Bug 1842897
| Summary: | Denied NetworkManager write to /var/tmp/dracut.*/systemd-cat while generating initrd image | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Pitt <mpitt> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.3 | CC: | lvrabec, mmalik, plautrba, ssekidde, ymankad, zpytela |
| Target Milestone: | rc | Keywords: | Regression, Triaged |
| Target Release: | 8.4 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 14:57:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1834275 | | |
This commit needs to be backported:
commit 4d471274fc9696898a0618cc7262dfc70fd73269
Author: Lukas Vrabec <lvrabec>
Date: Wed Sep 25 13:37:57 2019 +0200
Dontaudit NetworkManager_t domain to write to kdump temp pipes BZ(1750428)
diff --git a/networkmanager.te b/networkmanager.te
index 116b22c0c..ccff83eb7 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -347,6 +347,10 @@ optional_policy(`
lldpad_dgram_send(NetworkManager_t)
')
+optional_policy(`
+ kdump_dontaudit_inherited_kdumpctl_tmp_pipes(NetworkManager_t)
+')
+
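Review bot: the rule added in this hunk names only kdumpctl_tmp_t pipes, but the audit record quoted later in this report (the `----` block) shows the same write denial with tcontext=system_u:object_r:initrc_tmp_t:s0, which an interface named for kdumpctl_tmp_t pipes is unlikely to cover; either confirm that case is handled elsewhere in the policy or add a second rule for initrc_tmp_t fifo_files before closing the bug on the strength of this backport. It would also help traceability to record the upstream commit id 4d471274fc9696898a0618cc7262dfc70fd73269 and the BZ(1750428) reference in the backport changelog, since the `optional_policy` block itself carries no comment.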
unless there was an issue with functionality; off the logs, I cannot confirm any.
I would not call it a regression in selinux-policy though.
@Zdenek: I set the flag as it didn't happen in RHEL 8.3 until last week. It's not a major bug, of course. Thanks! Found by one of our automated TCs:
----
type=PROCTITLE msg=audit(06/29/2020 10:37:55.675:4250) : proctitle=NetworkManager --version
type=PATH msg=audit(06/29/2020 10:37:55.675:4250) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=10103 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/29/2020 10:37:55.675:4250) : item=0 name=/usr/sbin/NetworkManager inode=461437 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:NetworkManager_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/29/2020 10:37:55.675:4250) : cwd=/
type=EXECVE msg=audit(06/29/2020 10:37:55.675:4250) : argc=2 a0=NetworkManager a1=--version
type=SYSCALL msg=audit(06/29/2020 10:37:55.675:4250) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x563f03f55750 a1=0x563f0404c540 a2=0x563f04179b00 a3=0x8 items=2 ppid=253936 pid=255324 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(06/29/2020 10:37:55.675:4250) : avc: denied { write } for pid=255324 comm=NetworkManager path=/var/tmp/dracut.KP1ykH/systemd-cat dev="vda1" ino=20971841 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=fifo_file permissive=0
----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1639
Description of problem:

Within the last 7 days, RHEL 8.3 got a regression. During our kdump test, it rebuilds the initrd for enabling kdump:

----
dracut[15203]: Executing: /usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg earlykdump" --add ssh-client --sshkey /root/.ssh/id_rsa --no-hostonly-default-device -f /boot/initramfs-5.3.0-0.rc6.git0.1.fc31.x86_64kdump.img 5.3.0-0.rc6.git0.1.fc31.x86_64
----

which yields an SELinux denial:

----
audit: type=1400 audit(*): avc: denied { write } for pid=* comm="NetworkManager" path="/var/tmp/dracut.*/systemd-cat" dev="dm-0" ino=* scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
----

This was already reported and fixed in Fedora 31 half a year ago in bug 1750428, but now it crept into RHEL 8.3.

Full journal: https://logs.cockpit-project.org/logs/pull-920-20200602-083214-f21c0be3-rhel-8-3-cockpit-project-cockpit/TestKdump-testBasic-rhel-8-3-127.0.0.2-2501-FAIL.log.gz

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-44.el8.noarch
dracut-049-85.git20200527.el8.x86_64

How reproducible: Always
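As an added example, not part of this bug report or of the selinux-policy project: a small Python triage script that parses AVC denial records in both forms quoted on this page (the raw kernel form in the description and the `ausearch -i` interpreted form in the audit log comment), reduces each to a (source type, target type, class, permission) key, and checks the key against the one dontaudit rule the backported commit adds. The two sample records are constructed from the denials quoted here with made-up pids, inode numbers and dracut directory names. The assumption that `kdump_dontaudit_inherited_kdumpctl_tmp_pipes()` silences exactly NetworkManager_t write access to kdumpctl_tmp_t fifo_files is inferred from the interface name and is not checked against the policy source. Run on the samples, the script shows what a reviewer of this bug should notice: the description's denial is against kdumpctl_tmp_t, but the later audit record is against initrc_tmp_t, which the backported rule does not name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records, modelled on the two denials quoted in this bug:
# the first in `ausearch -i` (interpreted) form, the second in raw kernel form.
# pid, ino and the dracut directory suffix are made up.
SAMPLE_AVC_LINES: List[str] = [
    'type=AVC msg=audit(06/29/2020 10:37:55.675:4250) : avc: denied { write } for '
    'pid=255324 comm=NetworkManager path=/var/tmp/dracut.KP1ykH/systemd-cat dev="vda1" '
    'ino=20971841 scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=fifo_file permissive=0',
    'audit: type=1400 audit(1591086734.123:4251): avc: denied { write } for pid=15210 '
    'comm="NetworkManager" path="/var/tmp/dracut.AbCdEf/systemd-cat" dev="dm-0" ino=4711 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0',
]

DenialKey = Tuple[str, str, str, str]  # (source type, target type, tclass, permission)

# Assumption (inferred from the interface name, not checked against the policy
# source): the backported kdump_dontaudit_inherited_kdumpctl_tmp_pipes() silences
# write denials by the caller on kdumpctl_tmp_t fifo_files, and nothing else.
KNOWN_DONTAUDIT: Dict[DenialKey, str] = {
    ("NetworkManager_t", "kdumpctl_tmp_t", "fifo_file", "write"):
        "kdump_dontaudit_inherited_kdumpctl_tmp_pipes(NetworkManager_t)",
}


@dataclass(frozen=True)
class AvcDenial:
    perms: frozenset
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]  # user:role:type:level -> type

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
# key=value pairs; the value is either "double quoted" (raw kernel form) or a
# bare token (ausearch -i form). Group 2 holds the value exactly as written.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC denial record; return None for any other audit record."""
    m = _PERMS.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, raw in _FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return AvcDenial(
        perms=frozenset(m.group(1).split()),
        comm=fields.get("comm", ""),
        path=fields.get("path"),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def triage(lines: List[str]) -> Dict[DenialKey, Optional[str]]:
    """Map each distinct denial to the known rule that silences it, or None."""
    result: Dict[DenialKey, Optional[str]] = {}
    for line in lines:
        denial = parse_avc(line)
        if denial is None:
            continue
        for perm in sorted(denial.perms):
            key = (denial.source_type, denial.target_type, denial.tclass, perm)
            result[key] = KNOWN_DONTAUDIT.get(key)
    return result


def suggest_dontaudit(denial: AvcDenial) -> str:
    """Candidate policy statement for a denial no known rule covers.

    Only appropriate when the denied access causes no functional problem (the
    question raised in this bug); otherwise an allow rule or a relabel is needed."""
    perms = " ".join(sorted(denial.perms))
    if len(denial.perms) > 1:
        perms = "{ " + perms + " }"
    return f"dontaudit {denial.source_type} {denial.target_type}:{denial.tclass} {perms};"


if __name__ == "__main__":
    for key, rule in triage(SAMPLE_AVC_LINES).items():
        print(key, "->", rule or "NOT COVERED")
    for line in SAMPLE_AVC_LINES:
        d = parse_avc(line)
        if d and KNOWN_DONTAUDIT.get((d.source_type, d.target_type, d.tclass, "write")) is None:
            print("candidate:", suggest_dontaudit(d))
```

Feeding the script the output of `ausearch -m AVC -i` from a host that ran the kdump initrd rebuild gives the full set of (source, target, class, permission) keys; any key reported as NOT COVERED after the backport is either a second rule to add or, if NetworkManager's behaviour is actually affected, a case that needs an allow rule rather than a dontaudit.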