Bug 1958714 - SELinux is preventing dracut from using the nnp_transition, nosuid_transition access on a process.
Summary: SELinux is preventing dracut from using the nnp_transition, nosuid_transition...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:35b0b032acc51cbd4e68dceff77...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-10 00:20 UTC by Andrew Thurman
Modified: 2021-05-28 00:59 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-34.8-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-28 00:59:41 UTC
Type: ---


Attachments (Terms of Use)

Description Andrew Thurman 2021-05-10 00:20:48 UTC
Description of problem:
Happened while running `rpm-ostree override replace https://koji.fedoraproject.org/koji/buildinfo?buildID=1745028` to test 5.12 kernel on Silverblue.
It didn't seem to directly effect the transaction.
SELinux is preventing dracut from using the nnp_transition, nosuid_transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dracut should be allowed nnp_transition nosuid_transition access on processes labeled setfiles_mac_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dracut' --raw | audit2allow -M my-dracut
# semodule -X 300 -i my-dracut.pp

Additional Information:
Source Context                system_u:system_r:install_t:s0
Target Context                system_u:system_r:setfiles_mac_t:s0
Target Objects                Unknown [ process2 ]
Source                        dracut
Source Path                   dracut
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.5-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.5-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.18-300.fc34.x86_64 #1 SMP Mon
                              May 3 15:10:32 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-05-09 20:18:10 EDT
Last Seen                     2021-05-09 20:18:10 EDT
Local ID                      da4171a4-f3a9-42a0-91e4-d1330cea994b

Raw Audit Messages
type=AVC msg=audit(1620605890.404:644): avc:  denied  { nnp_transition nosuid_transition } for  pid=26740 comm="dracut" scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=0


Hash: dracut,install_t,setfiles_mac_t,process2,nnp_transition,nosuid_transition

Version-Release number of selected component:
selinux-policy-targeted-34.5-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.18-300.fc34.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2021-05-14 15:03:56 UTC
(In reply to Andrew Thurman from comment #0)
> Description of problem:
> Happened while running `rpm-ostree override replace
> https://koji.fedoraproject.org/koji/buildinfo?buildID=1745028` to test 5.12
> kernel on Silverblue.
> It didn't seem to directly effect the transaction.
> SELinux is preventing dracut from using the nnp_transition,
> nosuid_transition access on a process.
Was the command executed from a command line?
Are you aware of some changes which could lead to triggering issues like this? For instance, enabling the nonewprivs item in limits.conf?
Does a similar AVC appear when you run the same command for a different package?
I suppose execution of restorecon or fixfiles will be necessary in some cases.

Comment 2 Andrew Thurman 2021-05-18 11:26:33 UTC
```
[andythurman@rockhopper ~]$ sudo ostree admin config-diff
M    adjtime
M    group
M    passwd
M    gshadow
M    shadow
M    machine-id
M    subgid
M    subuid
M    cups/printers.conf
M    cups/subscriptions.conf
M    udev/hwdb.bin
D    containers/storage.conf
A    NetworkManager/system-connections/enp3s0.nmconnection
A    NetworkManager/system-connections/my_expressvpn_switzerland_-_2_udp.nmconnection
A    NetworkManager/system-connections/my_expressvpn_usa_-_new_york_udp.nmconnection
A    X11/xorg.conf.d/00-keyboard.conf
A    bash_completion.d/tracer
A    chromium/policies/managed/00_gssapi.json
A    cni/net.d/cni.lock
A    cni/net.d/gitea-postgres_default.conflist
A    cni/net.d/traefik-golang_default.conflist
A    cni/net.d/nextcloud-redis-mariadb_redisnet.conflist
A    cni/net.d/nextcloud-redis-mariadb_dbnet.conflist
A    cni/net.d/nextcloudtest_default.conflist
A    cni/net.d/nextcloud_default.conflist
A    cni/net.d/wordpress-mysql_default.conflist
A    cni/net.d/velorendocker_default.conflist
A    cups/printers.conf.O
A    cups/subscriptions.conf.O
A    dbus-1/system.d/org.freedesktop.PackageKit.conf
A    dbus-1/system.d/teamd.conf
A    default/grub
A    dnf/plugins/copr.d
A    dnf/plugins/copr.conf
A    dnf/plugins/debuginfo-install.conf
A    issue.d/cockpit.issue
A    lvm/archive/fedora_fedora_00023-383629534.vg
A    lvm/archive/fedora_fedora_00024-1621666727.vg
A    lvm/archive/fedora_fedora_00025-526712641.vg
A    lvm/archive/fedora_fedora_00026-167264674.vg
A    lvm/archive/fedora_fedora_00027-834245101.vg
A    lvm/archive/fedora_fedora_00028-1269254440.vg
A    lvm/archive/fedora_fedora_00029-682989392.vg
A    lvm/archive/fedora_fedora_00030-1739699805.vg
A    lvm/archive/fedora_fedora_00031-1421313462.vg
A    lvm/archive/fedora_fedora_00032-578450004.vg
A    lvm/archive/fedora_fedora_00033-1615811680.vg
A    lvm/archive/fedora_fedora_00034-1853388030.vg
A    lvm/archive/fedora_fedora_00035-2138591304.vg
A    lvm/archive/fedora_fedora_00036-309567331.vg
A    lvm/archive/fedora_fedora_00037-1024230910.vg
A    lvm/archive/fedora_fedora_00038-1001854372.vg
A    lvm/backup/fedora_fedora
A    motd.d/cockpit
A    openvpn/pia-ca.rsa.4096.crt
A    opt/chrome/policies/managed/00_gssapi.json
A    opt/chrome/managed
A    pam.d/cockpit
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-34
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-35
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-36
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-latest
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-rawhide
A    pulse/daemon.conf
A    pulse/default.pa
A    selinux/targeted/semanage.trans.LOCK
A    selinux/targeted/semanage.read.LOCK
A    selinux/final
A    sysconfig/anaconda
A    sysconfig/network
A    systemd/system/sockets.target.wants/multipathd.socket
A    systemd/system/sockets.target.wants/podman.socket
A    systemd/system/sysinit.target.wants/multipathd.service
A    systemd/system/default.target
A    systemd/system/packagekit.service
A    systemd/system.control
A    systemd/system.control/user.slice.d
A    systemd/system.control/user.slice.d/50-MemoryMin.conf
A    systemd/system.control/user.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-979.slice.d
A    systemd/system.control/user-979.slice.d/50-MemoryMin.conf
A    systemd/system.control/user-979.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-979.slice.d/50-CPUWeight.conf
A    systemd/system.control/user-979.slice.d/50-IOWeight.conf
A    systemd/system.control/user@979.service.d
A    systemd/system.control/user@979.service.d/50-MemoryMin.conf
A    systemd/system.control/user@979.service.d/50-MemoryLow.conf
A    systemd/system.control/user@979.service.d/50-CPUWeight.conf
A    systemd/system.control/user@979.service.d/50-IOWeight.conf
A    systemd/system.control/user-1000.slice.d
A    systemd/system.control/user-1000.slice.d/50-MemoryMin.conf
A    systemd/system.control/user-1000.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-1000.slice.d/50-CPUWeight.conf
A    systemd/system.control/user-1000.slice.d/50-IOWeight.conf
A    systemd/system.control/user@1000.service.d
A    systemd/system.control/user@1000.service.d/50-MemoryMin.conf
A    systemd/system.control/user@1000.service.d/50-MemoryLow.conf
A    systemd/system.control/user@1000.service.d/50-CPUWeight.conf
A    systemd/system.control/user@1000.service.d/50-IOWeight.conf
A    systemd/system.control/user-42.slice.d
A    systemd/system.control/user-42.slice.d/50-MemoryMin.conf
A    systemd/system.control/user-42.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-42.slice.d/50-CPUWeight.conf
A    systemd/system.control/user-42.slice.d/50-IOWeight.conf
A    systemd/system.control/user@42.service.d
A    systemd/system.control/user@42.service.d/50-MemoryMin.conf
A    systemd/system.control/user@42.service.d/50-MemoryLow.conf
A    systemd/system.control/user@42.service.d/50-CPUWeight.conf
A    systemd/system.control/user@42.service.d/50-IOWeight.conf
A    yum.repos.d/rpmfusion-nonfree-updates-testing.repo
A    yum.repos.d/rpmfusion-nonfree-updates.repo
A    yum.repos.d/rpmfusion-nonfree.repo
A    cockpit
A    cockpit/ws-certs.d
A    cockpit/ws-certs.d/0-self-signed-ca.pem
A    cockpit/ws-certs.d/0-self-signed.cert
A    cockpit/ws-certs.d/0-self-signed.key
A    libvirt
A    libvirt/qemu
A    libvirt/qemu/networks
A    libvirt/qemu/networks/default.xml
A    libvirt/secrets
A    libvirt/storage
A    libvirt/storage/autostart
A    libvirt/storage/autostart/default.xml
A    libvirt/storage/autostart/Downloads.xml
A    libvirt/storage/default.xml
A    libvirt/storage/Downloads.xml
A    crypttab
A    localtime
A    locale.conf
A    vconsole.conf
A    .pwd.lock
A    passwd-
A    shadow-
A    subuid-
A    subgid-
A    machine-info
A    hostname
A    group-
A    gshadow-
A    fstab
A    resolv.conf
A    PackageKit
A    PackageKit/PackageKit.conf
A    PackageKit/Vendor.conf
A    multipath
A    .updated
```

I essentially have no changes to the policy.

It sometimes happens on other commands, however I have not gotten the exact reproducibility down. Overriding packages seems to be the most reproducible way.

Comment 3 Fedora Update System 2021-05-24 09:16:19 UTC
FEDORA-2021-558e78822f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-558e78822f

Comment 4 Fedora Update System 2021-05-25 02:27:12 UTC
FEDORA-2021-558e78822f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-558e78822f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-558e78822f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-05-28 00:59:41 UTC
FEDORA-2021-558e78822f has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.