Bug 1955466 - RHVH 4.4.6 based on RHEL 8.4: There are AVC denied errors in audit.log after upgrade related to NetworkManager, kdump and dracut
Keywords:
Status: CLOSED DUPLICATE of bug 1955415
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Lev Veyde
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1955415 2020997 2111410
Reported: 2021-04-30 07:50 UTC by Sandro Bonazzola
Modified: 2022-07-27 09:37 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-10 09:43:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Description Sandro Bonazzola 2021-04-30 07:50:44 UTC
This bug was initially created as a copy of Bug #1955415

I am copying this bug because: NetworkManager related denial seems to require selinux-policy fix. The gluster related denial will be handled on bug #1955461
Please consider including in 8.4 batch update or async.


Description of problem:
After RHVH is upgraded to the latest 4.4.6, there are AVC denied errors in audit.log

Version-Release number of selected component (if applicable):
RHVM: 4.4.6.5-0.17.el8ev
RHVH: redhat-virtualization-host-4.4.6-20210426.0.el8_4

SELinux related packages included:
glusterfs-selinux-1.0-4.el8rhgs.noarch
ipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
libselinux-2.9-5.el8.x86_64
libselinux-utils-2.9-5.el8.x86_64
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
python3-libselinux-2.9-5.el8.x86_64
rpm-plugin-selinux-4.14.3-13.el8.x86_64
selinux-policy-3.14.3-67.el8.noarch
selinux-policy-targeted-3.14.3-67.el8.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20210331.0-RHVH-x86_64-dvd1.iso
2. Add host to RHVM
3. Login to host, setup local repos and point to "redhat-virtualization-host-4.4.6-20210426.0.el8_4"
4. Remove audit.log before upgrade
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak
5. Upgrade the host via RHVM
6. Check avc denied info in audit.log after upgrade
   # grep 'avc:  denied' /var/log/audit/audit.log

Actual results:
There are AVC denied errors in audit.log
~~~~~~
# grep 'avc:  denied' /var/log/audit/audit.log
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
~~~~~~

Expected results:
After upgrade, there is no AVC denied error in audit.log 

Additional info:

Comment 2 Zdenek Pytela 2021-05-11 20:04:33 UTC
(In reply to Sandro Bonazzola from comment #0)
> There are AVC denied errors in audit.log
> ~~~~~~
> # grep 'avc:  denied' /var/log/audit/audit.log
> type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for 
> pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0
> tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket
> permissive=0
> type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for 
> pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0
> tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket
> permissive=0
> type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for 
> pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat"
> dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
The second denial is dontaudited in current version of selinux-policy, namely since 3.14.3-62.

The first one needs to be addressed in gluster-selinux.
I've found the PR
https://github.com/gluster/glusterfs-selinux/pull/18
and 
https://bugzilla.redhat.com/show_bug.cgi?id=1937300
Fixed In Version: glusterfs-selinux-1.0-3

The latest selinux-policy and glusterfs-selinux packages need to be installed to address the denials.

Given this information:
> SELinux related packages included:
> glusterfs-selinux-1.0-4.el8rhgs.noarch
> selinux-policy-3.14.3-67.el8.noarch
> selinux-policy-targeted-3.14.3-67.el8.noarch

can you check the timestamps of the audit records? It looks they may have been audited prior to the updated packages installation.

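The check asked for in comment 2 (do the AVC timestamps predate the package update?) and the grep in the reproduction steps are worth doing mechanically rather than by eye, because `audit(<sec>.<msec>:<serial>)` carries an epoch time that has to be converted before it can be compared with anything `rpm -q --last` prints. The following is an added example written for this page; it is not part of selinux-policy, RHV-H, imgbased or any Red Hat tooling. It parses the three AVC records quoted in the bug description (embedded here as constructed sample input), converts each timestamp to UTC, collapses repeated denials into (source type, target type, class, permissions) tuples, filters them against a cutoff, and prints the rule text in the form audit2allow would emit so it can be pasted into a sesearch query. The cutoff `HYPOTHETICAL_UPDATE_TIME` is an assumption standing in for the real package install time, not a value taken from the bug.

```python
"""Added example (not Red Hat code): relate SELinux AVC denials to an update time."""
import re
from datetime import datetime, timezone

# Constructed sample input: the three AVC records quoted in the bug description.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1619768225.841:76): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619768225.841:77): avc:  denied  { create } for  pid=1969 comm="glusterd" scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1619753841.383:100): avc:  denied  { write } for  pid=5708 comm="NetworkManager" path="/var/tmp/dracut.bN9njs/systemd-cat" dev="dm-8" ino=12583537 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
"""

# Hypothetical cutoff: stand in for the selinux-policy install time from `rpm -q --last`.
HYPOTHETICAL_UPDATE_TIME = datetime(2021, 4, 30, 5, 0, tzinfo=timezone.utc)

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (comm="glusterd", path="/var/tmp/...") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _audit_time(ts: str) -> datetime:
    """audit(<sec>.<msec>:...) -> aware UTC datetime, without float rounding."""
    sec, _, frac = ts.partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.fromtimestamp(int(sec), tz=timezone.utc).replace(microsecond=micro)


def parse_avc(line: str):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "when": _audit_time(m.group("ts")),
        "serial": int(m.group("serial")),   # per-boot kernel audit serial
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "fields": fields,                   # pid, comm, scontext, tcontext, tclass, ...
    }


def parse_audit_log(text: str) -> list:
    """All AVC records in an audit.log body, in file order."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def _type_of(context: str) -> str:
    """user:role:type:level -> type (system_u:system_r:glusterd_t:s0 -> glusterd_t)."""
    return context.split(":")[2]


def summarize(records) -> dict:
    """Collapse repeated denials into (source type, target type, class, perms) -> count."""
    counts = {}
    for r in records:
        if r["result"] != "denied":
            continue
        f = r["fields"]
        key = (_type_of(f["scontext"]), _type_of(f["tcontext"]), f["tclass"], r["perms"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def denials_after(records, cutoff: datetime) -> list:
    """Denials logged at or after cutoff; anything earlier predates the update."""
    return [r for r in records if r["result"] == "denied" and r["when"] >= cutoff]


def allow_rule(key) -> str:
    """Rule text in the form audit2allow prints, e.g. for a sesearch query."""
    src, tgt, tclass, perms = key
    target = "self" if src == tgt else tgt
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{tclass} {perm_text};"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r["when"].isoformat(), r["serial"], r["fields"]["comm"], r["perms"])
    for key, n in summarize(denials_after(recs, HYPOTHETICAL_UPDATE_TIME)).items():
        print(f"{n}x after cutoff: {allow_rule(key)}")
```

On a real host, read `/var/log/audit/audit.log` instead of the sample and take the cutoff from `rpm -q --last selinux-policy-targeted glusterfs-selinux`. Whether the installed policy already contains an allow or a dontaudit for a surviving tuple can then be checked with setools, e.g. `sesearch -A -s NetworkManager_t -t kdumpctl_tmp_t -c fifo_file -p write` and the same query with `-D` for dontaudit rules; an empty result for both is what comment 6 describes as missing rules in the compiled policy. Note that in the sample the NetworkManager record has a higher serial (100) but an earlier wall-clock time than the glusterd records (76, 77): the kernel audit serial restarts at boot, so this alone shows the log spans a reboot.
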
Comment 3 Zdenek Pytela 2021-06-02 19:38:15 UTC
Sandro,

Have you got the chance to take a look at the notes in #c2, especially compare the timestamps of the AVCs and time of the update?

It can also possibly be related to bz#1949517.

Comment 4 Sandro Bonazzola 2021-06-03 09:58:17 UTC
Redirecting question to Lev Veyde who was looking into the selinux issues on RHV-H recently.

Comment 5 Lev Veyde 2021-06-10 09:31:24 UTC
(In reply to Zdenek Pytela from comment #3)
> Sandro,
> 
> Have you got the chance to take a look at the notes in #c2, especially
> compare the timestamps of the AVCs and time of the update?
> 
> It can also possibly be related to bz#1949517.

No, the issue is real and is certainly there even after cleaning the audit log file and rebooting.

I sent fixes for imgbased, and we'll test these in the latest version of RHV-H/node-ng.

Comment 6 Lev Veyde 2021-06-10 09:35:06 UTC
(In reply to Zdenek Pytela from comment #3)
> Sandro,
> 
> Have you got the chance to take a look at the notes in #c2, especially
> compare the timestamps of the AVCs and time of the update?
> 
> It can also possibly be related to bz#1949517.

Also, it can't be related to the bz#1949517 as the issue here is not wrong labels, but rather missing allow rules in the compiled policy.

Comment 7 Lev Veyde 2021-06-10 09:43:06 UTC
This bug seems to be a clone of https://bugzilla.redhat.com/1955415

*** This bug has been marked as a duplicate of bug 1955415 ***
