Bug 2038580 - upsd SELINUX errors with Fedora 35
Summary: upsd SELINUX errors with Fedora 35
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-08 16:45 UTC by Matt Kinni
Modified: 2022-10-12 13:01 UTC
CC List: 11 users

Fixed In Version: selinux-policy-36.16-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-12 13:01:30 UTC
Type: Bug
Embargoed:


Attachments
ups.conf and upsd.conf (244 bytes, text/plain)
2022-01-08 16:45 UTC, Matt Kinni


Links
System: Github
ID: fedora-selinux selinux-policy pull 1401
Private: 0
Priority: None
Status: open
Summary: nut-upsd: kernel_read_system_state, fs_getattr_cgroup
Last Updated: 2022-09-21 15:43:09 UTC

Description Matt Kinni 2022-01-08 16:45:01 UTC
Created attachment 1849610 [details]
ups.conf and upsd.conf

Description of problem:

I am getting the following avc denials on boot when upsd starts:
type=AVC msg=audit(1641654906.673:166): avc:  denied  { getattr } for  pid=1704 comm="upsd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1641654906.673:167): avc:  denied  { read } for  pid=1704 comm="upsd" name="cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:168): avc:  denied  { open } for  pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:169): avc:  denied  { getattr } for  pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:170): avc:  denied  { ioctl } for  pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 ioctlcmd=0x5401 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:357): avc:  denied  { getattr } for  pid=29043 comm="upsd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1641658193.974:358): avc:  denied  { read } for  pid=29043 comm="upsd" name="cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:359): avc:  denied  { open } for  pid=29043 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:360): avc:  denied  { getattr } for  pid=29043 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641658193.974:361): avc:  denied  { ioctl } for  pid=29043 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 ioctlcmd=0x5401 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1

These reliably occur during the start of nut-server.service, and restarting the service generates the same denials over and over.

Version-Release number of selected component (if applicable):
nut-2.7.4-41.fc35.x86_64
nut-client-2.7.4-41.fc35.x86_64

How reproducible:
Always

Steps to Reproduce:
1. start nut-server with the attached upsd.conf, with selinux in permissive mode

Actual results:
avc denials are logged; see ausearch -m avc -ts recent | grep denied


Expected results:
upsd is able to access what it needs without avc denials in the F35 targeted policy

Additional info:

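The AVC lines above, grouped the way audit2allow would group them and mapped to the two policy interfaces named in the linked pull request. This is an added example, not code from the bug report or from selinux-policy; the interface mapping is an assumption taken from the PR title, and the sample input is constructed from the denials quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC records quoted in the bug report.
SAMPLE_AVC = """\
type=AVC msg=audit(1641654906.673:166): avc:  denied  { getattr } for  pid=1704 comm="upsd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1641654906.673:167): avc:  denied  { read } for  pid=1704 comm="upsd" name="cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1641654906.673:168): avc:  denied  { open } for  pid=1704 comm="upsd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
"""

# Matches both the raw (comm="upsd") and ausearch -i (comm=upsd) flavours.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Assumed mapping (target type, class) -> refpolicy interface, per the PR title.
INTERFACE_HINTS = {
    ("proc_t", "file"): "kernel_read_system_state",
    ("cgroup_t", "filesystem"): "fs_getattr_cgroup",
}

def type_of(context):
    """Return the type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render each group as the raw allow rule audit2allow would emit."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def suggest_interfaces(rules):
    """Map each group to the policy interface that should replace the raw rule."""
    return {key: INTERFACE_HINTS.get((key[1], key[2]), "no known interface")
            for key in sorted(rules)}

if __name__ == "__main__":
    found = summarize_denials(SAMPLE_AVC)
    print("\n".join(to_allow_rules(found)))
    print(suggest_interfaces(found))
```

Raw allow rules from audit2allow are fine for triage, but the upstream fix uses the interfaces so the domain gets the same access other daemons already have.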
Comment 1 Orion Poplawski 2022-01-12 04:24:18 UTC
nut SELinux policy is currently still in the main selinux-policy package.

Does this cause any functional issues?

Comment 2 Milos Malik 2022-01-18 08:02:12 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/18/2022 02:59:36.466:691) : proctitle=/usr/sbin/upsd -F 
type=PATH msg=audit(01/18/2022 02:59:36.466:691) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/18/2022 02:59:36.466:691) : cwd=/ 
type=SYSCALL msg=audit(01/18/2022 02:59:36.466:691) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fc0ac86562e a1=0x7ffd71806c20 a2=0x7fc0ac88b7d0 a3=0x0 items=1 ppid=1 pid=5143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2022 02:59:36.466:691) : avc:  denied  { getattr } for  pid=5143 comm=upsd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(01/18/2022 02:59:36.468:692) : proctitle=/usr/sbin/upsd -F 
type=PATH msg=audit(01/18/2022 02:59:36.468:692) : item=0 name=/proc/cmdline inode=4026532019 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/18/2022 02:59:36.468:692) : cwd=/ 
type=SYSCALL msg=audit(01/18/2022 02:59:36.468:692) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fc0ac865717 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2022 02:59:36.468:692) : avc:  denied  { read } for  pid=5143 comm=upsd name=cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.761:702) : proctitle=/usr/sbin/upsd -F 
type=PATH msg=audit(01/18/2022 03:00:31.761:702) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/18/2022 03:00:31.761:702) : cwd=/ 
type=SYSCALL msg=audit(01/18/2022 03:00:31.761:702) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f7cef3ef62e a1=0x7fff6ff78160 a2=0x7f7cef4157d0 a3=0x1000 items=1 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2022 03:00:31.761:702) : avc:  denied  { getattr } for  pid=5186 comm=upsd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1 
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.763:703) : proctitle=/usr/sbin/upsd -F 
type=PATH msg=audit(01/18/2022 03:00:31.763:703) : item=0 name=/proc/cmdline inode=4026532019 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/18/2022 03:00:31.763:703) : cwd=/ 
type=SYSCALL msg=audit(01/18/2022 03:00:31.763:703) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7f7cef3ef717 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2022 03:00:31.763:703) : avc:  denied  { open } for  pid=5186 comm=upsd path=/proc/cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/18/2022 03:00:31.763:703) : avc:  denied  { read } for  pid=5186 comm=upsd name=cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.764:704) : proctitle=/usr/sbin/upsd -F 
type=PATH msg=audit(01/18/2022 03:00:31.764:704) : item=0 name= inode=4026532019 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/18/2022 03:00:31.764:704) : cwd=/ 
type=SYSCALL msg=audit(01/18/2022 03:00:31.764:704) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x5 a1=0x7f7cef5ecff5 a2=0x7fff6ff78010 a3=0x1000 items=1 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2022 03:00:31.764:704) : avc:  denied  { getattr } for  pid=5186 comm=upsd path=/proc/cmdline dev="proc" ino=4026532019 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/18/2022 03:00:31.765:705) : proctitle=/usr/sbin/upsd -F 
type=SYSCALL msg=audit(01/18/2022 03:00:31.765:705) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7fff6ff780f0 a3=0x80 items=0 ppid=1 pid=5186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upsd exe=/usr/sbin/upsd subj=system_u:system_r:nut_upsd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2022 03:00:31.765:705) : avc:  denied  { ioctl } for  pid=5186 comm=upsd path=/proc/cmdline dev="proc" ino=4026532019 ioctlcmd=TCGETS scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 
----

# rpm -qa selinux\* nut\* | sort
nut-2.7.4-41.fc35.x86_64
nut-client-2.7.4-41.fc35.x86_64
selinux-policy-35.8-1.fc35.noarch
selinux-policy-targeted-35.8-1.fc35.noarch
#

Comment 3 Fedora Update System 2022-09-30 08:49:46 UTC
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

Comment 4 Fedora Update System 2022-10-01 02:12:53 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-10-12 13:01:30 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

