Bug 2112044 - lldpad causing AVC messages starting with selinux-policy-targeted 34.1.32
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.2
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 2136481
Depends On:
Blocks:
 
Reported: 2022-07-28 18:13 UTC by Matt Lucius
Modified: 2023-05-09 10:19 UTC
CC: 4 users

Fixed In Version: selinux-policy-34.1.44-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 08:16:08 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links:
Red Hat Issue Tracker RHELPLAN-129517 (last updated 2022-07-28 18:15:18 UTC)
Red Hat Product Errata RHBA-2023:2483 (last updated 2023-05-09 08:16:21 UTC)

Description Matt Lucius 2022-07-28 18:13:20 UTC
Description of problem:
When running lldpad regression tests (specifically that for BZ647020) under RHEL 9.1 beaker is picking up AVC messages during the run (pasted below). These errors do not occur with the RHEL-9.0 distro. 

Doing a sweep with successive versions of the selinux-policy-targeted RPM from 34.1.29 (RHEL-9.0) to 34.1.37 (the RHEL-9.1 distro I was using), the AVC messages started appearing with 34.1.32.

Starting with lldpad in case something needs to be updated, and this can be kicked elsewhere if required.

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.37-1.el9.noarch
----
time->Wed Jul 27 08:34:02 2022
type=PROCTITLE msg=audit(1658925242.581:134): proctitle=2F7573722F7362696E2F6C6C64706164002D74
type=SYSCALL msg=audit(1658925242.581:134): arch=c000003e syscall=44 success=no exit=-13 a0=3 a1=562fe3b20a50 a2=4 a3=0 items=0 ppid=1 pid=21019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lldpad" exe="/usr/sbin/lldpad" subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(1658925242.581:134): avc:  denied  { sendto } for  pid=21019 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F3231303337 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0


Version-Release number of selected component (if applicable):
RHEL-9.1 from 20220718
selinux-policy-targeted 34.1.32 and higher
lldpad lldpad-1.1.0-4.git85e5583.el9.x86_64

How reproducible:
Always

Steps to Reproduce:
1.Run lldpad regression tests for BZ647020 under beaker

Actual results:
Test passes with no issues

Expected results:
Beaker picks up AVC error as pasted above (lldpad functionality itself seems to work)

Additional info:
One of the failing runs: https://beaker.engineering.redhat.com/jobs/6858075

Comment 1 Aaron Conole 2022-09-14 15:40:01 UTC
Nothing changed from lldpad side.  Can selinux folks please advise?

Comment 2 Milos Malik 2022-09-14 19:15:12 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(09/14/2022 21:11:41.132:354) : proctitle=/usr/sbin/lldpad -t 
type=SOCKADDR msg=audit(09/14/2022 21:11:41.132:354) : saddr={ saddr_fam=local path=/com/intel/lldpad/3270 } 
type=SYSCALL msg=audit(09/14/2022 21:11:41.132:354) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5603959e0840 a2=0x4 a3=0x0 items=0 ppid=1 pid=1217 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(09/14/2022 21:11:41.132:354) : avc:  denied  { sendto } for  pid=1217 comm=lldpad path=/com/intel/lldpad/3270 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 
----

One of reproducers:

# service lldpad restart
Redirecting to /bin/systemctl restart lldpad.service
# lldptool 
lldptool v1.1.0
Copyright (c) 2007-2010, Intel Corporation

Substantially modified from:  hostapd_cli v 0.5.7
Copyright (c) 2004-2007, Jouni Malinen <j> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.



timeout
Warning: Failed to attach to lldpad.

Interactive mode

...

Comment 3 Milos Malik 2022-09-14 19:22:47 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(09/14/2022 21:16:30.227:479) : proctitle=/usr/sbin/lldpad -t 
type=SOCKADDR msg=audit(09/14/2022 21:16:30.227:479) : saddr={ saddr_fam=local path=/com/intel/lldpad/5435 } 
type=SYSCALL msg=audit(09/14/2022 21:16:30.227:479) : arch=x86_64 syscall=sendto success=yes exit=12 a0=0x3 a1=0x55f1d821aae0 a2=0xc a3=0x0 items=0 ppid=1 pid=4979 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(09/14/2022 21:16:30.227:479) : avc:  denied  { sendto } for  pid=4979 comm=lldpad path=/com/intel/lldpad/5435 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1 
----

The same reproducer:

# service lldpad restart
Redirecting to /bin/systemctl restart lldpad.service
# lldptool 
lldptool v1.1.0
Copyright (c) 2007-2010, Intel Corporation

Substantially modified from:  hostapd_cli v 0.5.7
Copyright (c) 2004-2007, Jouni Malinen <j> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.




Interactive mode

>
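
The records in the Description are raw auditd output (hex-encoded proctitle and socket path), while Comments 2 and 3 show the same denial after ausearch -i has decoded it. The following is an added example, not code from this report, from lldpad or from selinux-policy: it decodes the raw records, pairs the AVC with the SYSCALL and PROCTITLE records that share its serial, shows that the target is an abstract-namespace unix socket (leading NUL byte in the path), and emits the interim allow rule a local policy module would need until the fixed selinux-policy build listed under "Fixed In Version" is installed. The module name "lldpad_local", the "@" prefix used to display abstract socket paths, and the field whitelist for hex decoding are assumptions of this example; the sample records are copied from the Description.

```python
"""Decode raw auditd AVC records and derive the interim allow rule.

Added example for bug 2112044; not code from the report, lldpad or
selinux-policy.  Assumptions: module name "lldpad_local" is arbitrary,
abstract-namespace socket paths are displayed with a leading "@" (a display
convention borrowed from ss/lsof, not audit syntax).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Raw records copied from the bug report (Description, Wed Jul 27 2022).
SAMPLE_RECORDS = """\
type=PROCTITLE msg=audit(1658925242.581:134): proctitle=2F7573722F7362696E2F6C6C64706164002D74
type=SYSCALL msg=audit(1658925242.581:134): arch=c000003e syscall=44 success=no exit=-13 a0=3 a1=562fe3b20a50 a2=4 a3=0 items=0 ppid=1 pid=21019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lldpad" exe="/usr/sbin/lldpad" subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(1658925242.581:134): avc:  denied  { sendto } for  pid=21019 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F3231303337 scontext=system_u:system_r:lldpad_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
"""

HEAD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
# auditd hex-encodes these fields when they contain a control byte, a quote
# or a space.  Numeric fields such as a1=562fe3b20a50 or ses=4294967295 also
# look like hex, so only a whitelist of known string fields is decoded.
HEX_FIELDS = {"proctitle", "path", "name", "comm", "exe", "cwd", "key"}


def decode_field(name, value):
    """Return the printable value of one key=value pair."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]  # plain quoted string, nothing to decode
    if name in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        raw = bytes.fromhex(value)
        if name == "path" and raw.startswith(b"\x00"):
            # Leading NUL: Linux abstract unix-socket namespace, no fs inode.
            return "@" + raw[1:].decode("utf-8", "replace")
        # proctitle separates argv entries with NUL bytes.
        return raw.decode("utf-8", "replace").replace("\x00", " ")
    return value


def parse_record(line):
    """Split one raw audit record into (type, serial, {field: value})."""
    m = HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, _ts, serial, body = m.groups()
    fields = {k: decode_field(k, v) for k, v in KV_RE.findall(body)}
    perms = PERMS_RE.search(body)
    if perms:
        fields["perms"] = tuple(perms.group(1).split())
    return rtype, serial, fields


@dataclass
class Denial:
    serial: str
    perms: tuple
    source_type: str
    target_type: str
    tclass: str
    permissive: bool
    comm: str
    path: str
    proctitle: str
    syscall: str


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def collect_denials(text):
    """Group records by audit serial and build one Denial per AVC record."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rtype, serial, fields = parse_record(line)
            by_serial[serial].setdefault(rtype, []).append(fields)
    out = []
    for serial, recs in by_serial.items():
        proctitle = recs.get("PROCTITLE", [{}])[0].get("proctitle", "")
        syscall = recs.get("SYSCALL", [{}])[0].get("syscall", "")
        for avc in recs.get("AVC", []):
            out.append(Denial(serial, avc["perms"], selinux_type(avc["scontext"]),
                              selinux_type(avc["tcontext"]), avc["tclass"],
                              avc.get("permissive") == "1", avc.get("comm", ""),
                              avc.get("path", ""), proctitle, syscall))
    return out


def allow_rule(d):
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {' '.join(d.perms)};"


def local_module(denials, name="lldpad_local"):
    """Emit a .te source in the style audit2allow produces; build and load it
    with checkmodule/semodule_package/semodule, or feed the raw records to
    `audit2allow -M` directly.  Remove it again once the fixed policy is in."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes = defaultdict(set)
    for d in denials:
        classes[d.tclass].update(d.perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += sorted({allow_rule(d) for d in denials})
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = collect_denials(SAMPLE_RECORDS)
    for d in denials:
        verb = "would have been" if d.permissive else "was"
        print(f"serial {d.serial}: {d.proctitle!r} (syscall {d.syscall}) {verb} "
              f"denied {d.perms} on {d.tclass} {d.path!r}")
    print(local_module(denials))
```

Running it against the report's records prints the decoded command line `/usr/sbin/lldpad -t`, the abstract socket `@/com/intel/lldpad/21037` (the lldptool client's reply socket, hence the "Failed to attach to lldpad" timeout in Comment 2 when the send is denied) and the rule `allow lldpad_t unconfined_t:unix_dgram_socket sendto;`. That rule is derived mechanically from the AVC and is only a stop-gap; the report does not describe how selinux-policy-34.1.44-1.el9 resolves it, so prefer updating to that build over carrying a local module.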

Comment 14 Nikola Knazekova 2022-10-24 11:25:43 UTC
*** Bug 2136481 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2023-05-09 08:16:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

