Bug 1958025 - running bcc-tools filelife results in AVC denial
Summary: running bcc-tools filelife results in AVC denial
Keywords:
Status: CLOSED DUPLICATE of bug 1955585
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-05-07 04:19 UTC by Chris Murphy
Modified: 2021-05-07 08:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-07 08:49:42 UTC
Type: Bug
Embargoed:



Description Chris Murphy 2021-05-07 04:19:44 UTC
Description of problem:

Constant AVC errors when running bcc-tools filelife to detect short lived files, which then results in setroubleshoot generating small files that filelife then detects.


Version-Release number of selected component (if applicable):
selinux-policy-34.4-1.fc34.noarch

How reproducible:
Only on Fedora Server, Fedora Workstation seems unaffected.

Steps to Reproduce:
1. sudo /usr/share/bcc/tools/filelife
2.
3.

Actual results:

Every 10 seconds:

May 06 22:10:27 fnuc.local audit[446]: AVC avc:  denied  { confidentiality } for  pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:27 fnuc.local audit[446]: SYSCALL arch=c000003e syscall=87 success=yes exit=0 a0=55a1a7f3c680 a1=0 a2=0 a3=7ffd7a048080 items=2 ppid=1 pid=446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
May 06 22:10:27 fnuc.local audit: CWD cwd="/"
May 06 22:10:27 fnuc.local audit: PATH item=0 name="/run/systemd/journal/streams/" inode=58 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 06 22:10:27 fnuc.local audit: PATH item=1 name="/run/systemd/journal/streams/8:108450" inode=3688 dev=00:19 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 06 22:10:27 fnuc.local audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-journald"
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Main process exited, code=killed, status=14/ALRM
May 06 22:10:27 fnuc.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@658 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Failed with result 'signal'.
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Consumed 2.376s CPU time.
May 06 22:10:27 fnuc.local setroubleshoot[8950]: AnalyzeThread.run(): Cancel pending alarm
May 06 22:10:28 fnuc.local systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
May 06 22:10:28 fnuc.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@659 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 06 22:10:30 fnuc.local setroubleshoot[8950]: SELinux is preventing /usr/lib/systemd/systemd-journald from confidentiality access on the lockdown /run/systemd/journal/streams/8:108450. For complete SELinux messages run: sealert -l 3f3ac395-199e-4f06-be13-fa9fb17b3e56
May 06 22:10:30 fnuc.local setroubleshoot[8950]: SELinux is preventing /usr/lib/systemd/systemd-journald from confidentiality access on the lockdown /run/systemd/journal/streams/8:108450.
                                                 
                                                 *****  Plugin catchall (100. confidence) suggests   **************************
                                                 
                                                 If you believe that systemd-journald should be allowed confidentiality access on the 8:108450 lockdown by default.
                                                 Then you should report this as a bug.
                                                 You can generate a local policy module to allow this access.
                                                 Do
                                                 allow this access for now by executing:
                                                 # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
                                                 # semodule -X 300 -i my-systemdjournal.pp
                                                 
May 06 22:10:30 fnuc.local setroubleshoot[8950]: AnalyzeThread.run(): Set alarm timeout to 10

Expected results:

No denial

Additional info:

Output I get from filelife

22:08:43 8946   SetroubleshootP  0.00    ffisM4bFm
22:08:53 1      systemd          10.93   dbus-:1.3-org.fedoraproject.Setr
22:08:54 1      systemd          118.12  dbus-:1.3-org.fedoraproject.Setr
22:08:57 8959   SetroubleshootP  0.00    ffiKlRwDG
22:09:09 1      systemd          12.69   dbus-:1.3-org.fedoraproject.Setr
22:09:10 8971   SetroubleshootP  0.00    ffibyH6LP
22:09:20 1      systemd          2980.07 invocation:dbus-:1.3-org.fedorap
22:09:20 1      systemd          10.92   dbus-:1.3-org.fedoraproject.Setr
22:09:21 8978   SetroubleshootP  0.00    ffiJczV61
22:09:32 1      systemd          10.90   dbus-:1.3-org.fedoraproject.Setr
22:09:33 8985   SetroubleshootP  0.00    ffigt6Xjr
22:09:43 1      systemd          10.94   dbus-:1.3-org.fedoraproject.Setr
22:09:44 8993   SetroubleshootP  0.00    ffiIniFf5
22:09:54 1      systemd          10.92   dbus-:1.3-org.fedoraproject.Setr
22:09:55 9000   SetroubleshootP  0.00    ffieAe1YQ
22:10:05 1      systemd          22.09   invocation:dbus-:1.3-org.fedorap
22:10:05 1      systemd          10.91   dbus-:1.3-org.fedoraproject.Setr
22:10:06 9007   SetroubleshootP  0.00    ffiLzK7WY
22:10:16 1      systemd          10.93   dbus-:1.3-org.fedoraproject.Setr
22:10:17 9017   SetroubleshootP  0.00    ffiDcllu0
22:10:27 1      systemd          965.57  invocation:dbus-:1.3-org.fedorap
22:10:27 1      systemd          10.93   dbus-:1.3-org.fedoraproject.Setr
22:10:28 9024   SetroubleshootP  0.00    ffihhy9um

Comment 1 Ondrej Mosnacek 2021-05-07 07:57:55 UTC
This is likely a duplicate of BZ 1955585, but I'll need to double-check...

Comment 2 Ondrej Mosnacek 2021-05-07 08:49:42 UTC
Yep, there is a bpf_probe_read_kernel() call in that BPF program, so it's pretty much the same issue.

*** This bug has been marked as a duplicate of bug 1955585 ***
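Triage helper for the AVC records in the description and the cause given in comment 2 (an added example, not part of the bug report, bcc or selinux-policy): it parses audit AVC lines, keeps only tclass=lockdown denials and groups them by lockdown_reason, comm and scontext. A kprobe program's bpf_probe_read_kernel() runs inside whichever task hit the probe, so the denial is logged against that task (here systemd-journald) rather than against the tool that loaded the tracer, which is why grouping by comm alone points at the wrong program. The sample log is constructed: two copies of the report's AVC line plus a made-up file denial that the filter must ignore.

```python
import re
from collections import Counter

# Constructed sample input: the lockdown AVC from the report (twice, 10 s apart)
# and a fabricated ordinary file denial that must not be counted.
SAMPLE_LOG = """\
May 06 22:10:27 fnuc.local audit[446]: AVC avc:  denied  { confidentiality } for  pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:27 fnuc.local audit: CWD cwd="/"
May 06 22:10:37 fnuc.local audit[446]: AVC avc:  denied  { confidentiality } for  pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:40 fnuc.local audit[1234]: AVC avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# "AVC avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'AVC avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# Values are either double-quoted (may contain spaces, e.g. lockdown_reason) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit/journal line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def lockdown_denials(text):
    """Keep only lockdown-class denials; these carry a lockdown_reason, never a file path."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec.get("tclass") == "lockdown":
            out.append(rec)
    return out


def summarize(text):
    """Count lockdown denials per (reason, comm, scontext).

    comm/scontext name the task that was executing when the BPF helper ran,
    not the process that loaded the BPF program, so a flood of identical
    entries against an unrelated daemon is the signature of a tracer that
    reads kernel memory, not of that daemon misbehaving.
    """
    counts = Counter()
    for rec in lockdown_denials(text):
        counts[(rec.get("lockdown_reason"), rec.get("comm"), rec.get("scontext"))] += 1
    return counts
```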

