Bug 1940289
| Summary: | fapolicyd abnormally exits by executing sosreport | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Masahiro Matsuya <mmatsuya> | |
| Component: | fapolicyd | Assignee: | Radovan Sroka <rsroka> | |
| Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> | |
| Severity: | high | Docs Contact: | Khushbu Borole <kborole> | |
| Priority: | high | |||
| Version: | 8.3 | CC: | alakatos, daniel.j.arevalo.ctr, dapospis, jafiala, lvrabec, pvlasin, rsroka | |
| Target Milestone: | rc | Keywords: | Regression, Triaged | |
| Target Release: | --- | Flags: | kborole:
needinfo-
pm-rhel: mirror+ |
|
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | fapolicyd-1.0.2-6.el8 | Doc Type: | Bug Fix | |
| Doc Text: |
.The `fapolicyd-selinux` SELinux policy now covers all file types
Previously, the `fapolicyd-selinux` SELinux policy did not cover all file types. Consequently, the `fapolicyd` service could not access files located on non-monitored locations such as `sysfs`. With this update, the `fapolicyd` service covers and analyzes all file system types.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1943251 (view as bug list) | Environment: | ||
| Last Closed: | 2021-05-18 16:22:41 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1943251 | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (fapolicyd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:1952 |
Description of problem: The fapolicyd daemon exited abnormally just by running sosreport. Mar 16 18:13:40 kvm-122-215 fapolicyd[39990]: Error reading (Permission denied) Mar 16 18:13:40 kvm-122-215 systemd[1]: fapolicyd.service: Main process exited, code=exited, status=1/FAILURE When this problem happened, the following selinux denials happened. type=AVC msg=audit(1615886020.341:144): avc: denied { read open } for pid=39990 comm="fapolicyd" path="/var/tmp/sos.ii7d63yf/sosreport-kvm-122-215-2021-03-16-vnyuqau/proc/sys/vm/compact_memory" dev="dm-0" ino=441165 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0 After I made a policy to allow this operation, I got another AVC for getattr. type=AVC msg=audit(1615886321.065:162): avc: denied { getattr } for pid=23985 comm="fapolicyd" path="/var/tmp/sos.p81ap0s1/sosreport-kvm-122-43-2021-03-16-namgmun/proc/sys/vm/compact_memory" dev="dm-0" ino=462577 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0 sosreport could not complete with the following error when the problem happened. Operation not permitted while finalizing archive /var/tmp/sos.c_qrg1u6/sosreport-xxxxxxxxxxxxxxxxxxxxxxxx Creating archive tarball failed. Traceback (most recent call last): File "/sbin/sosreport", line 19, in <module> main(sys.argv[1:]) File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1423, in main sos.execute() File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1403, in execute return self.final_work() File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1323, in final_work archivestat) UnboundLocalError: local variable 'archivestat' referenced before assignment From strace analysis, it failed to open /var/tmp/sos.xxxxxx/sosreport-xxxxxxxx/proc/sys/vm/compact_memory, which is related to the above SELinux denial. It seems that the access by sosreport was not allowed since the fapolicyd suddenly exited. When a policy to allow those access by fapolicyd was applied, fapolicyd didn't exit suddenly, and the sosreport could complete without any problem. Version-Release number of selected component (if applicable): Red Hat Enterprise Linux 8.3 How reproducible: Always Steps to Reproduce: 1. Start fapolicyd on RHEL8.3 2. Run sosreport -o system NOTE: -o system is to run the only needed plugin. The problem happens without "-o system", but it takes more time to reproduce it. 3. confirm that fapolicyd exits and selinux AVC in audit.log Actual results: fapolicyd exits abnormally. sosreport cannot complete while fapolicyd is running. Expected results: fapolicyd doesn't exit abnormally. sosreport can complete even while fapolicyd is running. Additional info: I will attach a selinux policy file (.pp) and .te file which I used for my test just for a reference.