Description of problem:

I first saw irqbalance denied nnp_transition shortly after systemd started irqbalance.service while booting the Fedora Rawhide KDE Plasma spin live image Fedora-KDE-Live-x86_64-Rawhide-20200616.n.0.iso from https://koji.fedoraproject.org/koji/buildinfo?buildID=1524265 This denial happened on two boots of that image. The same denial happened while booting Fedora-KDE-Live-x86_64-Rawhide-20200616.n.1.iso from https://koji.fedoraproject.org/koji/buildinfo?buildID=1524380

Jun 18 05:40:05 systemd[1]: Started irqbalance daemon.
Jun 18 05:40:05 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 18 05:40:05 systemd[1]: Starting LSB: Init script for live image....
Jun 18 05:40:05 systemd[1]: Condition check resulted in Machine Check Exception Logging Daemon being skipped.
Jun 18 05:40:05 systemd[1]: Condition check resulted in Software RAID monitoring and management being skipped.
Jun 18 05:40:05 systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
Jun 18 05:40:05 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 18 05:40:05 audit[1156]: AVC avc: denied { nnp_transition } for pid=1156 comm="(qbalance)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=process2 permissive=0
Jun 18 05:40:05 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:irqbalance_t:s0

I ran sudo systemctl restart irqbalance. The same denial was shown. irqbalance-1.6.0-2.fc33.x86_64 is the version in use.
The irqbalance-1.6.0 update might be involved in this denial https://koji.fedoraproject.org/koji/buildinfo?buildID=1521026

SELinux is preventing (qbalance) from using the 'nnp_transition' accesses on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (qbalance) should be allowed nnp_transition access on processes labeled irqbalance_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(qbalance)' --raw | audit2allow -M my-qbalance
# semodule -X 300 -i my-qbalance.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:irqbalance_t:s0
Target Objects                Unknown [ process2 ]
Source                        (qbalance)
Source Path                   (qbalance)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-15.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-15.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.0-0.rc1.20200616gita5dc8300df75.1.fc33.x86_64 #1 SMP Tue Jun 16 16:43:24 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-06-18 12:43:49 EDT
Last Seen                     2020-06-18 12:43:49 EDT
Local ID                      03b81958-d609-46ac-a75f-3accdc217761

Raw Audit Messages
type=AVC msg=audit(1592498629.783:488): avc: denied { nnp_transition } for pid=12846 comm="(qbalance)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=process2 permissive=0

Hash: (qbalance),init_t,irqbalance_t,process2,nnp_transition

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-15.fc33.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.13.1
hashmarkername: setroubleshoot
kernel: 5.8.0-0.rc1.20200616gita5dc8300df75.1.fc33.x86_64
type: libreport
This denial might've happened because NoNewPrivileges=yes was added to irqbalance.service in irqbalance-1.6.0-2.fc33. https://src.fedoraproject.org/rpms/irqbalance/c/730501427e46650f66809909d2ee8136b6a65604?branch=master
The following SELinux denial was triggered by our automated TC:

----
type=PROCTITLE msg=audit(06/19/2020 01:32:10.458:320) : proctitle=/usr/sbin/irqbalance --foreground --policyscript=/bin/irq_policy.sh
type=PATH msg=audit(06/19/2020 01:32:10.458:320) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=144047 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/19/2020 01:32:10.458:320) : item=0 name=/usr/sbin/irqbalance inode=138893 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:irqbalance_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/19/2020 01:32:10.458:320) : cwd=/
type=EXECVE msg=audit(06/19/2020 01:32:10.458:320) : argc=3 a0=/usr/sbin/irqbalance a1=--foreground a2=--policyscript=/bin/irq_policy.sh
type=SYSCALL msg=audit(06/19/2020 01:32:10.458:320) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x556622228040 a1=0x55662224af80 a2=0x556622249480 a3=0x7ffc7e6dd5d0 items=2 ppid=1 pid=5073 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=irqbalance exe=/usr/sbin/irqbalance subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(06/19/2020 01:32:10.458:320) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:irqbalance_t:s0
type=AVC msg=audit(06/19/2020 01:32:10.458:320) : avc: denied { nnp_transition } for pid=5073 comm=(qbalance) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=process2 permissive=0
----

# rpm -qa irq\* selinux\* | sort
irqbalance-1.6.0-2.fc33.x86_64
selinux-policy-3.14.6-15.fc33.noarch
selinux-policy-devel-3.14.6-15.fc33.noarch
selinux-policy-targeted-3.14.6-15.fc33.noarch
#
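
Added example (not part of the bug report or of the Fedora policy fix): a triage script that reads raw audit records, as `ausearch --raw` prints them, finds `nnp_transition` denials, and checks whether the same audit event also carries the `SELINUX_ERR op=security_bounded_transition` record seen in the logs above. The function names `se_type` and `nnp_denials` are this example's own, and the `SELINUX_ERR` and second `AVC` sample lines are constructed.

```python
import re
from collections import defaultdict

# Sample input: the first AVC line is the raw audit message quoted in the
# report; the SELINUX_ERR line (raw form, same event) and the unrelated
# second AVC line are constructed for this example.
SAMPLE = """\
type=AVC msg=audit(1592498629.783:488): avc:  denied  { nnp_transition } for  pid=12846 comm="(qbalance)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1592498629.783:488): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:irqbalance_t:s0
type=AVC msg=audit(1592498700.101:501): avc:  denied  { read } for  pid=900 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def se_type(context):
    """Type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def nnp_denials(text):
    """Return one finding per AVC record that denied nnp_transition."""
    events = defaultdict(list)  # event serial -> [(record type, body)]
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
    findings = []
    for serial, records in events.items():
        # SELINUX_ERR in the same event: the fallback check (new domain
        # bounded by the old one) was also denied under no_new_privs.
        bounded_failed = any(
            t == "SELINUX_ERR" and "op=security_bounded_transition" in b
            for t, b in records)
        for rtype, body in records:
            m = AVC.search(body) if rtype == "AVC" else None
            if not m or "nnp_transition" not in m.group(1).split():
                continue
            src, tgt = se_type(m.group(2)), se_type(m.group(3))
            findings.append({
                "serial": serial, "source": src, "target": tgt,
                "bounded_check_failed": bounded_failed,
                # Literal rule implied by the denial (audit2allow style);
                # not necessarily the change made in the policy fix.
                "rule": f"allow {src} {tgt}:{m.group(4)} nnp_transition;",
            })
    return findings

if __name__ == "__main__":
    for finding in nnp_denials(SAMPLE):
        print(finding)
```

A finding whose source is `init_t` points at a unit that systemd starts with NoNewPrivileges set while the policy does not yet allow the transition into the service's domain.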
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/280
Backported to F32.
*** Bug 1853776 has been marked as a duplicate of this bug. ***
FEDORA-2020-876f7af8d8 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-876f7af8d8
FEDORA-2020-876f7af8d8 has been pushed to the Fedora 32 testing repository.

In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-876f7af8d8`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-876f7af8d8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-876f7af8d8 has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.