1840265 – systemd unit PrivateDevices option does not work

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1840265 - systemd unit PrivateDevices option does not work

Summary: systemd unit PrivateDevices option does not work

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.3
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-05-26 16:27 UTC by Radovan Sroka
Modified:	2020-11-04 01:58 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 01:56:37 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4528	0	None	None	None	2020-11-04 01:57:06 UTC

Comment 1 Milos Malik 2020-05-26 17:47:33 UTC

----
type=PROCTITLE msg=audit(05/26/2020 19:45:55.793:2395) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:45:55.793:2395) : item=1 name=/tmp/namespace-dev-xh180B/dev/ptmx nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:45:55.793:2395) : item=0 name=/tmp/namespace-dev-xh180B/dev/ inode=1482476 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:45:55.793:2395) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:45:55.793:2395) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x7ffc06995460 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=257719 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:45:55.793:2395) : avc:  denied  { create } for  pid=257719 comm=(d-daemon) name=ptmx scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0 
----

Comment 2 Milos Malik 2020-05-26 17:51:50 UTC

Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.845:2420) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.845:2420) : item=1 name=/tmp/namespace-dev-RH8j98/dev/ptmx inode=1493881 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ptmx_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.845:2420) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ inode=1493879 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.845:2420) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.845:2420) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x7ffc06995460 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.845:2420) : avc:  denied  { create } for  pid=264057 comm=(d-daemon) name=ptmx scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.845:2421) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.845:2421) : item=1 name=/dev/ptmx inode=10945 dev=00:06 mode=character,666 ouid=root ogid=tty rdev=05:02 obj=system_u:object_r:ptmx_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.845:2421) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ptmx inode=1493881 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ptmx_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.845:2421) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.845:2421) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x558167043873 a1=0x7ffc06995460 a2=0x0 a3=MS_BIND items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.845:2421) : avc:  denied  { mounton } for  pid=264057 comm=(d-daemon) path=/tmp/namespace-dev-RH8j98/dev/ptmx dev="tmpfs" ino=1493881 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2422) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2422) : item=1 name=/tmp/namespace-dev-RH8j98/dev/null inode=1493886 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:null_device_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2422) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ inode=1493879 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2422) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2422) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x7ffc069953a0 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2422) : avc:  denied  { create } for  pid=264057 comm=(d-daemon) name=null scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2423) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2423) : item=1 name=/dev/null inode=8957 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:03 obj=system_u:object_r:null_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2423) : item=0 name=/tmp/namespace-dev-RH8j98/dev/null inode=1493886 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:null_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2423) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2423) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x558167044020 a1=0x7ffc069953a0 a2=0x0 a3=MS_BIND items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2423) : avc:  denied  { mounton } for  pid=264057 comm=(d-daemon) path=/tmp/namespace-dev-RH8j98/dev/null dev="tmpfs" ino=1493886 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2424) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2424) : item=1 name=/tmp/namespace-dev-RH8j98/dev/zero inode=1493887 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:zero_device_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2424) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ inode=1493879 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2424) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2424) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x7ffc069953a0 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2424) : avc:  denied  { create } for  pid=264057 comm=(d-daemon) name=zero scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2425) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2425) : item=1 name=/dev/zero inode=8959 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:05 obj=system_u:object_r:zero_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2425) : item=0 name=/tmp/namespace-dev-RH8j98/dev/zero inode=1493887 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:zero_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2425) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2425) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x55816704402a a1=0x7ffc069953a0 a2=0x0 a3=MS_BIND items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2425) : avc:  denied  { mounton } for  pid=264057 comm=(d-daemon) path=/tmp/namespace-dev-RH8j98/dev/zero dev="tmpfs" ino=1493887 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2426) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2426) : item=1 name=/tmp/namespace-dev-RH8j98/dev/random inode=1493889 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:random_device_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2426) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ inode=1493879 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2426) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2426) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x7ffc069953a0 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2426) : avc:  denied  { create } for  pid=264057 comm=(d-daemon) name=random scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2427) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2427) : item=1 name=/dev/random inode=8961 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2427) : item=0 name=/tmp/namespace-dev-RH8j98/dev/random inode=1493889 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2427) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2427) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x55816704403e a1=0x7ffc069953a0 a2=0x0 a3=MS_BIND items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2427) : avc:  denied  { mounton } for  pid=264057 comm=(d-daemon) path=/tmp/namespace-dev-RH8j98/dev/random dev="tmpfs" ino=1493889 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2428) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2428) : item=1 name=/tmp/namespace-dev-RH8j98/dev/urandom inode=1493890 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:urandom_device_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2428) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ inode=1493879 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2428) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2428) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x7ffc069953a0 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2428) : avc:  denied  { create } for  pid=264057 comm=(d-daemon) name=urandom scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.846:2429) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.846:2429) : item=1 name=/dev/urandom inode=8962 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.846:2429) : item=0 name=/tmp/namespace-dev-RH8j98/dev/urandom inode=1493890 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.846:2429) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.846:2429) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x55816704404a a1=0x7ffc069953a0 a2=0x0 a3=MS_BIND items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.846:2429) : avc:  denied  { mounton } for  pid=264057 comm=(d-daemon) path=/tmp/namespace-dev-RH8j98/dev/urandom dev="tmpfs" ino=1493890 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.848:2430) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.848:2430) : item=1 name=/tmp/namespace-dev-RH8j98/dev/tty inode=1493891 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devtty_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.848:2430) : item=0 name=/tmp/namespace-dev-RH8j98/dev/ inode=1493879 dev=00:33 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.848:2430) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.848:2430) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x7ffc069953a0 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.848:2430) : avc:  denied  { create } for  pid=264057 comm=(d-daemon) name=tty scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devtty_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/26/2020 19:48:36.848:2431) : proctitle=(d-daemon) 
type=PATH msg=audit(05/26/2020 19:48:36.848:2431) : item=1 name=/dev/tty inode=8964 dev=00:06 mode=character,666 ouid=root ogid=tty rdev=05:00 obj=system_u:object_r:devtty_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/26/2020 19:48:36.848:2431) : item=0 name=/tmp/namespace-dev-RH8j98/dev/tty inode=1493891 dev=00:33 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devtty_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/26/2020 19:48:36.848:2431) : cwd=/ 
type=SYSCALL msg=audit(05/26/2020 19:48:36.848:2431) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x558167044057 a1=0x7ffc069953a0 a2=0x0 a3=MS_BIND items=2 ppid=1 pid=264057 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-daemon) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/26/2020 19:48:36.848:2431) : avc:  denied  { mounton } for  pid=264057 comm=(d-daemon) path=/tmp/namespace-dev-RH8j98/dev/tty dev="tmpfs" ino=1493891 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devtty_t:s0 tclass=file permissive=1
----

Comment 12 Milos Malik 2020-06-17 08:29:00 UTC

Following SELinux denial appeared on aarch64 machine:
----
type=PROCTITLE msg=audit(06/17/2020 04:24:44.725:142) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=PATH msg=audit(06/17/2020 04:24:44.725:142) : item=0 name=/proc/cpuinfo inode=4026531931 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/17/2020 04:24:44.725:142) : cwd=/ 
type=SYSCALL msg=audit(06/17/2020 04:24:44.725:142) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0xffffb543cec8 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=30335 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(06/17/2020 04:24:44.725:142) : avc:  denied  { read } for  pid=30335 comm=usbguard-daemon name=cpuinfo dev="proc" ino=4026531931 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 
----

I can imagine this will be addressed in a separate bug.

Comment 13 Milos Malik 2020-06-17 09:13:43 UTC

The issue mentioned in comment#12 is now filed as https://bugzilla.redhat.com/show_bug.cgi?id=1847870. It will not block testing/verification of this bug.

Comment 17 errata-xmlrpc 2020-11-04 01:56:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

Note You need to log in before you can comment on or make changes to this bug.