Bug 1967125 - SELinux is preventing libcap-ng from 'getattr' accesses on the filesystem /proc.
Summary: SELinux is preventing libcap-ng from 'getattr' accesses on the filesystem /proc.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: beta
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:772447edea349ab4463404de293...
Duplicates: 1968338 1968371 1969688 1969740 1969747 1970256 1971228 1971688
Depends On: 1892401
Blocks: 1939386 1944515 1969483
Reported: 2021-06-02 13:03 UTC by Zoltan Fridrich
Modified: 2021-11-10 08:36 UTC
CC List: 24 users

Fixed In Version: selinux-policy-3.14.3-70.el8
Doc Type: No Doc Update
Doc Text:
Clone Of: 1892401
Environment:
Last Closed: 2021-11-09 19:43:34 UTC
Type: ---
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2021:4420 (last updated 2021-11-09 19:44:02 UTC)

Description Zoltan Fridrich 2021-06-02 13:03:23 UTC
+++ This bug was initially created as a clone of Bug #1892401 +++

Description of problem:
SELinux is preventing libcap-ng from 'getattr' accesses on the filesystem /proc.

After building libcap-ng, the following test fails: /libcap-ng/Regression/compare-capabilities-from-captest-and-capsh/10_avc_check

with the following avc.log:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.3-68.el8.noarch
----
time->Wed Jun  2 09:35:02 2021
type=PROCTITLE msg=audit(1622626502.227:1163): proctitle=2F7573722F7362696E2F756E69785F63686B70776400726F6F740063686B657870697279
type=SYSCALL msg=audit(1622626502.227:1163): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffec4a7d910 a2=0 a3=0 items=0 ppid=17071 pid=17073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622626502.227:1163): avc:  denied  { getattr } for  pid=17073 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  2 09:35:38 2021
type=PROCTITLE msg=audit(1622626538.802:1251): proctitle=2F7573722F7362696E2F756E69785F63686B70776400726F6F740063686B657870697279
type=SYSCALL msg=audit(1622626538.802:1251): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffc09c99620 a2=0 a3=0 items=0 ppid=17427 pid=17429 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622626538.802:1251): avc:  denied  { getattr } for  pid=17429 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0

Comment 1 Zdenek Pytela 2021-06-02 13:28:47 UTC
These commits need to be backported:
commit 0b26432144f0b6f2140b974b9c508d991286bfa4
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:50:49 2021 +0100

    Allow domain stat /proc filesystem

    Resolves: rhbz#1892401

commit d190cec28e8a29db86ad3b0bc57a66107e781d42
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:48:17 2021 +0100

    Remove all kernel_getattr_proc() interface calls

    All individual permissions to allow stat the /proc filesystem
    will be replaced by allowing it for all types in the domain attribute.

commit 4ff1ffe65c898aa4707f9fca5324b83613a1ae5f
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:41:19 2021 +0100

    Revert "Allow passwd to get attributes in proc_t"

    This reverts commit 44a5636ce1fb9d8d306fe49b821b84114ab28746.
    The permission to stat the /proc filesystem rather needs to be allowed
    for all types in the domain attribute.

commit f01b1545610dcf9c6af470b5a15538d089df9cb6
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:35:47 2021 +0100

    Revert "Allow dovecot_auth_t stat /proc filesystem"

    This reverts commit 757eb7fb51305e86a1ae296f7c69d694e0177749.
    The permission to stat the /proc filesystem rather needs to be allowed
    for all types in the domain attribute.

commit 125d471b67a4c80dd0f33d82f361e7f12a258de9
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:34:21 2021 +0100

    Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"

    This reverts commit 785340ee2d313990024653ce2dd028d34bdeecd9.
    The permission to stat the /proc filesystem rather needs to be allowed
    for all types in the domain attribute.
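
As an added example (not part of the bug report and not selinux-policy code), the following Python script parses AVC records out of an audit log in the layout quoted in the description, keeps only the denial class this bug covers (getattr on the proc_t filesystem), decodes the hex-encoded PROCTITLE record that accompanies each denial, and derives both the narrowest allow rule for the source type and the attribute-wide form the backported commits describe (allowing it for every type carrying the domain attribute). The sample log is constructed from the fields in the description plus one unrelated denial; example_t, example_d and /dev/example are placeholder names.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log: the two AVC records and one PROCTITLE record copied
# from the bug description, plus one made-up, unrelated denial (placeholder
# names example_t / example_d) so the filter has something to ignore.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1622626502.227:1163): proctitle=2F7573722F7362696E2F756E69785F63686B70776400726F6F740063686B657870697279
type=AVC msg=audit(1622626502.227:1163): avc:  denied  { getattr } for  pid=17073 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1622626538.802:1251): avc:  denied  { getattr } for  pid=17429 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1622626600.000:1300): avc:  denied  { read write } for  pid=2001 comm="example_d" path="/dev/example" dev="devtmpfs" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$'
)
# PROCTITLE is hex-encoded whenever argv contains NUL separators (or other
# non-printable bytes); the plain quoted-string form is not handled here.
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(hexstr: str) -> List[str]:
    """Turn the hex-encoded proctitle back into the argv list (NUL-separated)."""
    return [part.decode("utf-8", errors="replace")
            for part in bytes.fromhex(hexstr).split(b"\0")]


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one type=AVC line into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a context (user:role:type:range)
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the denial was actually enforced, not just logged
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def parse_log(text: str) -> List[Dict]:
    """Collect AVC records and attach the decoded argv of the matching PROCTITLE
    record (same audit serial), or None when no PROCTITLE line was logged."""
    argv_by_serial: Dict[int, List[str]] = {}
    avcs: List[Dict] = []
    for line in text.splitlines():
        pt = PROCTITLE_RE.match(line.strip())
        if pt:
            argv_by_serial[int(pt.group("serial"))] = decode_proctitle(pt.group("hex"))
            continue
        rec = parse_avc(line)
        if rec:
            avcs.append(rec)
    for rec in avcs:
        rec["argv"] = argv_by_serial.get(rec["serial"])
    return avcs


def proc_getattr_denials(records: List[Dict]) -> List[Dict]:
    """Records matching this bug: a denied getattr on the proc_t filesystem."""
    return [r for r in records
            if r["decision"] == "denied" and r["tclass"] == "filesystem"
            and r["ttype"] == "proc_t" and "getattr" in r["perms"]]


def allow_rule(rec: Dict, subject: Optional[str] = None) -> str:
    """Narrowest allow rule for one denial in SELinux policy (.te) syntax.
    Passing subject="domain" yields the attribute-wide form the backport describes."""
    src = subject or rec["stype"]
    perms = " ".join(sorted(set(rec["perms"])))
    return f'allow {src} {rec["ttype"]}:{rec["tclass"]} {{ {perms} }};'


def summarize(records: List[Dict]) -> Dict[str, int]:
    """Count denials per derived allow rule, so repeated hits collapse to one line."""
    return dict(Counter(allow_rule(r) for r in records if r["decision"] == "denied"))


if __name__ == "__main__":
    records = parse_log(SAMPLE_AUDIT_LOG)
    for rec in proc_getattr_denials(records):
        print(f'{rec["comm"]} pid={rec["pid"]} argv={rec["argv"]} enforced={rec["enforced"]}')
    for rule, count in summarize(records).items():
        print(f"{count:3d}  {rule}")
    print("domain-wide form:", allow_rule(proc_getattr_denials(records)[0], subject="domain"))
```

The per-type rule is what a local workaround module would carry until the fixed selinux-policy build is installed; the domain-wide form is the one the commit list above settles on, replacing the individual passwd, dovecot_auth_t, sssd, unix_chkpwd and groupadd rules that the reverted commits had added one at a time.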

Comment 3 Zdenek Pytela 2021-06-08 10:04:43 UTC
*** Bug 1968371 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2021-06-08 10:05:41 UTC
*** Bug 1968338 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-06-09 08:48:54 UTC
*** Bug 1969747 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2021-06-09 10:12:27 UTC
*** Bug 1969740 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2021-06-09 11:33:11 UTC
*** Bug 1969688 has been marked as a duplicate of this bug. ***

Comment 11 dhodovsk 2021-06-10 07:44:12 UTC
*** Bug 1892401 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2021-06-10 08:57:40 UTC
*** Bug 1970256 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2021-06-14 16:47:54 UTC
*** Bug 1971688 has been marked as a duplicate of this bug. ***

Comment 19 Zdenek Pytela 2021-06-16 16:47:39 UTC
*** Bug 1971228 has been marked as a duplicate of this bug. ***

Comment 20 Carl George 🤠 2021-06-23 17:57:02 UTC
For CentOS Stream 8 users, take note this was fixed in selinux-policy-3.14.3-70.el8, and we shipped selinux-policy-3.14.3-71.el8 (the next higher release which also contained the fix) on 2021-06-17.

Comment 22 errata-xmlrpc 2021-11-09 19:43:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420