Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1969747

Summary: AVC denials seen while running tests in test_integration/test_installation.py
Product: Red Hat Enterprise Linux 8 Reporter: Sudhir Menon <sumenon>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5CC: abokovoy, grajaiya, jhrozek, lslebodn, lvrabec, mmalik, mzidek, pbrezina, plautrba, rcritten, ssekidde, tscherf
Target Milestone: betaKeywords: Regression, TestCaseProvided
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-09 08:48:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sudhir Menon 2021-06-09 07:55:02 UTC 
Description of problem: AVC denials seen while running tests in test_integration/test_installation.py


Version-Release number of selected component (if applicable):
ipa-server-4.9.3-1.module+el8.5.0+10565+ae980a94.x86_64
selinux-policy-3.14.3-69.el8.noarch
selinux-policy-targeted-3.14.3-69.el8.noarch
389-ds-base-1.4.3.16-13.module+el8.4.0+10307+74bbfb4e.x86_64
krb5-server-1.18.2-10.el8.x86_64

How reproducible: Always


Steps to Reproduce:
1. Run upstream testsuite: test_integration/test_installation.py
2. Check AVC log.

Actual results:
This is a summary AVC file for pytest, for ausearch query for each host, check logs/ausearch-<host>.log
----
time->Wed Jun  9 02:11:09 2021
type=PROCTITLE msg=audit(1623219069.226:22): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E00696D706C696369745F66696C6573002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1623219069.226:22): arch=c000003e syscall=138 success=no exit=-13 a0=0 a1=7ffcce63a9e0 a2=0 a3=0 items=0 ppid=734 pid=776 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1623219069.226:22): avc:  denied  { getattr } for  pid=776 comm="sssd_be" name="/" dev="proc" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  9 02:11:10 2021
type=PROCTITLE msg=audit(1623219070.226:28): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D4573002F7573722F7362696E2F736574726F75626C6573686F6F7464002D66
type=SYSCALL msg=audit(1623219070.226:28): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffc56387ad0 a2=0 a3=0 items=0 ppid=782 pid=783 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1623219070.226:28): avc:  denied  { getattr } for  pid=783 comm="setroubleshootd" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
time->Wed Jun  9 02:11:10 2021
type=PROCTITLE msg=audit(1623219070.259:29): proctitle=72706D002D716C0066696C6573797374656D
type=SYSCALL msg=audit(1623219070.259:29): arch=c000003e syscall=138 success=no exit=-13 a0=3 a1=7ffe0903ab40 a2=0 a3=0 items=0 ppid=783 pid=821 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1623219070.259:29): avc:  denied  { getattr } for  pid=821 comm="rpm" name="/" dev="proc" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive


Expected results:
Fix the AVD denials

Additional info:
Comment 2 Alexander Bokovoy 2021-06-09 08:37:37 UTC 
Moving to selinux-policy.

On Fedora 34 I have this:

# sesearch --source sssd_t --target proc_t --allow 
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };

e.g. proc_t:filesystem getattr is allowed

On RHEL 8.5.0 I have this:

# sesearch --source sssd_t --target proc_t --allow
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search }; [ fips_mode ]:True
allow domain proc_t:lnk_file { getattr read };
allow kernel_system_state_reader proc_t:dir { getattr ioctl lock open read search };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow kernel_system_state_reader proc_t:lnk_file { getattr read };
allow sssd_t proc_t:dir { getattr open search };

e.g. proc_t:filesystem getattr is not allowed.
Comment 3 Zdenek Pytela 2021-06-09 08:48:54 UTC 

*** This bug has been marked as a duplicate of bug 1967125 ***