Bug 1940289 - fapolicyd abnormally exits by executing sosreport
Summary: fapolicyd abnormally exits by executing sosreport
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fapolicyd
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Radovan Sroka
QA Contact: Dalibor Pospíšil
Docs Contact: Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks: 1943251
Reported: 2021-03-18 03:50 UTC by Masahiro Matsuya
Modified: 2021-05-18 16:23 UTC

Fixed In Version: fapolicyd-1.0.2-6.el8
Doc Type: Bug Fix
Doc Text:
.The `fapolicyd-selinux` SELinux policy now covers all file types

Previously, the `fapolicyd-selinux` SELinux policy did not cover all file types. Consequently, the `fapolicyd` service could not access files located on non-monitored locations such as `sysfs`. With this update, the `fapolicyd` service covers and analyzes all file system types.
Clone Of:
Clones: 1943251
Environment:
Last Closed: 2021-05-18 16:22:41 UTC
Type: Bug
Target Upstream Version:
Embargoed:
kborole: needinfo-



Description Masahiro Matsuya 2021-03-18 03:50:13 UTC
Description of problem:

The fapolicyd daemon exited abnormally just by running sosreport.

Mar 16 18:13:40 kvm-122-215 fapolicyd[39990]: Error reading (Permission denied)
Mar 16 18:13:40 kvm-122-215 systemd[1]: fapolicyd.service: Main process exited, code=exited, status=1/FAILURE

When this problem happened, the following SELinux denials occurred.


   type=AVC msg=audit(1615886020.341:144): avc:  denied  { read open } for  pid=39990 comm="fapolicyd" path="/var/tmp/sos.ii7d63yf/sosreport-kvm-122-215-2021-03-16-vnyuqau/proc/sys/vm/compact_memory" dev="dm-0" ino=441165 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0

After I made a policy to allow this operation, I got another AVC for getattr.

   type=AVC msg=audit(1615886321.065:162): avc:  denied  { getattr } for  pid=23985 comm="fapolicyd" path="/var/tmp/sos.p81ap0s1/sosreport-kvm-122-43-2021-03-16-namgmun/proc/sys/vm/compact_memory" dev="dm-0" ino=462577 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0


sosreport could not complete with the following error when the problem happened.


 Operation not permitted while finalizing archive /var/tmp/sos.c_qrg1u6/sosreport-xxxxxxxxxxxxxxxxxxxxxxxx

Creating archive tarball failed.
Traceback (most recent call last):
  File "/sbin/sosreport", line 19, in <module>
    main(sys.argv[1:])
  File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1423, in main
    sos.execute()
  File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1403, in execute
    return self.final_work()
  File "/usr/lib/python3.6/site-packages/sos/sosreport.py", line 1323, in final_work
    archivestat)
UnboundLocalError: local variable 'archivestat' referenced before assignment



From strace analysis, it failed to open /var/tmp/sos.xxxxxx/sosreport-xxxxxxxx/proc/sys/vm/compact_memory, which is related to the above SELinux denial. It seems that the access by sosreport was not allowed since fapolicyd suddenly exited.

When a policy to allow that access by fapolicyd was applied, fapolicyd didn't exit suddenly, and the sosreport could complete without any problem.


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8.3

How reproducible:
Always

Steps to Reproduce:
1. Start fapolicyd on RHEL8.3
2. Run sosreport -o system

 NOTE: -o system is to run only the needed plugin. The problem happens without "-o system", but it takes more time to reproduce it.

3. Confirm that fapolicyd exits and that an SELinux AVC is logged in audit.log

Actual results:
fapolicyd exits abnormally.
sosreport cannot complete while fapolicyd is running.

Expected results:
fapolicyd doesn't exit abnormally.
sosreport can complete even while fapolicyd is running.

Additional info:

I will attach an SELinux policy file (.pp) and .te file which I used for my test, just for reference.
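
Added example, not part of the original report or of the fapolicyd project: a small triage script that parses the two AVC records quoted above and groups the enforced denials for the `fapolicyd_t` domain by target type and object class, which shows the file type the policy did not cover. The function names `parse_avc` and `missing_access` are assumptions of this example.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report above, copied verbatim.
AUDIT_LINES = [
    'type=AVC msg=audit(1615886020.341:144): avc:  denied  { read open } for  pid=39990 comm="fapolicyd" path="/var/tmp/sos.ii7d63yf/sosreport-kvm-122-215-2021-03-16-vnyuqau/proc/sys/vm/compact_memory" dev="dm-0" ino=441165 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1615886321.065:162): avc:  denied  { getattr } for  pid=23985 comm="fapolicyd" path="/var/tmp/sos.p81ap0s1/sosreport-kvm-122-43-2021-03-16-namgmun/proc/sys/vm/compact_memory" dev="dm-0" ino=462577 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(':')[2]


def missing_access(lines, domain='fapolicyd_t'):
    """Group enforced denials for one source domain by (target type, class)."""
    gaps = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        # permissive=1 records were logged but not blocked, so skip them.
        if rec is None or rec.get('permissive') != '0':
            continue
        if selinux_type(rec['scontext']) != domain:
            continue
        gaps[(selinux_type(rec['tcontext']), rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in gaps.items()}


if __name__ == '__main__':
    for (ttype, tclass), perms in missing_access(AUDIT_LINES).items():
        print(f'fapolicyd_t -> {ttype}:{tclass} denied: {" ".join(perms)}')
```

On a live system the same functions can be fed the lines of /var/log/audit/audit.log instead of the embedded list.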

Comment 20 errata-xmlrpc 2021-05-18 16:22:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (fapolicyd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1952

