Description of problem:
SELinux is preventing libvirt_leasesh from using the 'execmem' accesses on a process.

*****  Plugin allow_execmem (91.4 confidence) suggests   *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that libvirt_leasesh should be allowed execmem access on processes labeled dnsmasq_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirt_leasesh' --raw | audit2allow -M my-libvirtleasesh
# semodule -X 300 -i my-libvirtleasesh.pp

Additional Information:
Source Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        libvirt_leasesh
Source Path                   libvirt_leasesh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-37.8-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.8-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.19.7-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 5 15:09:01 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-09-08 16:14:35 AEST
Last Seen                     2022-09-08 16:14:35 AEST
Local ID                      87655b42-cb18-431d-aad6-81b875d47068

Raw Audit Messages
type=AVC msg=audit(1662617675.101:311): avc: denied { execmem } for pid=1695 comm="libvirt_leasesh" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tclass=process permissive=1

Hash: libvirt_leasesh,dnsmasq_t,dnsmasq_t,process,execmem

Version-Release number of selected component:
selinux-policy-targeted-37.8-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.2
hashmarkername: setroubleshoot
kernel:         5.19.7-300.fc37.x86_64
type:           libreport

I believe this BZ is a duplicate of BZ#2122918. The same SELinux denial is visible in the following comments:

* https://bugzilla.redhat.com/show_bug.cgi?id=2122918#c0
* https://bugzilla.redhat.com/show_bug.cgi?id=2122918#c4

*** This bug has been marked as a duplicate of bug 2122918 ***
*** Bug 2142965 has been marked as a duplicate of this bug. ***
*** Bug 2143364 has been marked as a duplicate of this bug. ***
*** Bug 2143745 has been marked as a duplicate of this bug. ***
*** Bug 2144364 has been marked as a duplicate of this bug. ***