Bug 1850540 - [RHEL8/Bug] SELinux violation iptables to plymouth
Summary: [RHEL8/Bug] SELinux violation iptables to plymouth
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: Unspecified
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1122832
Reported: 2020-06-24 13:18 UTC by Oliver Falk
Modified: 2022-01-05 13:43 UTC
CC: 6 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-12 15:46:13 UTC
Type: Bug
Target Upstream Version:



Description Oliver Falk 2020-06-24 13:18:55 UTC
Description of problem:
We see an SELinux issue in a customer environment during boot, with iptables-services enabled:

    # audit2allow -a

    #============= iptables_t ==============
    allow iptables_t plymouthd_t:unix_stream_socket connectto;


Version-Release number of selected component (if applicable): -


How reproducible: Unknown


Steps to Reproduce:
According to the customer report, this is happening on all their RHEL 8.2 with iptables-services installed, but so far, I wasn't able to reproduce it on one of my RHEL 8 boxes.

Actual results: SELinux hit


Expected results: No deny seen.


Additional info:
Customer case linked.

Comment 1 Zdenek Pytela 2020-06-24 13:38:32 UTC
Oliver,

We need more information to be able to assess this issue. Please gather audited AVC denials:

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot

The reproducing steps would also be helpful when available, or a list of related changes made to the default state of the system.

Comment 2 Oliver Falk 2020-06-24 14:11:31 UTC
Hey Zdenek!

I tried to find a reproducer but failed until now.
I'll ask the CU to provide me with the data from your mentioned ausearch!

I'm going to get back to you, once I have the information!

Thanks,
 Oliver

Comment 5 Oliver Falk 2020-06-25 11:41:50 UTC
Thanks Peter for directly providing the additional information here on this BZ - I've put them now "private", since this BZ is open.

@Zdenek, can you work with this additional information?

Oliver

Comment 6 Zdenek Pytela 2020-06-25 13:51:15 UTC
Hi all,

Thanks for sharing the details. It needs to be figured out why plymouth runs in the iptables_t domain.

  # sesearch -A -s iptables_t -t plymouthd_t -c unix_stream_socket -p connectto
<>
  # sesearch -A -s plymouth_t -t plymouthd_t -c unix_stream_socket -p connectto
allow plymouth_t plymouthd_t:unix_stream_socket connectto;

I was unable to reproduce it with just installing and enabling iptables-services, so I wonder what else is required to trigger these denials.
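
Added here as an editor's example, not part of the bug report or of selinux-policy: a small POSIX shell triage script that covers the two requests in this thread, Comment 1's collection of audited AVC denials and Comment 6's question of which process running as iptables_t contacts plymouthd. It reduces raw audit records (as printed by ausearch or read from /var/log/audit/audit.log) to audit2allow-style rules and pairs each source domain with the comm= of the denied process. The sample records, including their PIDs, comm values and timestamps, are constructed for the example; only the domains and object class come from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise raw audit AVC records
# into audit2allow-style rules and list which executables triggered them.
# Input: audit records on stdin, e.g. from `ausearch -m avc -ts boot` or
# /var/log/audit/audit.log. All sample data below is constructed.

# Turn each "avc: denied" record into "allow <src_t> <tgt_t>:<class> <perms>;",
# de-duplicated, so repeated denials across PIDs collapse to one rule.
# Context fields are user:role:type[:level]; the type is the third field.
avc_rules() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *}.*scontext=[^: ]*:[^: ]*:\([^: ]*\).*tcontext=[^: ]*:[^: ]*:\([^: ]*\).*tclass=\([^ ]*\).*/allow \2 \3:\4 \1;/p' | sort -u
}

# For triage of "why does this process run in that domain": pair each source
# domain with the comm= (executable name) of the process that was denied.
avc_comms() {
    sed -n 's/.*avc: *denied.*comm="\([^"]*\)".*scontext=[^: ]*:[^: ]*:\([^: ]*\).*/\2 \1/p' | sort -u
}

# Constructed sample: two denials from different PIDs plus an unrelated SYSCALL
# record; the domains and class match the audit2allow output in the report.
SAMPLE_AVC_LOG='type=AVC msg=audit(1592999999.123:456): avc:  denied  { connectto } for  pid=1234 comm="iptables" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1592999999.123:456): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1592999999.456:789): avc:  denied  { connectto } for  pid=1250 comm="iptables" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=0'

# Usage on a live system: ausearch -m avc -ts boot | avc_rules
printf '%s\n' "$SAMPLE_AVC_LOG" | avc_rules
printf '%s\n' "$SAMPLE_AVC_LOG" | avc_comms
```

On the constructed input the first pipeline prints the single rule shown in the report's audit2allow output, and the second prints `iptables_t iptables`; on a real system the comm column is what tells you which binary in the source domain made the connect, which is the question Comment 6 leaves open. Any rule the script prints should be checked against the loaded policy with sesearch, as in Comment 6, before deciding whether it is a policy gap or a mislabelled process.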

Comment 18 Zdenek Pytela 2021-01-12 15:46:13 UTC
Closing per feedback; the issue is no longer valid.
