Bug 2073265 - various avc denials for comm="sss_cache" path="pipe:[18908]" dev="pipefs"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-04-08 05:35 UTC by Chris Murphy
Modified: 2022-12-23 01:20 UTC (History)

Fixed In Version: selinux-policy-36.17-1.fc36
Clone Of:
Environment:
Last Closed: 2022-12-23 01:20:09 UTC
Type: Bug
Embargoed:


Attachments
journal.log (168.25 KB, text/plain)
2022-04-08 16:30 UTC, Chris Murphy


Links
System: Github
ID: fedora-selinux selinux-policy pull 1418
Private: 0
Priority: None
Status: open
Summary: Allow sss daemons read/write unnamed pipes of cloud-init
Last Updated: 2022-09-30 14:11:29 UTC

Description Chris Murphy 2022-04-08 05:35:07 UTC
Description of problem:

Multiple AVC errors on first boot.


Version-Release number of selected component (if applicable):
selinux-policy-36.5-1.fc36.noarch
Fedora-Cloud-Base-36-20220405.n.0.x86_64.raw

How reproducible:
Always


Steps to Reproduce:
1. Boot the image, check for AVC errors

Actual results:

Apr 08 05:08:21 fedora audit[810]: AVC avc:  denied  { read } for  pid=810 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[810]: AVC avc:  denied  { write } for  pid=810 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[810]: AVC avc:  denied  { write } for  pid=810 comm="sss_cache" path="pipe:[18910]" dev="pipefs" ino=18910 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc:  denied  { read } for  pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc:  denied  { write } for  pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Apr 08 05:08:21 fedora audit[812]: AVC avc:  denied  { write } for  pid=812 comm="sss_cache" path="pipe:[18910]" dev="pipefs" ino=18910 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0


Expected results:

I expect no AVC denials on first boot of a cloud image

Additional info:

# find / -inum 18908
/sys/devices/platform/i8042/serio0/wakeup/wakeup28/uevent
/var/lib/selinux/targeted/active/modules/100/jetty/cil
# find / -inum 18909
/sys/devices/platform/i8042/serio0/wakeup/wakeup28/subsystem
/var/lib/selinux/targeted/active/modules/100/jetty/hll
# find / -inum 18910
/sys/devices/platform/i8042/serio0/wakeup/wakeup28/device
/var/lib/selinux/targeted/active/modules/100/jetty/lang_ext


I can't tell there are any consequences for these denials.

Comment 1 Zdenek Pytela 2022-04-08 07:21:30 UTC
Chris,

Do you happen to know at which moment this denial appears?

Comment 2 Chris Murphy 2022-04-08 16:30:56 UTC
Created attachment 1871474
journal.log

Happens right as cloudinit starts up. While it does happen on the first boot of the image using virt-install, it doesn't happen for subsequent boots, but the journal for these boots also doesn't show cloud-init running.

Comment 3 Fedora Update System 2022-12-07 09:20:47 UTC
FEDORA-2022-e7d50924ec has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

Comment 4 Fedora Update System 2022-12-08 02:53:15 UTC
FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e7d50924ec`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-12-23 01:20:09 UTC
FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

