Description of problem: * the uuidd service runs, but it cannot transition into the correct domain (uuidd_t) Version-Release number of selected component (if applicable): selinux-policy-3.14.4-40.fc31.noarch selinux-policy-targeted-3.14.4-40.fc31.noarch uuidd-2.34-3.fc31.x86_64 How reproducible: * always Steps to Reproduce: 1. get a Fedora 31 machine (targeted policy is active) 2. start the uuidd service 3. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(11/28/2019 12:43:47.724:293) : proctitle=/usr/sbin/uuidd --socket-activation type=PATH msg=audit(11/28/2019 12:43:47.724:293) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=136860 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/28/2019 12:43:47.724:293) : item=0 name=/usr/sbin/uuidd inode=144736 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:uuidd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/28/2019 12:43:47.724:293) : cwd=/ type=EXECVE msg=audit(11/28/2019 12:43:47.724:293) : argc=2 a0=/usr/sbin/uuidd a1=--socket-activation type=SYSCALL msg=audit(11/28/2019 12:43:47.724:293) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55979be631a0 a1=0x55979bea3030 a2=0x55979be6b470 a3=0x7 items=2 ppid=1 pid=1181 auid=unset uid=uuidd gid=uuidd euid=uuidd suid=uuidd fsuid=uuidd egid=uuidd sgid=uuidd fsgid=uuidd tty=(none) ses=unset comm=uuidd exe=/usr/sbin/uuidd subj=system_u:system_r:init_t:s0 key=(null) type=SELINUX_ERR msg=audit(11/28/2019 12:43:47.724:293) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:uuidd_t:s0 type=AVC msg=audit(11/28/2019 12:43:47.724:293) : avc: denied { nnp_transition } for pid=1181 comm=(uuidd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:uuidd_t:s0 tclass=process2 permissive=0 ---- Expected results: * no SELinux denials * the uuidd service runs under uuidd_t context Additional info: # ps -efZ | grep uuidd system_u:system_r:init_t:s0 uuidd 1181 1 0 12:43 ? 00:00:00 /usr/sbin/uuidd --socket-activation unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1198 939 0 12:47 pts/0 00:00:00 grep --color=auto uuidd #
Link to scratch build with fix: https://copr-be.cloud.fedoraproject.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01120543-selinux-policy/ It should be fixed in the selinux-policy packages. RP: https://github.com/fedora-selinux/selinux-policy-contrib/pull/173
commit 29cc7c44b93fd2c34426dad4d410d0672c7aa014 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Richard Filo <rfilo> Date: Fri Nov 29 14:04:54 2019 +0100 Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1777936
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.