Bug 1960513 - SELinux is preventing amandad from 'getattr' accesses on the filesystem /sys/fs/cgroup.
Summary: SELinux is preventing amandad from 'getattr' accesses on the filesystem /sys/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:0db29a874804bce2bd552987083...
Depends On:
Blocks:
Reported: 2021-05-14 04:26 UTC by Joshua Baker-LePain
Modified: 2021-05-31 12:52 UTC (History)

Fixed In Version: selinux-policy-34.8-1.fc34
Clone Of:
Environment:
Last Closed: 2021-05-28 00:59:46 UTC
Type: ---
Embargoed:



Description Joshua Baker-LePain 2021-05-14 04:26:47 UTC
Description of problem:
Triggered on client by an amcheck from the server
SELinux is preventing amandad from 'getattr' accesses on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that amandad should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'amandad' --raw | audit2allow -M my-amandad
# semodule -X 300 -i my-amandad.pp

Additional Information:
Source Context                system_u:system_r:amanda_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        amandad
Source Path                   amandad
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.6-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.6-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.19-300.fc34.x86_64 #1 SMP Fri
                              May 7 14:17:15 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-05-13 21:12:02 PDT
Last Seen                     2021-05-13 21:12:02 PDT
Local ID                      c1e4cda5-d1b0-49cd-bc18-b7e1f7a76c4c

Raw Audit Messages
type=AVC msg=audit(1620965522.91:2367): avc:  denied  { getattr } for  pid=11412 comm="amandad" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0


Hash: amandad,amanda_t,cgroup_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-34.6-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.19-300.fc34.x86_64
type:           libreport

Comment 1 Milos Malik 2021-05-14 08:28:01 UTC
The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(05/14/2021 04:24:43.644:447) : proctitle=/usr/sbin/amandad -auth=krb5 amdump amindexd amidxtaped 
type=PATH msg=audit(05/14/2021 04:24:43.644:447) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/14/2021 04:24:43.644:447) : cwd=/ 
type=SYSCALL msg=audit(05/14/2021 04:24:43.644:447) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fcb77d273a9 a1=0x7ffdacf0d470 a2=0x7fcb792ef260 a3=0x0 items=1 ppid=1 pid=32575 auid=unset uid=root gid=disk euid=root suid=root fsuid=root egid=disk sgid=disk fsgid=disk tty=(none) ses=unset comm=amandad exe=/usr/lib64/amanda/amandad subj=system_u:system_r:amanda_t:s0 key=(null) 
type=AVC msg=audit(05/14/2021 04:24:43.644:447) : avc:  denied  { getattr } for  pid=32575 comm=amandad name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux\* amanda\* | sort
amanda-3.5.1-28.fc34.x86_64
amanda-client-3.5.1-28.fc34.x86_64
amanda-libs-3.5.1-28.fc34.x86_64
amanda-server-3.5.1-28.fc34.x86_64
selinux-policy-34.6-1.fc34.noarch
selinux-policy-devel-34.6-1.fc34.noarch
selinux-policy-targeted-34.6-1.fc34.noarch
#

Comment 2 Milos Malik 2021-05-14 08:33:35 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(05/14/2021 04:30:05.589:707) : proctitle=/usr/sbin/amandad -auth=krb5 amdump amindexd amidxtaped 
type=PATH msg=audit(05/14/2021 04:30:05.589:707) : item=0 name=/proc/1/environ inode=36728 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/14/2021 04:30:05.589:707) : cwd=/ 
type=SYSCALL msg=audit(05/14/2021 04:30:05.589:707) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7ffd55b34360 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=47385 auid=unset uid=root gid=disk euid=root suid=root fsuid=root egid=disk sgid=disk fsgid=disk tty=(none) ses=unset comm=amandad exe=/usr/lib64/amanda/amandad subj=system_u:system_r:amanda_t:s0 key=(null) 
type=AVC msg=audit(05/14/2021 04:30:05.589:707) : avc:  denied  { sys_ptrace } for  pid=47385 comm=amandad capability=sys_ptrace  scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:system_r:amanda_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(05/14/2021 04:30:05.590:708) : proctitle=/usr/sbin/amandad -auth=krb5 amdump amindexd amidxtaped 
type=PATH msg=audit(05/14/2021 04:30:05.590:708) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/14/2021 04:30:05.590:708) : cwd=/ 
type=SYSCALL msg=audit(05/14/2021 04:30:05.590:708) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f3867428515 a1=0x7ffd55b34420 a2=0x7f386883d260 a3=0x1000 items=1 ppid=1 pid=47385 auid=unset uid=root gid=disk euid=root suid=root fsuid=root egid=disk sgid=disk fsgid=disk tty=(none) ses=unset comm=amandad exe=/usr/lib64/amanda/amandad subj=system_u:system_r:amanda_t:s0 key=(null) 
type=AVC msg=audit(05/14/2021 04:30:05.590:708) : avc:  denied  { getattr } for  pid=47385 comm=amandad name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1 
----
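
As an added illustration, not part of this report or of the Fedora tooling, the script below does by hand what the `ausearch | audit2allow` step quoted in the description automates: it parses the AVC records from Comment 1 and Comment 2 (embedded as constructed input, in both the raw auditd form and the `ausearch -i` form), folds them into type-enforcement allow rules the way audit2allow merges permissions, and flags which rules were only ever observed with permissive=1, which is why the permissive-mode run in Comment 2 surfaced the sys_ptrace denial that the enforcing run in Comment 1 stopped short of.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this bug, in the raw
# auditd form (first line) and the ausearch -i form (other two).
SAMPLE_AVC = """
type=AVC msg=audit(1620965522.91:2367): avc:  denied  { getattr } for  pid=11412 comm="amandad" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(05/14/2021 04:30:05.589:707) : avc:  denied  { sys_ptrace } for  pid=47385 comm=amandad capability=sys_ptrace  scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:system_r:amanda_t:s0 tclass=capability permissive=1
type=AVC msg=audit(05/14/2021 04:30:05.590:708) : avc:  denied  { getattr } for  pid=47385 comm=amandad name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """Yield one dict per AVC denial record found in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        # Type enforcement rules use the type field only, not user/role/MLS.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        rec["permissive"] = rec["permissive"] == "1"
        yield rec

def allow_rules(text):
    """Merge denials per (source type, target type, class) into allow rules.
    Returns [(rule, seen_enforced)]; seen_enforced is False when the denial
    only appeared with permissive=1, i.e. it was never actually blocked."""
    merged = defaultdict(lambda: {"perms": set(), "enforced": False})
    for rec in parse_avc(text):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        merged[key]["perms"] |= rec["perms"]
        merged[key]["enforced"] |= not rec["permissive"]
    rules = []
    for (s, t, c), v in sorted(merged.items()):
        perms = sorted(v["perms"])
        tgt = "self" if s == t else t          # audit2allow writes self for s == t
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append((f"allow {s} {tgt}:{c} {body};", v["enforced"]))
    return rules

if __name__ == "__main__":
    for rule, enforced in allow_rules(SAMPLE_AVC):
        print(f"{rule:48} seen_enforced={enforced}")
```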

Comment 3 Zdenek Pytela 2021-05-14 11:22:33 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/739

Comment 5 Fedora Update System 2021-05-24 09:16:23 UTC
FEDORA-2021-558e78822f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-558e78822f

Comment 6 Fedora Update System 2021-05-25 02:27:15 UTC
FEDORA-2021-558e78822f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-558e78822f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-558e78822f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-05-28 00:59:46 UTC
FEDORA-2021-558e78822f has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

