Description of problem:
 * current context of /sys/kernel/tracing is tracefs_t
 * default context for /sys/kernel/tracing should be sysfs_t
 * restorecon cannot fix it because of SELinux denials

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-14.fc33.noarch
selinux-policy-targeted-3.14.6-14.fc33.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32/33 machine (targeted policy is active)
2. ls -Z /sys/kernel/tracing/*
3. matchpathcon /sys/kernel/tracing/*
4. restorecon -Rv /sys/kernel/tracing

Actual results:
 * an avalanche of SELinux denials
allow sysfs_t tracefs_t:filesystem associate;

Expected results:
 * no SELinux denials
 * current and default contexts are in sync

Additional information:
# mount | grep tracefs
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
# seinfo --genfs | grep trace
genfscon tracefs / system_u:object_r:tracefs_t:s0
#
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
# restorecon -v /sys/kernel/tracing/available_events
restorecon: Could not set context for /sys/kernel/tracing/available_events: Permission denied
# ausearch -m avc -i -ts recent
----
type=PROCTITLE msg=audit(05/28/2020 15:05:30.977:317) : proctitle=restorecon -v /sys/kernel/tracing/available_events
type=PATH msg=audit(05/28/2020 15:05:30.977:317) : item=0 name=/sys/kernel/tracing/available_events inode=91 dev=00:0b mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/28/2020 15:05:30.977:317) : cwd=/root
type=SYSCALL msg=audit(05/28/2020 15:05:30.977:317) : arch=x86_64 syscall=lsetxattr success=no exit=EACCES(Permission denied) a0=0x555ec9e7e4b0 a1=0x7f1c01167753 a2=0x555ec9e7e480 a3=0x1d items=1 ppid=918 pid=1057 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/28/2020 15:05:30.977:317) : avc: denied { associate } for pid=1057 comm=restorecon name=available_events dev="tracefs" ino=91 scontext=system_u:object_r:sysfs_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
----
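Added example (not part of the original report and not selinux-policy code): a small triage script that picks out the kind of denial shown above, where a relabel fails because the label being applied is not allowed to associate with the filesystem's own label. The function names and the second sample record are assumptions constructed for illustration.

```python
import re

# Constructed sample: the AVC record from the report above, plus one made-up
# unrelated denial that the triage is expected to ignore.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(05/28/2020 15:05:30.977:317) : avc: denied { associate } for pid=1057 comm=restorecon name=available_events dev="tracefs" ino=91 scontext=system_u:object_r:sysfs_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(05/28/2020 15:06:02.120:320) : avc: denied { read } for pid=1101 comm=cat name=example.conf dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus 'perms', else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def type_of(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(':')[2]

def relabel_conflicts(audit_text):
    """List denials of { associate } on tclass=filesystem.

    In such a record scontext is the label being applied to the file and
    tcontext is the label of the filesystem the file lives on.
    """
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get('tclass') != 'filesystem' or 'associate' not in rec['perms']:
            continue
        hits.append({'comm': rec.get('comm'), 'name': rec.get('name'),
                     'dev': rec.get('dev'),
                     'wanted_type': type_of(rec['scontext']),
                     'fs_type': type_of(rec['tcontext'])})
    return hits

if __name__ == '__main__':
    for h in relabel_conflicts(SAMPLE_AUDIT):
        print(f"{h['comm']}: cannot label {h['name']} on {h['dev']} as "
              f"{h['wanted_type']}; filesystem label is {h['fs_type']}")
```

A hit whose wanted_type differs from fs_type on a genfscon-labelled filesystem, as here, means the default file context and the genfscon rule disagree, and the file-context specification is the thing to correct.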
https://github.com/fedora-selinux/selinux-policy/pull/356
https://github.com/fedora-selinux/selinux-policy/pull/356/commits/db6708247ea732cb02953ed84491ba01dc9118c4

commit db6708247ea732cb02953ed84491ba01dc9118c4 (origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu May 28 17:32:31 2020 +0200

    Add file context for /sys/kernel/tracing
FEDORA-2020-ca8855e4de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de
FEDORA-2020-ca8855e4de has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ca8855e4de`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
selinux-policy-3.14.5-40.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.