1969747 – AVC denials seen while running tests in test_integration/test_installation.py

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1969747 - AVC denials seen while running tests in test_integration/test_installation.py

Summary: AVC denials seen while running tests in test_integration/test_installation.py

Keywords:
Status:	CLOSED DUPLICATE of bug 1967125
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	beta
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-09 07:55 UTC by Sudhir Menon
Modified:	2022-01-05 13:43 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-06-09 08:48:54 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Sudhir Menon 2021-06-09 07:55:02 UTC

Description of problem: AVC denials seen while running tests in test_integration/test_installation.py


Version-Release number of selected component (if applicable):
ipa-server-4.9.3-1.module+el8.5.0+10565+ae980a94.x86_64
selinux-policy-3.14.3-69.el8.noarch
selinux-policy-targeted-3.14.3-69.el8.noarch
389-ds-base-1.4.3.16-13.module+el8.4.0+10307+74bbfb4e.x86_64
krb5-server-1.18.2-10.el8.x86_64

How reproducible: Always


Steps to Reproduce:
1. Run upstream testsuite: test_integration/test_installation.py
2. Check AVC log.

Actual results:
This is a summary AVC file for pytest, for ausearch query for each host, check logs/ausearch-<host>.log
----
time->Wed Jun  9 02:11:09 2021
type=PROCTITLE msg=audit(1623219069.226:22): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E00696D706C696369745F66696C6573002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1623219069.226:22): arch=c000003e syscall=138 success=no exit=-13 a0=0 a1=7ffcce63a9e0 a2=0 a3=0 items=0 ppid=734 pid=776 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1623219069.226:22): avc:  denied  { getattr } for  pid=776 comm="sssd_be" name="/" dev="proc" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  9 02:11:10 2021
type=PROCTITLE msg=audit(1623219070.226:28): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F736574726F75626C6573686F6F7464002D66
type=SYSCALL msg=audit(1623219070.226:28): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffc56387ad0 a2=0 a3=0 items=0 ppid=782 pid=783 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1623219070.226:28): avc:  denied  { getattr } for  pid=783 comm="setroubleshootd" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  9 02:11:10 2021
type=PROCTITLE msg=audit(1623219070.259:29): proctitle=72706D002D716C0066696C6573797374656D
type=SYSCALL msg=audit(1623219070.259:29): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffe0903ab40 a2=0 a3=0 items=0 ppid=783 pid=821 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1623219070.259:29): avc:  denied  { getattr } for  pid=821 comm="rpm" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive


Expected results:
Fix the AVD denials

Additional info:

Comment 2 Alexander Bokovoy 2021-06-09 08:37:37 UTC

Moving to selinux-policy.

On Fedora 34 I have this:

# sesearch --source sssd_t --target proc_t --allow 
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };

e.g. proc_t:filesystem getattr is allowed

On RHEL 8.5.0 I have this:

# sesearch --source sssd_t --target proc_t --allow
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { getattr ioctl lock open read search };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow kernel_system_state_reader proc_t:lnk_file { getattr read };
allow sssd_t proc_t:dir { getattr open search };

e.g. proc_t:filesystem getattr is not allowed.

Comment 3 Zdenek Pytela 2021-06-09 08:48:54 UTC


*** This bug has been marked as a duplicate of bug 1967125 ***

Note You need to log in before you can comment on or make changes to this bug.