson 2019-11-27 19:12:45 UTC
Thanks Lukas. Can we get a new build ASAP so the next Rawhide is testable?

Comment 12 Lukas Vrabec 2019-11-27 19:28:27 UTC
Here we go!

Building selinux-policy-3.14.5-17.fc32 for rawhide
Created task: 39380917
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=39380917

Comment 13 Bruno Goncalves 2019-11-28 08:52:10 UTC
I've tested selinux-policy-3.14.5-17.fc32.noarch and I still have issues when booting with enforcing=1.

On audit log I see:
type=AVC msg=audit(1574930779.828:51): avc:  denied  { getattr } for  pid=562 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930779.829:52): avc:  denied  { mounton } for  pid=562 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930780.657:56): avc:  denied  { getattr } for  pid=601 comm="(ostnamed)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930780.657:57): avc:  denied  { mounton } for  pid=601 comm="(ostnamed)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1

Comment 14 Adam Williamson 2019-11-28 22:00:57 UTC
Yeah, openQA tests all failed on today's compose too. openQA logs from a run I did with a hack to set the installed system in permissive mode show this:

----
time->Wed Nov 27 13:21:35 2019
type=AVC msg=audit(1574878895.838:77): avc:  denied  { mounton } for  pid=619 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
----
time->Wed Nov 27 13:21:35 2019
type=AVC msg=audit(1574878895.839:78): avc:  denied  { getattr } for  pid=619 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
----
time->Wed Nov 27 13:21:35 2019
type=AVC msg=audit(1574878895.840:79): avc:  denied  { mounton } for  pid=619 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
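The denials quoted in Comments 2, 13 and 14 come in two record shapes (journal "AVC avc:" lines and raw ausearch "type=AVC" lines) and two targets (kmsg_device_t chr_file, then proc_kmsg_t file after the first policy build). The following is an added example, not part of this bug or of selinux-policy, that parses both shapes, counts distinct source-type/target-type/class/permission keys, and separates the denials that were actually enforced (permissive=0, the ones that broke logind) from those merely logged in permissive mode. The sample log is constructed here, modelled on the lines in the comments.

```python
import re
from collections import Counter

# Constructed sample modelled on the AVC records quoted in this bug:
# two journal-format lines, two raw ausearch lines, one USER_AVC and one
# non-AVC systemd error that the parser must ignore.
SAMPLE_LOG = """\
Nov 26 11:17:57 localhost.localdomain audit[744]: AVC avc:  denied  { mounton } for  pid=744 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[745]: AVC avc:  denied  { mounton } for  pid=745 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:23 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=0
type=AVC msg=audit(1574930779.828:51): avc:  denied  { getattr } for  pid=562 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930779.829:52): avc:  denied  { mounton } for  pid=562 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
Nov 26 11:18:32 localhost.localdomain systemd[931]: systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev/kmsg: Permission denied
"""

# Matches the common tail of AVC and USER_AVC records regardless of the
# journal/ausearch prefix; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the denial tuple for one record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m.group("perms").split(),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0 means the access was really refused
            "enforced": m.group("permissive") == "0"}


def summarize(log_text):
    """Count (source type, target type, class, permission, enforced) keys."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:  # a record may list several permissions
            counts[(d["stype"], d["ttype"], d["tclass"], perm, d["enforced"])] += 1
    return counts


def blocking_denials(log_text):
    """Keys that were enforced (permissive=0), i.e. the ones that broke boot."""
    return sorted(k for k in summarize(log_text) if k[4])
```

Running `blocking_denials` over a journal shows at a glance whether the kmsg mounton denial is still enforced after a policy update, which is the check Comments 13 and 16 did by hand.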

Comment 15 Lukas Vrabec 2019-11-29 12:56:27 UTC
*** Bug 1778022 has been marked as a duplicate of this bug. ***

Comment 16 Adam Williamson 2019-11-29 17:36:55 UTC
Looks like selinux-policy-3.14.5-18.fc32 fixes this - openQA tests for the 1129.n.0 compose mostly passed. Anyone else confirm for them?

Comment 17 Nicolas Mailhot 2019-11-29 18:14:11 UTC
With:
selinux-policy-targeted-3.14.5-18.fc32.noarch
selinux-policy-3.14.5-18.fc32.noarch

login and networkd work again

Comment 18 Adam Williamson 2019-11-29 18:21:14 UTC
OK, let's call this closed then. Thanks lvrabec.

