Bug 1945581 - Remove the SELinux lockdown class (was: Loading modules that create tracefs entries causes erroneous SELinux access checks)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: kernel
Version: 9.0
Hardware: ppc64le
OS: Linux
high
medium
Target Milestone: rc
Target Release: 9.0
Assignee: Ondrej Mosnacek
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1942267
Depends On:
Blocks: 1939095 1940843 1950267 1969985 2017848 2039050
 
Reported: 2021-04-01 10:39 UTC by Jan Kaluža
Modified: 2022-05-17 15:41 UTC (History)

Fixed In Version: kernel-5.14.0-11.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1950267 2017848
Environment:
Last Closed: 2022-05-17 15:38:02 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Gitlab redhat/centos-stream/src/kernel centos-stream-9 merge_requests 70 0 None None None 2021-10-18 14:39:29 UTC
Red Hat Product Errata RHBA-2022:3907 0 None None None 2022-05-17 15:38:28 UTC

Internal Links: 2041503

Description Jan Kaluža 2021-04-01 10:39:44 UTC
When booting using the mentioned kernel, the following AVCs appear:

type=AVC msg=audit(1617223787.476:141): avc:  denied  { confidentiality } for  pid=792 comm="modprobe" lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0

This blocks the RTT tests needed for 9.0.0-beta compose promotion to nightly compose.

Beaker job: https://beaker.engineering.redhat.com//recipes/9794454#task124163973

Note that the selinux-policy update done as part of https://bugzilla.redhat.com/show_bug.cgi?id=1937682 is so far in gating. Maybe it would fix this issue, but I'm not sure.

Comment 1 Jan Kaluža 2021-04-01 10:41:05 UTC
I'm going to untag kernel from rhel-9.0.0-beta-candidate and rhel-9.0.0-beta-pending to unblock composes given it is Thursday before long weekend in Europe.

Comment 2 Zdenek Pytela 2021-04-01 10:53:56 UTC
More data is needed to assess if it should be addressed in selinux-policy: full auditing enabled and a list of processes:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today


ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_service_t

Comment 3 Ondrej Mosnacek 2021-04-01 11:14:46 UTC
Seems to be caused by this commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bf8e602186ec402ed937b2cbd6c39a34c0029757

...which doesn't play well with SELinux's implementation of lockdown hooks, causing false positive denials when someone tries to load a module that creates some tracefs entries... Not sure yet how to fix it, but reassigning to myself for now.

Comment 4 Herton R. Krzesinski 2021-04-05 14:26:35 UTC
(In reply to Ondrej Mosnacek from comment #3)
> Seems to be caused by this commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=bf8e602186ec402ed937b2cbd6c39a34c0029757
> 
> ...which doesn't play well with SELinux's implementation of lockdown hooks,
> causing false positive denials when someone tries to load a module that
> creates some tracefs entries... Not sure yet how to fix it, but reassigning
> to myself for now.

If that's the case, I wonder why only now this became an issue. Because the
commit above is from 2019 and went into kernel 5.4:

$ git log v5.3..v5.4 | grep bf8e602186ec402ed937b2cbd6c39a34c0029757
commit bf8e602186ec402ed937b2cbd6c39a34c0029757

Comment 5 Herton R. Krzesinski 2021-04-07 22:09:24 UTC
So I was able to reproduce the issue with a p9z-* system I reserved on beaker.
From the investigation I now see why this appears only with the 5.12 kernel,
and it should reproduce only on ppc.

The problem happens when the hcn-init.service service starts on boot or if you
start it manually. It comes from the powerpc-utils-core package:

# rpm -qf /usr/lib/systemd/system/hcn-init.service
powerpc-utils-core-1.3.8-7.el9.ppc64le

One of the things the service above does is "modprobe bonding":

Apr 07 16:46:42 ... systemd[1]: Condition check resulted in Crash recovery kernel arming being skipped.
Apr 07 16:46:42 ... hcnmgr[761]: =======================04-07-2021 16:46:42============================
Apr 07 16:46:42 ... hcnmgr[761]: [DEBUG]:hcnmgr enter
Apr 07 16:46:42 ... hcnmgr[761]: [DEBUG]:HCNMGR: Bonding module not loaded, load module ...

Before, in the 5.11 kernel, the bonding module did not have any dependency.

But with 5.12, now the bonding module depends on the "tls" module. The tls module
seems to be the one which creates some tracefs entries involved in the issue.

The start of the service and its "modprobe bonding" causes the tls module to be loaded, and
that is what results in the AVC denials problem we see:

Apr 07 17:11:35 ... audit[763]: AVC avc:  denied  { confidentiality } for  pid=763 comm="modprobe" lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
Apr 07 17:11:35 ... audit[763]: SYSCALL arch=c0000015 syscall=128 success=yes exit=0 a0=7fffa4120010 a1=28010 a2=105507fd8 a3=1002e682 items=16 ppid=743 pid=763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
Apr 07 17:11:35 ... audit: KERN_MODULE name="tls"
Apr 07 17:11:35 ... audit: CWD cwd="/"
Apr 07 17:11:35 ... audit: PATH item=0 name=(null) inode=2076 dev=00:0c mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Apr 07 17:11:35 ... audit: PATH item=1 name=(null) inode=481 dev=00:0c mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
...
Apr 07 17:11:35 ... audit: PROCTITLE proctitle=6D6F6470726F626500626F6E64696E67
Apr 07 17:11:35 ... kernel: Could not create tracefs 'tls/filter' entry
Apr 07 17:11:35 ... kernel: Could not create tracefs 'enable' entry
Apr 07 17:11:35 ... kernel: Could not create tracefs 'enable' entry
...

However, and this is important, the AVC denials only happen when hcn-init.service
is started, either on boot or manually. If I do a "modprobe bonding" manually on
the command line, the AVC denials do not happen, and I do not get the "Could not
create tracefs ..." in dmesg.

Comment 6 Herton R. Krzesinski 2021-04-07 22:13:00 UTC
(In reply to Zdenek Pytela from comment #2)
> More data needed to asses if it should be addressed in selinux-policy, full
> auditing enabled and a list of processes:
> 
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> 
> 
> ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_service_t

This is the ausearch output:

----
type=AVC msg=audit(04/07/21 16:46:42.832:142) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:143) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:144) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:145) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:146) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:147) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:148) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:149) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:150) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:151) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:152) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:153) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:154) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:155) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:156) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:157) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:158) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:159) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:160) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:161) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:162) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:163) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:164) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:165) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:166) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:167) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:168) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:169) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:170) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:171) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
----
type=AVC msg=audit(04/07/21 16:46:42.832:172) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:173) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:174) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:175) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:176) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:177) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:178) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:179) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:180) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:181) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:182) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:183) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:184) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=AVC msg=audit(04/07/21 16:46:42.832:185) : avc:  denied  { confidentiality } for  pid=772 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
----
type=PROCTITLE msg=audit(04/07/21 17:11:35.871:146) : proctitle=modprobe bonding 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=15 name=(null) inode=488 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=14 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=13 name=(null) inode=487 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=12 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=11 name=(null) inode=486 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=10 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=9 name=(null) inode=485 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=8 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=7 name=(null) inode=484 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=6 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=5 name=(null) inode=483 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=4 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=3 name=(null) inode=482 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=2 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=1 name=(null) inode=481 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/07/21 17:11:35.871:146) : item=0 name=(null) inode=2076 dev=00:0c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/07/21 17:11:35.871:146) : cwd=/ 
type=KERN_MODULE msg=audit(04/07/21 17:11:35.871:146) : name=tls 
type=SYSCALL msg=audit(04/07/21 17:11:35.871:146) : arch=ppc64le syscall=init_module success=yes exit=0 a0=0x7fffa4120010 a1=0x28010 a2=0x105507fd8 a3=0x1002e682 items=16 ppid=743 pid=763 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0 
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
...
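
The ausearch output quoted above is easier to triage once each record is parsed and the AVC lines are correlated, by audit serial, with the KERN_MODULE and SYSCALL records of the same event, which is exactly the chain (AVC on tclass=lockdown, KERN_MODULE name=tls, syscall=init_module) that identifies the tls module load in comment 6. The script below is an added example and not part of this bug report or of any Red Hat tooling; it handles both the raw auditd format from the description and the `ausearch -i` interpreted format from this comment. The sample log text inside it is constructed from lines quoted in this bug plus one made-up, non-lockdown file denial to show that unrelated AVCs are filtered out.

```python
"""Triage helper for SELinux lockdown AVC denials (added example, not part of the bug)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Record header in raw auditd format ("msg=audit(1617223787.476:141): ...") or in
# `ausearch -i` interpreted format ("msg=audit(04/07/21 17:11:35.871:146) : ...").
HEADER_RE = re.compile(
    r'^type=(?P<rtype>\w+)\s+msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value; a quoted value may contain spaces
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')    # the "{ confidentiality }" permission set
DECISION_RE = re.compile(r'avc:\s+(granted|denied)')

# Constructed sample, modelled on lines quoted in this bug: the raw AVC from the
# description (serial 141, no KERN_MODULE captured) and the serial-146 event from
# comment 6, plus a made-up file denial that must not be counted as a lockdown denial.
SAMPLE = """\
type=AVC msg=audit(1617223787.476:141): avc:  denied  { confidentiality } for  pid=792 comm="modprobe" lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
----
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
type=AVC msg=audit(04/07/21 17:11:35.871:146) : avc:  denied  { confidentiality } for  pid=763 comm=modprobe lockdown_reason="use of tracefs" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
type=KERN_MODULE msg=audit(04/07/21 17:11:35.871:146) : name=tls
type=SYSCALL msg=audit(04/07/21 17:11:35.871:146) : arch=ppc64le syscall=init_module success=yes exit=0 ppid=743 pid=763 comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(04/07/21 17:11:40.002:150) : avc:  denied  { write } for  pid=801 comm=example name=shadow scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""


@dataclass
class Record:
    rtype: str                  # AVC, SYSCALL, KERN_MODULE, PATH, ...
    serial: int                 # the audit event serial; all records of one event share it
    fields: dict = field(default_factory=dict)
    perms: tuple = ()           # permissions named in "{ ... }" (AVC records only)
    decision: str = ""          # "denied" / "granted" for AVC records, "" otherwise


def parse_records(text):
    """Parse audit lines into Records; "----" separators and unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        body = m.group('body')
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        pm = PERMS_RE.search(body)
        dm = DECISION_RE.search(body)
        records.append(Record(m.group('rtype'), int(m.group('serial')), fields,
                              tuple(pm.group(1).split()) if pm else (),
                              dm.group(1) if dm else ""))
    return records


def lockdown_denials(records):
    """Count AVC denials on the lockdown class, keyed by subject and by the syscall and
    kernel module of the same event (None when the log did not capture those records)."""
    by_serial = {}
    for r in records:
        by_serial.setdefault(r.serial, []).append(r)
    summary = Counter()
    for _serial, group in sorted(by_serial.items()):
        module = next((r.fields.get('name') for r in group if r.rtype == 'KERN_MODULE'), None)
        syscall = next((r.fields.get('syscall') for r in group if r.rtype == 'SYSCALL'), None)
        for r in group:
            if r.rtype != 'AVC' or r.decision != 'denied' or r.fields.get('tclass') != 'lockdown':
                continue
            key = (r.fields.get('comm'), ' '.join(r.perms), r.fields.get('lockdown_reason'),
                   r.fields.get('scontext'), syscall, module)
            summary[key] += 1
    return summary


def report(summary):
    """Render the summary as one line per distinct (subject, reason, syscall, module) key."""
    lines = []
    for (comm, perms, reason, scontext, syscall, module), n in summary.most_common():
        lines.append(f"{n:4d}x {comm} {{ {perms} }} reason={reason!r} scontext={scontext} "
                     f"syscall={syscall or '?'} module={module or '?'}")
    return lines


if __name__ == '__main__':
    print('\n'.join(report(lockdown_denials(parse_records(SAMPLE)))))
```

On real data, feed the output of `ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` to `parse_records`. Events whose KERN_MODULE or SYSCALL record was not captured (the description's raw line) are still counted but shown with `?`, so a missing correlation stays visible instead of being silently merged with the tls event.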

Comment 7 Ondrej Mosnacek 2021-04-13 08:19:13 UTC
Started a discussion upstream to seek the right solution for this:
https://lore.kernel.org/selinux/CAFqZXNs4eRC6kjFRe6CdwA-sng-w6bcJZf5io+hoLKwM98TVSA@mail.gmail.com/T/

Also setting priority to "urgent" as this seems to block a lot of things...

Comment 8 Herton R. Krzesinski 2021-04-15 22:56:17 UTC
Trying to unblock the kernel meanwhile, while we wait for the upstream response etc., would it make sense as a temporary workaround to disable the hcn-init.service from starting automatically on boot in the powerpc-utils-core package?

Than, adding you here since it seems you're the maintainer of powerpc-utils. Do you know how important it is to have hcn-init.service started on boot, and if a workaround like disabling its automatic start on boot would be acceptable? The start of this service is generating an SELinux AVC (for more context see the description and comment #5).

Comment 9 Zdenek Pytela 2021-04-16 09:16:10 UTC
I am going to clone this BZ for selinux-policy component to allow the permission for one particular domain. The problem still needs to be addressed in kernel.

Comment 10 Than Ngo 2021-04-16 10:06:49 UTC
(In reply to Herton R. Krzesinski from comment #8)
> Trying to unblock the kernel meanwhile while we wait the upstream response
> etc., would make sense as a temporary workaround to disable the
> hcn-init.service to start automatically on boot on the powerpc-utils-core
> package?
> 
> Than, adding you here since seems you're the maintainer of powerpc-utils. Do
> you know how important is to have hcn-init.service started on boot, and if
> an workaround like disabling its automatic start on boot would be
> acceptable. The start of this service is generating an selinux AVC (for more
> context see description and #comment 5).

The hcn-init.service is important for the hybrid virtual network to allow
SR-IOV VFs on an LPAR capable of live partition migration, and it needs to be started at boot.

Comment 16 Zdenek Pytela 2021-06-14 17:24:16 UTC
*** Bug 1942267 has been marked as a duplicate of this bug. ***

Comment 23 Ondrej Mosnacek 2021-10-13 08:43:04 UTC
The comprehensive fix/workaround for all the problems caused by the lockdown SELinux class was rejected by Linus and, for the lack of a better option, the consensus upstream was to just remove the class entirely and stop checking anything in the lockdown hook. Since this won't break any functionality (i.e. nothing bad happens even if the policy still defines the class), we decided to follow suit in RHEL-9 and remove it while there is still time (i.e. before GA). It has only provided a nice-to-have additional level of security, so no big loss there either.

Comment 43 errata-xmlrpc 2022-05-17 15:38:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: kernel), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907

