2031356 – SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t.

Bug 2031356 - SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t.

Summary: SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_us...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	35
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:a878df327c13e55dc37c5d725a8...
Duplicates (4):	2039983 2039985 2039986 2043739 (view as bug list)
Depends On:
Blocks:	2057435
TreeView+	depends on / blocked

Reported:	2021-12-11 09:46 UTC by Mikhail
Modified:	2022-02-23 11:56 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-35.10-1.fc35
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2057435 (view as bug list)
Environment:
Last Closed:	2022-01-19 02:11:28 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Mikhail 2021-12-11 09:46:14 UTC

Description of problem:
SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should be allowed sys_admin access on cap_userns labeled systemd_coredump_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.6-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-35.6-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.0-
                              0.rc4.20211207gitcd8c917a56f2.30.fc36.x86_64 #1
                              SMP PREEMPT Tue Dec 7 18:35:28 UTC 2021 x86_64
                              x86_64
Alert Count                   4
First Seen                    2021-12-11 12:31:29 +05
Last Seen                     2021-12-11 14:44:43 +05
Local ID                      79891449-d02a-4cad-8457-959a90646c13

Raw Audit Messages
type=AVC msg=audit(1639215883.828:346): avc:  denied  { sys_admin } for  pid=35611 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=0


Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,cap_userns,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-35.6-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.16.0-0.rc4.20211207gitcd8c917a56f2.30.fc36.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2021-12-13 10:56:29 UTC

More denials as reported using a different channel:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-35.6-1.fc36.noarch
----
time->Sat Dec 11 07:40:54 2021
type=AVC msg=audit(1639204854.117:978): avc:  denied  { sys_admin } for  pid=322547 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=1
----
time->Sat Dec 11 07:40:54 2021
type=AVC msg=audit(1639204854.127:979): avc:  denied  { mounton } for  pid=322548 comm="(sd-parse-elf)" path="/" dev="vda3" ino=256 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
----
time->Sat Dec 11 07:40:54 2021
type=AVC msg=audit(1639204854.127:980): avc:  denied  { dac_read_search } for  pid=322548 comm="(sd-parse-elf)" capability=2  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=1
----
time->Sat Dec 11 07:40:54 2021
type=AVC msg=audit(1639204854.127:981): avc:  denied  { dac_override } for  pid=322548 comm="(sd-parse-elf)" capability=1  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=cap_userns permissive=1

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-12-14 14:28:15 UTC

systemd-coredump forks a child process to perform core file analysis (comm=(sd-parse-elf)), and
before doing the actual analysis, it sets up some sandbox, using mount and user namespaces.
So all this is expected and should be allowed.

See https://github.com/systemd/systemd/commit/61aea456c1 for the upstream change.

Comment 3 Mikhail 2021-12-20 09:24:35 UTC

Similar problem has been detected:

Happens every time when crashed /usr/libexec/tracker-extract-3 process.

hashmarkername: setroubleshoot
kernel:         5.16.0-0.rc5.20211217git6441998e2e37.38.fc36.x86_64
package:        selinux-policy-targeted-35.7-1.fc36.noarch
reason:         SELinux is preventing systemd-coredum from 'sys_admin' accesses on the cap_userns labeled systemd_coredump_t.
type:           libreport

Comment 4 Zdenek Pytela 2022-01-13 20:15:36 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/999

Comment 5 Zdenek Pytela 2022-01-14 08:05:20 UTC

*** Bug 2039983 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2022-01-14 08:05:26 UTC

*** Bug 2039985 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2022-01-14 08:05:41 UTC

*** Bug 2039986 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2022-01-18 10:09:45 UTC

FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd

Comment 9 Fedora Update System 2022-01-19 02:11:28 UTC

FEDORA-2022-41fa7610dd has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Zdenek Pytela 2022-01-24 08:07:35 UTC

*** Bug 2043739 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.