Description of problem:
Constant AVC errors when running bcc-tools filelife to detect short lived files, which then results in setroubleshoot generating small files that filelife then detects.

Version-Release number of selected component (if applicable):
selinux-policy-34.4-1.fc34.noarch

How reproducible:
Only on Fedora Server, Fedora Workstation seems unaffected.

Steps to Reproduce:
1. sudo /usr/share/bcc/tools/filelife
2.
3.

Actual results:
Every 10 seconds:

May 06 22:10:27 fnuc.local audit[446]: AVC avc: denied { confidentiality } for pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:27 fnuc.local audit[446]: SYSCALL arch=c000003e syscall=87 success=yes exit=0 a0=55a1a7f3c680 a1=0 a2=0 a3=7ffd7a048080 items=2 ppid=1 pid=446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
May 06 22:10:27 fnuc.local audit: CWD cwd="/"
May 06 22:10:27 fnuc.local audit: PATH item=0 name="/run/systemd/journal/streams/" inode=58 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 06 22:10:27 fnuc.local audit: PATH item=1 name="/run/systemd/journal/streams/8:108450" inode=3688 dev=00:19 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 06 22:10:27 fnuc.local audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-journald"
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Main process exited, code=killed, status=14/ALRM
May 06 22:10:27 fnuc.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@658 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Failed with result 'signal'.
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Consumed 2.376s CPU time.
May 06 22:10:27 fnuc.local setroubleshoot[8950]: AnalyzeThread.run(): Cancel pending alarm
May 06 22:10:28 fnuc.local systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
May 06 22:10:28 fnuc.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@659 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 06 22:10:30 fnuc.local setroubleshoot[8950]: SELinux is preventing /usr/lib/systemd/systemd-journald from confidentiality access on the lockdown /run/systemd/journal/streams/8:108450. For complete SELinux messages run: sealert -l 3f3ac395-199e-4f06-be13-fa9fb17b3e56
May 06 22:10:30 fnuc.local setroubleshoot[8950]: SELinux is preventing /usr/lib/systemd/systemd-journald from confidentiality access on the lockdown /run/systemd/journal/streams/8:108450.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-journald should be allowed confidentiality access on the 8:108450 lockdown by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -X 300 -i my-systemdjournal.pp

May 06 22:10:30 fnuc.local setroubleshoot[8950]: AnalyzeThread.run(): Set alarm timeout to 10

Expected results:
No denial

Additional info:
Output I get from filelife:

TIME     PID   COMM             AGE(s)   FILE
22:08:43 8946  SetroubleshootP  0.00     ffisM4bFm
22:08:53 1     systemd          10.93    dbus-:1.3-org.fedoraproject.Setr
22:08:54 1     systemd          118.12   dbus-:1.3-org.fedoraproject.Setr
22:08:57 8959  SetroubleshootP  0.00     ffiKlRwDG
22:09:09 1     systemd          12.69    dbus-:1.3-org.fedoraproject.Setr
22:09:10 8971  SetroubleshootP  0.00     ffibyH6LP
22:09:20 1     systemd          2980.07  invocation:dbus-:1.3-org.fedorap
22:09:20 1     systemd          10.92    dbus-:1.3-org.fedoraproject.Setr
22:09:21 8978  SetroubleshootP  0.00     ffiJczV61
22:09:32 1     systemd          10.90    dbus-:1.3-org.fedoraproject.Setr
22:09:33 8985  SetroubleshootP  0.00     ffigt6Xjr
22:09:43 1     systemd          10.94    dbus-:1.3-org.fedoraproject.Setr
22:09:44 8993  SetroubleshootP  0.00     ffiIniFf5
22:09:54 1     systemd          10.92    dbus-:1.3-org.fedoraproject.Setr
22:09:55 9000  SetroubleshootP  0.00     ffieAe1YQ
22:10:05 1     systemd          22.09    invocation:dbus-:1.3-org.fedorap
22:10:05 1     systemd          10.91    dbus-:1.3-org.fedoraproject.Setr
22:10:06 9007  SetroubleshootP  0.00     ffiLzK7WY
22:10:16 1     systemd          10.93    dbus-:1.3-org.fedoraproject.Setr
22:10:17 9017  SetroubleshootP  0.00     ffiDcllu0
22:10:27 1     systemd          965.57   invocation:dbus-:1.3-org.fedorap
22:10:27 1     systemd          10.93    dbus-:1.3-org.fedoraproject.Setr
22:10:28 9024  SetroubleshootP  0.00     ffihhy9um
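The AVC in the report is charged to systemd-journald rather than to the shell running filelife because the kernel executes a kprobe program in the context of whichever task hits the probe. Here that task is journald doing an unlink() (syscall 87 on x86_64) of a stream file; success=yes shows the unlink itself went through, and only the bpf_probe_read_kernel() helper inside the probe was refused by the lockdown hook, which SELinux evaluates against the current task's domain, syslogd_t. That is also why the suggested audit2allow module would grant the lockdown permission to journald's domain, not to the tracing tool. The following is an added example, not code from the report, from bcc or from selinux-policy: it parses audit AVC records, picks out BPF lockdown denials and shows which domain an audit2allow-style rule would end up granting the permission to. The report's own AVC and SYSCALL records are used as sample input, plus one constructed non-lockdown denial for contrast; the function names are this example's own.

```python
"""Classify SELinux AVC records and flag BPF lockdown denials.

Added example, not part of the bug report or of bcc/selinux-policy.
"""
import re
import shlex
from collections import Counter

# Sample input: the AVC and SYSCALL records from the report above, plus one
# constructed ordinary file denial so the classifier has something to reject.
SAMPLE_LINES = [
    'May 06 22:10:27 fnuc.local audit[446]: AVC avc: denied { confidentiality } for '
    'pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" '
    'scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 '
    'tclass=lockdown permissive=0',
    'May 06 22:10:27 fnuc.local audit[446]: SYSCALL arch=c000003e syscall=87 success=yes '
    'exit=0 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald"',
    # constructed, not from the report
    'May 06 22:11:00 fnuc.local audit[900]: AVC avc: denied { read } for pid=900 '
    'comm="example" name="hosts" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': frozenset(m.group('perms').split())}
    # shlex honours the double quotes around values such as
    # lockdown_reason="use of bpf to read kernel RAM".
    for tok in shlex.split(m.group('fields')):
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type, e.g. syslogd_t."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def is_bpf_lockdown_denial(rec):
    """True for a denied lockdown/confidentiality check raised by a BPF kernel read."""
    return (rec is not None
            and rec['result'] == 'denied'
            and rec.get('tclass') == 'lockdown'
            and 'confidentiality' in rec['perms']
            and rec.get('lockdown_reason', '').startswith('use of bpf'))


def charged_domains(lines):
    """Count BPF lockdown denials per (subject type, lockdown reason).

    The subject type is the domain of the task that hit the probe, which is
    the domain any audit2allow rule would end up widening.
    """
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if is_bpf_lockdown_denial(rec):
            counts[(selinux_type(rec['scontext']), rec['lockdown_reason'])] += 1
    return counts


def allow_rule(rec):
    """The allow rule equivalent to what audit2allow derives from one AVC record."""
    src = selinux_type(rec['scontext'])
    tgt = selinux_type(rec['tcontext'])
    target = 'self' if tgt == src else tgt
    perms = sorted(rec['perms'])
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {target}:{rec['tclass']} {perm_str};"


if __name__ == '__main__':
    for (domain, reason), n in charged_domains(SAMPLE_LINES).items():
        print(f"{n} BPF lockdown denial(s) charged to {domain}: {reason}")
    print("audit2allow would grant:", allow_rule(parse_avc(SAMPLE_LINES[0])))
```

Fed with `ausearch -m avc --raw` output (or journal lines like the ones above) while a bcc tool is running, this lists every domain the tool's kernel reads get charged to. For the report's record the derived rule is `allow syslogd_t self:lockdown confidentiality;`, which permanently widens what journald's domain may do rather than touching the tracing tool, so it is worth knowing that before loading the module setroubleshoot suggests.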
This is likely a duplicate of BZ 1955585, but I'll need to double-check...
Yep, there is a bpf_probe_read_kernel() call in that BPF program, so it's pretty much the same issue. *** This bug has been marked as a duplicate of bug 1955585 ***