Bug 1932436 - avc denied related to sssd and systemd-hostnam
Summary: avc denied related to sssd and systemd-hostnam
Keywords:
Status: CLOSED DUPLICATE of bug 1931959
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-02-24 15:32 UTC by Bruno Goncalves
Modified: 2021-02-24 20:31 UTC (History)

Fixed In Version: selinux-policy-3.14.7-17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 20:31:49 UTC
Type: Bug
Embargoed:



Description Bruno Goncalves 2021-02-24 15:32:32 UTC
Description of problem:
During a CKI test on the upstream kernel (kernel 5.11.0) we hit some AVC denials:


----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc:  denied  { read } for  pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc:  denied  { open } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc:  denied  { getattr } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc:  denied  { getattr } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc:  denied  { search } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:174): avc:  denied  { read } for  pid=10407 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:175): avc:  denied  { open } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:176): avc:  denied  { getattr } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.8-3.fc35.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Fedora Rawhide on beaker server, update kernel to kernel 5.11.0

kernel can be found at https://xci32.lab.eng.rdu2.redhat.com/cki-project/cki-pipeline/-/jobs/1110936/artifacts/raw/artifacts/kernel-mainline.kernel.org-clang-x86_64-f6e1e1d1e149802ed4062fa514c2d184d30aacdf.tar.gz

2. After the kernel is installed and the server boots on the new kernel, AVC denials are found

Actual results:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.8-3.fc35.noarch
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc:  denied  { read } for  pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc:  denied  { open } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc:  denied  { getattr } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc:  denied  { getattr } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc:  denied  { search } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:174): avc:  denied  { read } for  pid=10407 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:175): avc:  denied  { open } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:176): avc:  denied  { getattr } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
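The records above are raw audit lines as ausearch prints them. The following is an added example (not part of the bug report, and not Fedora's or the selinux-policy project's tooling) that parses such records, groups the denied permissions by source type, target type and object class, and prints the allow rule each group would need, which is the same triage step a policy maintainer does before writing a fix like the commits referenced in this bug. The sample audit text is constructed from the records in this report; the `permissive` flag is read because a value of `1` means the access was logged but still allowed, so in enforcing mode these operations would fail.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ausearch output in the bug report:
# the "----" separators and "time->" headers are kept to show they are skipped.
SAMPLE_AUDIT = """\
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc:  denied  { read } for  pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc:  denied  { open } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc:  denied  { getattr } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc:  denied  { getattr } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc:  denied  { search } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
"""

# Fixed prefix of an AVC record: timestamp, serial, result, permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def parse_audit(text):
    """Parse every AVC record in an ausearch-style dump, skipping separators."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def context_type(ctx):
    """user:role:type:level -> type (the field SELinux rules are written against)."""
    return ctx.split(":")[2]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        groups[key].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(summary):
    """Render each group as the allow rule that would cover it (for review, not blind use)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


def only_logged_in_permissive(records):
    """True if every denial carries permissive=1, i.e. nothing actually failed yet."""
    return all(r.get("permissive") == "1" for r in records)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in allow_rules(summarize(recs)):
        print(rule)
    print("all denials were permissive-mode only:", only_logged_in_permissive(recs))
```

Run against the sample, this collapses the eight per-permission records into two candidate rules for systemd_hostnamed_t on udev_var_run_t files and sssd_t on the cgroup filesystem and directory. A generated rule is a starting point for the maintainer, not a fix: the proper policy change may instead be an existing interface or a more specific type, which is why the commits cited below are narrower than a bare allow.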

Comment 2 Zdenek Pytela 2021-02-24 20:31:49 UTC
Already resolved:
commit 78ee0168301f21272a4ddc6f30d2a44f7a0c47fd
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 23 17:40:01 2021 +0100

    Allow sssd get cgroup filesystems attributes and search cgroup dirs

    Resolves: rhbz#1931954

commit b65f4fd6426b7abb3fa9d73a1e7b8c12092696c6
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 23 17:51:37 2021 +0100

    Allow systemd-hostnamed read udev runtime data

    Required since systemd-248-rc1:
    systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel"
    D-Bus properties, which are supposed to contain a pair of cleaned up,
    human readable strings describing the system's vendor and model. It's
    typically sourced from the firmware's DMI tables, but may be augmented
    from a new hwdb database. hostnamectl shows this in the status output.

    https://github.com/systemd/systemd/blob/v248-rc1/NEWS

    Resolves: rhbz#1931959

*** This bug has been marked as a duplicate of bug 1931959 ***

