The following rules are missing in the ladvd policy module:

allow init_t ladvd_t:process2 nnp_transition;
allow init_t self:packet_socket map;

Version-Release number of selected component (if applicable):
ladvd-1.1.2-6.fc32.x86_64
ladvd-selinux-1.1.2-6.fc32.x86_64
selinux-policy-3.14.5-38.fc32.noarch
selinux-policy-devel-3.14.5-38.fc32.noarch
selinux-policy-doc-3.14.5-38.fc32.noarch
selinux-policy-targeted-3.14.5-38.fc32.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 31 or 32 machine (targeted policy is active)
2. start the ladvd service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(05/11/2020 15:54:36.394:1870) : proctitle=/usr/sbin/ladvd -f -t -a -z
type=PATH msg=audit(05/11/2020 15:54:36.394:1870) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8389818 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(05/11/2020 15:54:36.394:1870) : item=0 name=/usr/sbin/ladvd inode=8487505 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ladvd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/11/2020 15:54:36.394:1870) : cwd=/
type=EXECVE msg=audit(05/11/2020 15:54:36.394:1870) : argc=5 a0=/usr/sbin/ladvd a1=-f a2=-t a3=-a a4=-z
type=SYSCALL msg=audit(05/11/2020 15:54:36.394:1870) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x564369296c60 a1=0x564369548ba0 a2=0x564369314250 a3=0x56436963a920 items=2 ppid=1 pid=41362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(05/11/2020 15:54:36.394:1870) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:ladvd_t:s0
type=AVC msg=audit(05/11/2020 15:54:36.394:1870) : avc: denied { nnp_transition } for pid=41362 comm=(ladvd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process2 permissive=0
----
type=PROCTITLE msg=audit(05/11/2020 15:54:36.450:1871) : proctitle=/usr/sbin/ladvd -f -t -a -z
type=MMAP msg=audit(05/11/2020 15:54:36.450:1871) : fd=11 flags=MAP_SHARED
type=SYSCALL msg=audit(05/11/2020 15:54:36.450:1871) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x28f000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=41362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/11/2020 15:54:36.450:1871) : avc: denied { map } for pid=41362 comm=ladvd path=socket:[637766] dev="sockfs" ino=637766 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket permissive=0
----

Expected results:
* the ladvd service does not trigger any SELinux denials when started in default configuration

Additional information from the journal:
ladvd[41362]: opening raw socket failed
ladvd[41362]: pcap_activate for ens3 failed
I performed basic testing (start, restart, stop) of the ladvd service and the 2 rules mentioned in comment#0 do not fix the issue. But the following 3 rules do:

allow init_t ladvd_t:process2 nnp_transition;
allow ladvd_t ladvd_t:packet_socket map;
allow ladvd_t ladvd_t:capability kill;

If the above-mentioned rules are present, the ladvd service runs successfully in enforcing mode:

# service ladvd status
Redirecting to /bin/systemctl status ladvd.service
● ladvd.service - LLDP/CDP sender
   Loaded: loaded (/usr/lib/systemd/system/ladvd.service; disabled; vendor pr>
   Active: active (running) since Mon 2020-05-11 16:51:28 CEST; 3s ago
     Docs: man:ladvd(8)
           man:ladvdc(8)
 Main PID: 45077 (ladvd)
    Tasks: 2 (limit: 2330)
   Memory: 1.9M
      CPU: 37ms
   CGroup: /system.slice/ladvd.service
           ├─45077 ladvd: parent [priv]
           └─45088 ladvd: child

May 11 16:51:28 localhost.localdomain systemd[1]: Started LLDP/CDP sender.
May 11 16:51:28 localhost.localdomain ladvd[45088]: ladvd 1.1.2 running

# ps -efZ | grep ladvd
system_u:system_r:ladvd_t:s0                    root   45077     1  0 16:51 ?      00:00:00 ladvd: parent [priv]
system_u:system_r:ladvd_t:s0                    ladvd  45088 45077  0 16:51 ?      00:00:00 ladvd: child
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 45119 2018 0 16:51 pts/0 00:00:00 grep --color=auto ladvd
#
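The two comments above show why rules generated mechanically from AVC records can be misleading: the packet_socket denial in comment#0 was logged with scontext init_t only because the nnp_transition into ladvd_t had already been denied (the SELINUX_ERR record), so the daemon was still running as init_t when it mapped the socket. Once the transition is allowed, the socket is created by ladvd_t and the rule has to be written against ladvd_t, which is what the follow-up comment found. The script below is an added illustration, not part of this bug report or of the ladvd/selinux-policy packages: it parses the two AVC records and the SELINUX_ERR record quoted in comment#0 (embedded as a constructed sample), emits the literal allow rules the way audit2allow would, and then re-attributes denials logged in the pre-transition domain to the domain the transition was meant to reach. The capability kill rule from the follow-up comment does not appear in the quoted log, so the script cannot derive it.

```python
import re
from collections import defaultdict

# Constructed sample: the SELINUX_ERR and AVC records quoted in comment#0.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(05/11/2020 15:54:36.394:1870) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:ladvd_t:s0
type=AVC msg=audit(05/11/2020 15:54:36.394:1870) : avc: denied { nnp_transition } for pid=41362 comm=(ladvd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(05/11/2020 15:54:36.450:1871) : avc: denied { map } for pid=41362 comm=ladvd path=socket:[637766] dev="sockfs" ino=637766 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
BOUNDED_RE = re.compile(
    r"op=security_bounded_transition\s+seresult=denied\s+"
    r"oldcontext=(?P<old>\S+)\s+newcontext=(?P<new>\S+)"
)


def context_type(ctx):
    """Extract the type field: 'system_u:system_r:init_t:s0' -> 'init_t'."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return (denials, failed_transitions) parsed from audit records."""
    denials, failed_transitions = [], []
    for line in text.splitlines():
        m = BOUNDED_RE.search(line)
        if m:
            failed_transitions.append((context_type(m["old"]), context_type(m["new"])))
            continue
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "perms": frozenset(m["perms"].split()),
                "stype": context_type(m["scontext"]),
                "ttype": context_type(m["tcontext"]),
                "tclass": m["tclass"],
            })
    return denials, failed_transitions


def allow_rules(denials):
    """Merge permissions per (source, target, class) and print allow rules,
    using 'self' when source and target types are the same (audit2allow style)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {target}:{cls} {plist};")
    return rules


def retarget_after_transition(denials, failed_transitions):
    """Re-attribute denials logged in a domain whose transition was denied.

    If init_t -> ladvd_t was refused, the process kept running as init_t, so
    later denials with scontext init_t describe what ladvd_t will need once
    the transition succeeds. The process2 denial for the transition itself is
    left unchanged, since that one really is needed on init_t."""
    remap = dict(failed_transitions)
    out = []
    for d in denials:
        if d["tclass"] == "process2" or d["stype"] not in remap:
            out.append(d)
            continue
        new = remap[d["stype"]]
        # A socket created by the process carries its creator's type, so a
        # target equal to the old source moves along with it.
        ttype = new if d["ttype"] == d["stype"] else d["ttype"]
        out.append(dict(d, stype=new, ttype=ttype))
    return out


if __name__ == "__main__":
    denials, transitions = parse_denials(SAMPLE_AUDIT)
    print("# literal rules (what audit2allow would emit):")
    print("\n".join(allow_rules(denials)))
    print("# after re-attributing to the intended domain:")
    print("\n".join(allow_rules(retarget_after_transition(denials, transitions))))
```

The literal output reproduces the two rules proposed in comment#0; the re-attributed output gives the nnp_transition rule on init_t plus `allow ladvd_t self:packet_socket map;`, the same permission the follow-up comment wrote as `allow ladvd_t ladvd_t:packet_socket map;`. In practice, re-run the service with the transition rule in place and collect a fresh log before deriving the remaining rules, rather than trusting denials recorded in the wrong domain.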
Thanks for the bug report! I will add these to the policy after some investigation of what exactly they mean.
FEDORA-2020-6010469bfb has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6010469bfb
FEDORA-2020-6010469bfb has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6010469bfb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6010469bfb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-6010469bfb has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.