Bug 2071586 - SELinux is preventing pidof from 'sys_ptrace' accesses on the cap_userns labeled abrt_t.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 37
Hardware: x86_64
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:7ccfa5897eefeddb8bf8cfa4e42...
Depends On:
Blocks:
Reported: 2022-04-04 09:54 UTC by Ankur Sinha (FranciscoD)
Modified: 2022-09-27 00:15 UTC (History)

Fixed In Version: selinux-policy-37.12-2.fc37
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-27 00:15:57 UTC
Type: ---
Embargoed:




Links
System: Github fedora-selinux selinux-policy, pull 1373
Private: 0
Priority: None
Status: open
Summary: pidof executed by abrt can readlink /proc/*/exe
Last Updated: 2022-09-07 09:04:06 UTC

Description Ankur Sinha (FranciscoD) 2022-04-04 09:54:11 UTC
Description of problem:
SELinux is preventing pidof from 'sys_ptrace' accesses on the cap_userns labeled abrt_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pidof should be allowed sys_ptrace access on cap_userns labeled abrt_t by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pidof' --raw | audit2allow -M my-pidof
# semodule -X 300 -i my-pidof.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        pidof
Source Path                   pidof
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.5-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.1-300.fc36.x86_64 #1 SMP
                              PREEMPT Mon Mar 28 15:27:56 UTC 2022 x86_64 x86_64
Alert Count                   4
First Seen                    2022-03-30 21:20:25 BST
Last Seen                     2022-04-04 10:53:03 BST
Local ID                      b9b84c50-2dc9-4c25-b13a-14be66689fa0

Raw Audit Messages
type=AVC msg=audit(1649065983.329:425): avc:  denied  { sys_ptrace } for  pid=2422 comm="pidof" capability=19  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0


Hash: pidof,abrt_t,abrt_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-targeted-36.5-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.1-300.fc36.x86_64
type:           libreport

Potential duplicate: bug 1836681
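
The raw AVC record above, and the interpreted records from `ausearch -i` further down in this bug, are the input that `audit2allow` turns into a local module. The following helper, added here as an example and not part of the bug report or of the selinux-policy project, parses both record shapes, tells enforced denials (permissive=0, the syscall really failed) from permissive-mode ones (permissive=1, only logged), and prints the allow rule each denial would need in the form audit2allow prints it. The sample records are constructed from the values quoted in this report (the SYSCALL line is abbreviated); on a real system the input would be the output of `ausearch -m avc --raw`.

```python
"""Triage SELinux AVC denials from audit records (added example)."""
import re

# Constructed samples: an enforced denial in the raw form setroubleshoot
# quotes (capability=19, epoch timestamp), a non-AVC record that must be
# skipped, and the same denial in the interpreted `ausearch -i` form,
# logged in permissive mode.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1649065983.329:425): avc:  denied  { sys_ptrace } for  '
    'pid=2422 comm="pidof" capability=19  '
    'scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0',
    'type=SYSCALL msg=audit(09/06/2022 12:37:34.144:486) : arch=x86_64 syscall=readlink '
    'success=no exit=EACCES(Permission denied) comm=pidof exe=/usr/bin/pidof',
    'type=AVC msg=audit(09/06/2022 12:51:17.214:516) : avc:  denied  { sys_ptrace } for  '
    'pid=25131 comm=pidof capability=sys_ptrace  '
    'scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1',
]

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)
# key=value pairs; values may be double-quoted (comm="pidof" in raw records).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0: the access really failed (EACCES for the caller);
        # permissive=1: only logged, the access went through.
        "enforced": m.group("permissive") == "0",
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "capability": fields.get("capability"),
    }


def format_rule(stype, ttype, tclass, perms):
    """Render an allow rule the way audit2allow prints it: `self` when source
    and target type coincide, braces only around multiple permissions."""
    target = "self" if stype == ttype else ttype
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def allow_rule(avc):
    """Allow rule for a single parsed AVC record."""
    return format_rule(avc["stype"], avc["ttype"], avc["tclass"], avc["perms"])


def summarize(lines):
    """Merge all denied AVC records by (source, target, class), like audit2allow."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        merged.setdefault(key, set()).update(avc["perms"])
    return [format_rule(s, t, c, sorted(p)) for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        avc = parse_avc(line)
        if avc:
            mode = "enforced" if avc["enforced"] else "permissive"
            print(f"{avc['comm']} (pid {avc['pid']}) {mode}: {allow_rule(avc)}")
    print("merged:", summarize(SAMPLE_AUDIT_LINES))
```

The merged rule is exactly what a `my-pidof.pp` module built with `audit2allow -M` would carry, which makes the helper useful for reviewing such a module before loading it: a rule that grants a process type a capability on `self` is broad, and the better route is the one the rest of this bug takes, a boolean or a fixed policy package rather than a local module kept indefinitely.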

Comment 1 Zdenek Pytela 2022-04-04 10:06:56 UTC
Hi,

If you want abrt to handle event scripts, turn the abrt_handle_event boolean on:

  # setsebool -P abrt_handle_event on

Comment 2 Ankur Sinha (FranciscoD) 2022-05-10 14:40:55 UTC
A similar problem has been detected:

Upgraded and rebooted a F36 system

hashmarkername: setroubleshoot
kernel:         5.17.6-300.fc36.x86_64
package:        selinux-policy-targeted-36.8-1.fc36.noarch
reason:         SELinux is preventing pidof from 'sys_ptrace' accesses on the cap_userns labeled abrt_t.
type:           libreport

Comment 3 Milos Malik 2022-09-06 10:50:55 UTC
Reproducible on Fedora 36 VM:

# touch /var/crash/something
# service abrt-vmcore stop
Redirecting to /bin/systemctl stop abrt-vmcore.service
# service abrt-vmcore start
Redirecting to /bin/systemctl start abrt-vmcore.service
# service abrt-vmcore status
Redirecting to /bin/systemctl status abrt-vmcore.service
● abrt-vmcore.service - Harvest vmcores for ABRT
     Loaded: loaded (/usr/lib/systemd/system/abrt-vmcore.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2022-09-06 12:37:34 CEST; 7min ago
    Process: 24937 ExecStart=/usr/sbin/abrt-harvest-vmcore (code=exited, status=0/SUCCESS)
   Main PID: 24937 (code=exited, status=0/SUCCESS)
        CPU: 137ms

Sep 06 12:37:33 fedora systemd[1]: Starting abrt-vmcore.service - Harvest vmcores for ABRT...
Sep 06 12:37:34 fedora systemd[1]: Finished abrt-vmcore.service - Harvest vmcores for ABRT.
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(09/06/2022 12:37:34.144:485) : proctitle=pidof abrtd 
type=SYSCALL msg=audit(09/06/2022 12:37:34.144:485) : arch=x86_64 syscall=read success=yes exit=169 a0=0x4 a1=0x55852b067ad0 a2=0x400 a3=0x0 items=0 ppid=24943 pid=24944 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/usr/bin/pidof subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/06/2022 12:37:34.144:485) : avc:  denied  { sys_ptrace } for  pid=24944 comm=pidof capability=sys_ptrace  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0 
----
type=PROCTITLE msg=audit(09/06/2022 12:37:34.144:486) : proctitle=pidof abrtd 
type=PATH msg=audit(09/06/2022 12:37:34.144:486) : item=0 name=/proc/813/exe inode=29772 dev=00:16 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:devicekit_power_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 12:37:34.144:486) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 12:37:34.144:486) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd50d1c650 a1=0x55852b05a4b0 a2=0x400 a3=0x0 items=1 ppid=24943 pid=24944 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/usr/bin/pidof subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/06/2022 12:37:34.144:486) : avc:  denied  { sys_ptrace } for  pid=24944 comm=pidof capability=sys_ptrace  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0 
----

# rpm -qa selinux\* abrt\* | sort
abrt-2.15.1-1.fc36.x86_64
abrt-addon-ccpp-2.15.1-1.fc36.x86_64
abrt-addon-kerneloops-2.15.1-1.fc36.x86_64
abrt-addon-pstoreoops-2.15.1-1.fc36.x86_64
abrt-addon-vmcore-2.15.1-1.fc36.x86_64
abrt-addon-xorg-2.15.1-1.fc36.x86_64
abrt-cli-2.15.1-1.fc36.x86_64
abrt-dbus-2.15.1-1.fc36.x86_64
abrt-libs-2.15.1-1.fc36.x86_64
abrt-plugin-bodhi-2.15.1-1.fc36.x86_64
abrt-retrace-client-2.15.1-1.fc36.x86_64
abrt-tui-2.15.1-1.fc36.noarch
selinux-policy-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch
# getsebool -a | grep abrt
abrt_anon_write --> off
abrt_handle_event --> on
abrt_upload_watch_anon_write --> on
#

Comment 4 Milos Malik 2022-09-06 10:52:24 UTC
The same reproducer executed in permissive mode leads to the following SELinux denial:
----
type=PROCTITLE msg=audit(09/06/2022 12:51:17.214:516) : proctitle=pidof abrtd 
type=SYSCALL msg=audit(09/06/2022 12:51:17.214:516) : arch=x86_64 syscall=read success=yes exit=304 a0=0x4 a1=0x55b241026ad0 a2=0x400 a3=0x0 items=0 ppid=25130 pid=25131 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/usr/bin/pidof subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/06/2022 12:51:17.214:516) : avc:  denied  { sys_ptrace } for  pid=25131 comm=pidof capability=sys_ptrace  scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----

Comment 5 Fedora Update System 2022-09-23 16:27:24 UTC
FEDORA-2022-839f7bd62c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-839f7bd62c

Comment 6 Fedora Update System 2022-09-24 02:59:51 UTC
FEDORA-2022-839f7bd62c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-839f7bd62c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-839f7bd62c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-09-27 00:15:57 UTC
FEDORA-2022-839f7bd62c has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

