After a default install and boot of Fedora-Rawhide-20200703.n.0, we find multiple AVCs in the system logs, like this:

===
time->Fri Jul 3 10:36:57 2020
type=AVC msg=audit(1593787017.794:187): avc: denied { getattr } for pid=855 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:36:59 2020
type=AVC msg=audit(1593787019.577:189): avc: denied { getattr } for pid=856 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:36:59 2020
type=AVC msg=audit(1593787019.683:192): avc: denied { getattr } for pid=858 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:37:15 2020
type=AVC msg=audit(1593787035.507:218): avc: denied { getattr } for pid=922 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:37:17 2020
type=AVC msg=audit(1593787037.265:219): avc: denied { getattr } for pid=923 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:37:17 2020
type=AVC msg=audit(1593787037.371:222): avc: denied { getattr } for pid=925 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:37:40 2020
type=AVC msg=audit(1593787060.627:247): avc: denied { getattr } for pid=986 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:37:42 2020
type=AVC msg=audit(1593787062.304:248): avc: denied { getattr } for pid=987 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 3 10:37:42 2020
type=AVC msg=audit(1593787062.410:251): avc: denied { getattr } for pid=989 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
===

This is new in Fedora-Rawhide-20200703.n.0; these denials were not present in Fedora-Rawhide-20200702.n.0 and earlier. They don't seem to break anything else obvious - openQA tests pass otherwise. The new compose doesn't seem to include the recent selinux-policy -17 build, so that's not the cause. It does have several other potentially significant changes - there's a new dbus, a new glibc, and a new pam, any of those could I guess be relevant.
*** Bug 1855413 has been marked as a duplicate of this bug. ***
*** Bug 1858738 has been marked as a duplicate of this bug. ***
*** Bug 1855731 has been marked as a duplicate of this bug. ***
# useradd tested-user
# passwd tested-user
Changing password for user tested-user.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
#

The above-mentioned scenario triggers the following SELinux denials:

----
type=PROCTITLE msg=audit(07/28/2020 08:40:12.410:360) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:40:12.410:360) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffec766d1e0 a2=0x8041 a3=0x2 items=0 ppid=1097 pid=1098 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:40:12.410:360) : avc: denied { getattr } for pid=1098 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(07/28/2020 08:40:12.526:361) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:40:12.526:361) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffec766d1e0 a2=0x8041 a3=0x8 items=0 ppid=1097 pid=1099 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:40:12.526:361) : avc: denied { getattr } for pid=1099 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(07/28/2020 08:40:21.096:362) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:40:21.096:362) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffec766d1e0 a2=0x8041 a3=0x8 items=0 ppid=1097 pid=1100 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:40:21.096:362) : avc: denied { getattr } for pid=1100 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
The only SELinux denial that appears in permissive mode is:

----
type=PROCTITLE msg=audit(07/28/2020 08:47:16.767:380) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:47:16.767:380) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x9 a1=0x7ffd2fd4c810 a2=0x8041 a3=0x2 items=0 ppid=1130 pid=1131 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:47:16.767:380) : avc: denied { getattr } for pid=1131 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
Backtracing the syscall: passwd calls /usr/sbin/unix_chkpwd three times, and each time there is this sequence caught by strace:

3089 openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 9</proc/3089/fd>
3089 fstat(9</proc/3089/fd>, {st_dev=makedev(0, 0x17), st_ino=32847, st_mode=S_IFDIR|0500, st_nlink=2, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=0, st_size=0, st_atime=1596052185 /* 2020-07-29T15:49:45.322404691-0400 */, st_atime_nsec=322404691, st_mtime=1596052185 /* 2020-07-29T15:49:45.322404691-0400 */, st_mtime_nsec=322404691, st_ctime=1596052185 /* 2020-07-29T15:49:45.322404691-0400 */, st_ctime_nsec=322404691}) = 0
3089 fstatfs(9</proc/3089/fd>, 0x7fff071f1550) = -1 EACCES (Permission denied)
3089 close(9</proc/3089/fd>) = 0

Seems to match this code in linux-pam/libpam/pam_modutil_sanitize.c:

/* Closes all descriptors after stderr. */
static void
close_fds(void)
...
	/* If /proc is mounted, we can optimize which fd can be closed. */
	if ((dir = opendir("/proc/self/fd")) != NULL) {
		if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) {
			while ((dent = readdir(dir)) != NULL) {
				fd = atoi(dent->d_name);
				if (fd > STDERR_FILENO && fd != dfd)
					close(fd);
			}
		} else {
			dfd = -1;
		}
		closedir(dir);
	}

/* Check if path is in a procfs. */
static int
is_in_procfs(int fd)
{
#if defined HAVE_SYS_VFS_H && defined PROC_SUPER_MAGIC
	struct statfs stfs;

	if (fstatfs(fd, &stfs) == 0) {
		if (stfs.f_type == PROC_SUPER_MAGIC)
			return 1;
	} else {
		return 0;
	}
#endif /* HAVE_SYS_VFS_H && PROC_SUPER_MAGIC */

So I think it does no harm to ignore it (certainly apart from ~200000 close syscalls), but it is worth allowing in selinux-policy.
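To triage a run of these records without reading each one, here is an added example (mine, not from this bug thread or from the selinux-policy project) that parses AVC lines in both formats quoted above, the raw audit.log form from the first comment and the ausearch -i form from the passwd reproducer, and collapses them into unique source-type/target-type/class/permission tuples with enforced and permissive counts, the way audit2allow does. The sample records are constructed; the per-domain rules it prints are for review only, since the merged fix granted the permission to the login_pgm attribute rather than to individual domains.

```python
import re

# Constructed sample (not the bug's logs verbatim): AVC records in both formats
# seen in this report, one of them permissive=1, plus a SYSCALL line to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1593787017.794:187): avc: denied { getattr } for pid=855 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1593787019.577:189): avc: denied { getattr } for pid=856 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(07/28/2020 08:40:12.410:360) : avc: denied { getattr } for pid=1098 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(07/28/2020 08:47:16.767:380) : avc: denied { getattr } for pid=1131 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=SYSCALL msg=audit(07/28/2020 08:40:12.410:360) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) comm=passwd
"""

# comm is quoted in raw audit.log output and bare in ausearch -i output.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"\bcomm=\"?(?P<comm>[^\s\"]+)\"?.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def parse_avc(line):
    """Fields of one AVC record; None for any other record type (SYSCALL, PROCTITLE, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m.group("comm"),
        "stype": m.group("scontext").split(":")[2],   # user:role:TYPE:range
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": tuple(sorted(m.group("perms").split())),
        "permissive": m.group("permissive") == "1",
    }

def summarize(text):
    """Collapse records into (source type, target type, class, perms) tuples,
    counting enforced denials separately from permissive-mode would-be denials."""
    counts = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        entry = counts.setdefault(key, {"enforced": 0, "permissive": 0})
        entry["permissive" if rec["permissive"] else "enforced"] += 1
    return counts

def te_rules(counts):
    """Per-domain allow rules as audit2allow would print them, for policy review."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(p)) for s, t, c, p in counts)
```

On a live system the same functions can be fed the output of `ausearch -m AVC -i`, which produces the second of the two formats.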
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.
PR: https://github.com/fedora-selinux/selinux-policy/pull/411
commit b6a11abf50ad2b7e08b36b26b0a44fad86eada72 (HEAD -> rawhide, origin/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Wed Aug 19 13:59:30 2020 +0200

    Allow login_pgm attribute to get attributes in proc_t

    Allow the login_pgm attribute, which contains domains like local_login_t and cockpit_session_t, to get attributes on the /proc filesystem.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1853730
*** Bug 1871351 has been marked as a duplicate of this bug. ***
*** Bug 1871183 has been marked as a duplicate of this bug. ***
FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command:

`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Proposing this as an FE for F33 Beta as it'd be nice to avoid these denials on live boots and in openQA tests. Fix definitely works as we have way fewer softfails in Rawhide tests caused by these denials now, F33 still has a lot.
We have +3 FE in the ticket - https://pagure.io/fedora-qa/blocker-review/issue/55 - setting Accepted.
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.