Created attachment 1849610: ups.conf and upsd.conf

Description of problem:
I am getting the following avc denials on boot when upsd starts:

type=AVC msg=audit(1641654906.673:166): avc: denied { getattr } for pid=1704 comm="upsd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1641654906.673:167): avc: denied { read } for pid=1704 comm="upsd" name="cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:168): avc: denied { open } for pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:169): avc: denied { getattr } for pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:170): avc: denied { ioctl } for pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 ioctlcmd=0x5401 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:357): avc: denied { getattr } for pid=29043 comm="upsd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1641658193.974:358): avc: denied { read } for pid=29043 comm="upsd" name="cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:359): avc: denied { open } for pid=29043 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:360): avc: denied { getattr } for pid=29043 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:361): avc: denied { ioctl } for pid=29043 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 ioctlcmd=0x5401 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1

These reliably occur during the start of nut-server.service, and restarting the service generates the same denials over and over.

Version-Release number of selected component (if applicable):
nut-2.7.4-41.fc35.x86_64
nut-client-2.7.4-41.fc35.x86_64

How reproducible:
Always

Steps to Reproduce:
1. start nut-server with the attached upsd.conf, with selinux in permissive mode

Actual results:
avc denials are logged; see ausearch -m avc -ts recent | grep denied

Expected results:
upsd is able to access what it needs without avc denials in the F35 targeted policy
nut SELinux policy is currently still in the main selinux-policy package. Does this cause any functional issues?
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/18/2022 02:59:36.466:691) : proctitle=/usr/sbin/upsd -F
type=PATH msg=audit(01/18/2022 02:59:36.466:691) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/18/2022 02:59:36.466:691) : cwd=/
type=SYSCALL msg=audit(01/18/2022 02:59:36.466:691) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fc0ac86562e a1=0x7ffd71806c20 a2=0x7fc0ac88b7d0 a3=0x0 items=1 ppid=1 pid=5143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null)
type=AVC msg=audit(01/18/2022 02:59:36.466:691) : avc: denied { getattr } for pid=5143 comm=upsd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(01/18/2022 02:59:36.468:692) : proctitle=/usr/sbin/upsd -F
type=PATH msg=audit(01/18/2022 02:59:36.468:692) : item=0 name=/proc/cmdline inode=4026532019 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/18/2022 02:59:36.468:692) : cwd=/
type=SYSCALL msg=audit(01/18/2022 02:59:36.468:692) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fc0ac865717 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null)
type=AVC msg=audit(01/18/2022 02:59:36.468:692) : avc: denied { read } for pid=5143 comm=upsd name=cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.761:702) : proctitle=/usr/sbin/upsd -F
type=PATH msg=audit(01/18/2022 03:00:31.761:702) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/18/2022 03:00:31.761:702) : cwd=/
type=SYSCALL msg=audit(01/18/2022 03:00:31.761:702) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f7cef3ef62e a1=0x7fff6ff78160 a2=0x7f7cef4157d0 a3=0x1000 items=1 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null)
type=AVC msg=audit(01/18/2022 03:00:31.761:702) : avc: denied { getattr } for pid=5186 comm=upsd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.763:703) : proctitle=/usr/sbin/upsd -F
type=PATH msg=audit(01/18/2022 03:00:31.763:703) : item=0 name=/proc/cmdline inode=4026532019 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/18/2022 03:00:31.763:703) : cwd=/
type=SYSCALL msg=audit(01/18/2022 03:00:31.763:703) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7f7cef3ef717 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null)
type=AVC msg=audit(01/18/2022 03:00:31.763:703) : avc: denied { open } for pid=5186 comm=upsd path=/proc/cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/18/2022 03:00:31.763:703) : avc: denied { read } for pid=5186 comm=upsd name=cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.764:704) : proctitle=/usr/sbin/upsd -F
type=PATH msg=audit(01/18/2022 03:00:31.764:704) : item=0 name= inode=4026532019 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/18/2022 03:00:31.764:704) : cwd=/
type=SYSCALL msg=audit(01/18/2022 03:00:31.764:704) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x5 a1=0x7f7cef5ecff5 a2=0x7fff6ff78010 a3=0x1000 items=1 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null)
type=AVC msg=audit(01/18/2022 03:00:31.764:704) : avc: denied { getattr } for pid=5186 comm=upsd path=/proc/cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.765:705) : proctitle=/usr/sbin/upsd -F
type=SYSCALL msg=audit(01/18/2022 03:00:31.765:705) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7fff6ff780f0 a3=0x80 items=0 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null)
type=AVC msg=audit(01/18/2022 03:00:31.765:705) : avc: denied { ioctl } for pid=5186 comm=upsd path=/proc/cmdline dev="proc" ino=4026532019 ioctlcmd=TCGETS scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----

# rpm -qa selinux\* nut\* | sort
nut-2.7.4-41.fc35.x86_64
nut-client-2.7.4-41.fc35.x86_64
selinux-policy-35.8-1.fc35.noarch
selinux-policy-targeted-35.8-1.fc35.noarch
#
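To triage denials like the ones quoted in the report and in the enforcing/permissive captures above, the following Python script (an added example, not code from this bug report or from the nut or selinux-policy projects) parses AVC records in both the raw audit.log and ausearch -i formats, groups them by source type, target type and object class, flags which groups were actually blocked (permissive=0) rather than merely audited, and renders audit2allow-style rules for review. The sample records are constructed from the values in this report.

```python
import re

# Constructed sample mirroring the report: raw audit.log records (numeric
# timestamp, quoted values) and one ausearch -i line (interpreted timestamp,
# unquoted comm/name), plus a non-AVC record the parser must skip.
SAMPLE_AVC = """\
type=AVC msg=audit(1641654906.673:166): avc:  denied  { getattr } for  pid=1704 comm="upsd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1641654906.673:167): avc:  denied  { read } for  pid=1704 comm="upsd" name="cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:168): avc:  denied  { open } for  pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:170): avc:  denied  { ioctl } for  pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 ioctlcmd=0x5401 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/18/2022 02:59:36.466:691) : avc:  denied  { getattr } for  pid=5143 comm=upsd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(01/18/2022 02:59:36.466:691) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) comm=upsd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted or bare values


def parse_avc(line):
    """One AVC denial -> dict of perms/source type/target type/class/mode, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        return {"perms": set(m.group(1).split()),
                "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
                "ttype": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"],
                "permissive": fields.get("permissive", "0")}
    except (KeyError, IndexError):
        return None  # truncated record: skip rather than guess


def summarize(text):
    """Group denials by (source type, target type, class); 'enforced' is True
    when any record had permissive=0, i.e. the access was really blocked."""
    summary = {}
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        e = summary.setdefault(key, {"perms": set(), "count": 0, "enforced": False})
        e["perms"] |= rec["perms"]
        e["count"] += 1
        e["enforced"] |= rec["permissive"] == "0"
    return summary


def as_allow_rules(summary):
    """Render each group as an audit2allow-style rule; a starting point for policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in sorted(summary.items())]
```

Run it on real data with summarize(open("/var/log/audit/audit.log").read()) or on the output of ausearch -m avc -ts recent, and check each rendered rule against what the daemon legitimately needs before packaging it as a local policy module.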
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.