Bug 1967125 - SELinux is preventing libcap-ng from 'getattr' accesses on the filesystem /proc.
Summary: SELinux is preventing libcap-ng from 'getattr' accesses on the filesystem /proc.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: beta
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:772447edea349ab4463404de293...
Duplicates: 1968338 1968371 1969688 1969740 1969747 1970256 1971228 1971688
Depends On: 1892401
Blocks: 1939386 1944515 1969483
Reported: 2021-06-02 13:03 UTC by Zoltan Fridrich
Modified: 2021-11-10 08:36 UTC (History)

Fixed In Version: selinux-policy-3.14.3-70.el8
Doc Type: No Doc Update
Doc Text:
Clone Of: 1892401
Environment:
Last Closed: 2021-11-09 19:43:34 UTC
Type: ---
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2021:4420 (last updated 2021-11-09 19:44:02 UTC)

Description Zoltan Fridrich 2021-06-02 13:03:23 UTC
+++ This bug was initially created as a clone of Bug #1892401 +++

Description of problem:
SELinux is preventing libcap-ng from 'getattr' accesses on the filesystem /proc.

After building libcap-ng the following test fails: /libcap-ng/Regression/compare-capabilities-from-captest-and-capsh/10_avc_check

with the following avc.log:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.3-68.el8.noarch
----
time->Wed Jun  2 09:35:02 2021
type=PROCTITLE msg=audit(1622626502.227:1163): proctitle=2F7573722F7362696E2F756E69785F63686B70776400726F6F740063686B657870697279
type=SYSCALL msg=audit(1622626502.227:1163): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffec4a7d910 a2=0 a3=0 items=0 ppid=17071 pid=17073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622626502.227:1163): avc:  denied  { getattr } for  pid=17073 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  2 09:35:38 2021
type=PROCTITLE msg=audit(1622626538.802:1251): proctitle=2F7573722F7362696E2F756E69785F63686B70776400726F6F740063686B657870697279
type=SYSCALL msg=audit(1622626538.802:1251): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffc09c99620 a2=0 a3=0 items=0 ppid=17427 pid=17429 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622626538.802:1251): avc:  denied  { getattr } for  pid=17429 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
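As an added example (not code from the bug report or from the selinux-policy project), a small Python triage script over the first audit event quoted above: it groups the PROCTITLE/SYSCALL/AVC records by event id, decodes the hex-encoded proctitle back into argv, maps syscall 138 on x86_64 (arch=c000003e) to fstatfs, where a0=3 is the file descriptor, and derives the audit2allow-style rule the denial would produce for chkpwd_t. The syscall table and all function names are constructed for this example; the backported fix described in the comment that follows grants the permission to the whole domain attribute instead of to chkpwd_t alone.

```python
import re

# Constructed sample: the first audit event quoted in the bug description above.
AVC_LOG = """\
type=PROCTITLE msg=audit(1622626502.227:1163): proctitle=2F7573722F7362696E2F756E69785F63686B70776400726F6F740063686B657870697279
type=SYSCALL msg=audit(1622626502.227:1163): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffec4a7d910 a2=0 a3=0 items=0 ppid=17071 pid=17073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622626502.227:1163): avc:  denied  { getattr } for  pid=17073 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
"""
# arch=c000003e is x86_64; only the statfs family is needed for this event (hypothetical table).
X86_64_SYSCALLS = {137: "statfs", 138: "fstatfs"}
RECORD_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_records(text):
    """Group audit records by event id: {eid: {record_type: body}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, eid, body = m.groups()
            events.setdefault(eid, {})[rtype] = body
    return events

def kv(body):
    """Parse key=value pairs, stripping the quotes around string values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}

def triage_event(records):
    """Explain one denial: the command line, the syscall, and the rule audit2allow would emit."""
    avc = kv(records["AVC"])
    perms = re.search(r"\{ ([^}]+) \}", records["AVC"]).group(1).split()
    sc = kv(records["SYSCALL"])
    stype = avc["scontext"].split(":")[2]   # user:role:type:range -> type
    ttype = avc["tcontext"].split(":")[2]
    # PROCTITLE stores the NUL-separated argv as a hex string.
    argv = bytes.fromhex(kv(records["PROCTITLE"])["proctitle"]).decode().split("\x00")
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return {
        "argv": argv,
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "rule": "allow %s %s:%s %s;" % (stype, ttype, avc["tclass"], perm_str),
    }

def triage(text):
    """One triage dict per event that carries an AVC record."""
    return {eid: triage_event(r) for eid, r in group_records(text).items() if "AVC" in r}
```

Calling `triage(AVC_LOG)` yields, for event 1163, argv `/usr/sbin/unix_chkpwd root chkexpiry`, syscall `fstatfs`, and the rule `allow chkpwd_t proc_t:filesystem getattr;`.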

Comment 1 Zdenek Pytela 2021-06-02 13:28:47 UTC
These commits need to be backported:
commit 0b26432144f0b6f2140b974b9c508d991286bfa4
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:50:49 2021 +0100

    Allow domain stat /proc filesystem

    Resolves: rhbz#1892401

commit d190cec28e8a29db86ad3b0bc57a66107e781d42
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:48:17 2021 +0100

    Remove all kernel_getattr_proc() interface calls

    All individual permissions to allow stat the /proc filesystem
    will be replaced by allowing it for all types in the domain attribute.

commit 4ff1ffe65c898aa4707f9fca5324b83613a1ae5f
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:41:19 2021 +0100

    Revert "Allow passwd to get attributes in proc_t"

    This reverts commit 44a5636ce1fb9d8d306fe49b821b84114ab28746.
    The permission to stat the /proc filesystem rather needs to be allowed
    for all types in the domain attribute.

commit f01b1545610dcf9c6af470b5a15538d089df9cb6
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:35:47 2021 +0100

    Revert "Allow dovecot_auth_t stat /proc filesystem"

    This reverts commit 757eb7fb51305e86a1ae296f7c69d694e0177749.
    The permission to stat the /proc filesystem rather needs to be allowed
    for all types in the domain attribute.

commit 125d471b67a4c80dd0f33d82f361e7f12a258de9
Author: Zdenek Pytela <zpytela>
Date:   Mon Jan 4 19:34:21 2021 +0100

    Revert "Allow sssd, unix_chkpwd, groupadd stat /proc filesystem"

    This reverts commit 785340ee2d313990024653ce2dd028d34bdeecd9.
    The permission to stat the /proc filesystem rather needs to be allowed
    for all types in the domain attribute.

Comment 3 Zdenek Pytela 2021-06-08 10:04:43 UTC
*** Bug 1968371 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2021-06-08 10:05:41 UTC
*** Bug 1968338 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-06-09 08:48:54 UTC
*** Bug 1969747 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2021-06-09 10:12:27 UTC
*** Bug 1969740 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2021-06-09 11:33:11 UTC
*** Bug 1969688 has been marked as a duplicate of this bug. ***

Comment 11 dhodovsk 2021-06-10 07:44:12 UTC
*** Bug 1892401 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2021-06-10 08:57:40 UTC
*** Bug 1970256 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2021-06-14 16:47:54 UTC
*** Bug 1971688 has been marked as a duplicate of this bug. ***

Comment 19 Zdenek Pytela 2021-06-16 16:47:39 UTC
*** Bug 1971228 has been marked as a duplicate of this bug. ***

Comment 20 Carl George 🤠 2021-06-23 17:57:02 UTC
For CentOS Stream 8 users, take note this was fixed in selinux-policy-3.14.3-70.el8, and we shipped selinux-policy-3.14.3-71.el8 (the next higher release which also contained the fix) on 2021-06-17.

Comment 22 errata-xmlrpc 2021-11-09 19:43:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

