Description of problem:
During CKI test on upstream kernel (kernel 5.11.0) we hit some avc denied:

----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc: denied { read } for pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc: denied { open } for pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc: denied { getattr } for pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc: denied { getattr } for pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc: denied { search } for pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:174): avc: denied { read } for pid=10407 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:175): avc: denied { open } for pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:176): avc: denied { getattr } for pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.8-3.fc35.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Fedora Rawhide on beaker server, update kernel to kernel 5.11.0
   kernel can be found at https://xci32.lab.eng.rdu2.redhat.com/cki-project/cki-pipeline/-/jobs/1110936/artifacts/raw/artifacts/kernel-mainline.kernel.org-clang-x86_64-f6e1e1d1e149802ed4062fa514c2d184d30aacdf.tar.gz
2. after kernel is installed and server boots on new kernel avc denied are found

Actual results:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

selinux-policy-3.14.8-3.fc35.noarch

----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc: denied { read } for pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc: denied { open } for pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc: denied { getattr } for pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc: denied { getattr } for pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc: denied { search } for pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:174): avc: denied { read } for pid=10407 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:175): avc: denied { open } for pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:176): avc: denied { getattr } for pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
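The eight AVC records in the report collapse to three missing permissions once they are grouped by source type, target type and object class, which is the step audit2allow performs when it turns audit output into allow rules. The following Python script is an added example, not part of the bug report or of the selinux-policy project: it parses the AVC records quoted above (five of them embedded as sample input), groups them, and renders the result as raw allow rules. Fedora's policy is written with refpolicy-style interface macros rather than raw rules, so output like this is for reading during triage, not for loading as a module. The script also counts records with permissive=0, because permissive=1 (as in every record here) means the kernel logged the denial but let the access through; on an enforcing host the same denials would have broken systemd-hostnamed and sssd.

```python
import re
from collections import defaultdict

# Sample input: five of the AVC records quoted in the bug report, laid out
# the way ausearch prints them ("----" and "time->" separator lines included).
SAMPLE_AUDIT_LOG = """\
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc: denied { read } for pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc: denied { open } for pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc: denied { getattr } for pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc: denied { getattr } for pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc: denied { search } for pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
"""

# One AVC record. Real ausearch output has double spaces around "denied" and
# after "for"; \s+ accepts both that and the single-spaced copy above.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Return the type field of a user:role:type:range security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: the kernel logged the denial but let the access through
        "permissive": m.group("permissive") == "1",
    }


def collect_rules(log_text):
    """Group denials by (source type, target type, class), merging permissions.

    Returns (rules, enforced_count): rules maps each triple to the set of
    denied permissions; enforced_count is how many records were actually
    blocked (permissive=0), which is what matters on an enforcing host.
    """
    rules = defaultdict(set)
    enforced = 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # "----", "time->", or a non-AVC record
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
        if not rec["permissive"]:
            enforced += 1
    return dict(rules), enforced


def to_allow_rules(rules):
    """Render grouped denials as raw SELinux allow rules, audit2allow style."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return lines


if __name__ == "__main__":
    grouped, blocked = collect_rules(SAMPLE_AUDIT_LOG)
    print("\n".join(to_allow_rules(grouped)))
    print(f"# records actually blocked (permissive=0): {blocked}")
```

Run against the sample, the script prints one rule for systemd_hostnamed_t reading udev_var_run_t files and two for sssd_t on cgroup_t (filesystem getattr, dir search), which is exactly the pair of policy changes the duplicate bug's commits describe. Keying on the type field alone drops the user, role and MLS range, which is the right granularity for a targeted-policy fix but would hide range differences on an MLS system.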
Already resolved:

commit 78ee0168301f21272a4ddc6f30d2a44f7a0c47fd
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 23 17:40:01 2021 +0100

    Allow sssd get cgroup filesystems attributes and search cgroup dirs

    Resolves: rhbz#1931954

commit b65f4fd6426b7abb3fa9d73a1e7b8c12092696c6
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 23 17:51:37 2021 +0100

    Allow systemd-hostnamed read udev runtime data

    Required since systemd-248-rc1:
    systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel"
    D-Bus properties, which are supposed to contain a pair of cleaned up,
    human readable strings describing the system's vendor and model. It's
    typically sourced from the firmware's DMI tables, but may be augmented
    from a new hwdb database. hostnamectl shows this in the status output.
    https://github.com/systemd/systemd/blob/v248-rc1/NEWS

    Resolves: rhbz#1931959

*** This bug has been marked as a duplicate of bug 1931959 ***