2137085 – Update to selinux-policy-targeted-34.1.44-1.el9.noarch triggers bpf alerts

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2137085 - Update to selinux-policy-targeted-34.1.44-1.el9.noarch triggers bpf alerts

Summary: Update to selinux-policy-targeted-34.1.44-1.el9.noarch triggers bpf alerts

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	CentOS Stream
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	9.2
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-10-23 08:24 UTC by alex
Modified:	2023-05-09 10:21 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-38.1.4-1.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-09 08:16:52 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
One of the alerts I got. (2.36 KB, text/plain) 2022-10-23 08:24 UTC, alex	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1529	None	open	Sd rfkill bpf	2022-12-19 13:59:01 UTC
Red Hat Issue Tracker	RHELPLAN-137339	None	None	None	2022-10-23 08:45:02 UTC
Red Hat Product Errata	RHBA-2023:2483	None	None	None	2023-05-09 08:17:08 UTC

Internal Links: 2149390

Description alex 2022-10-23 08:24:35 UTC

Created attachment 1919676 [details]
One of the alerts I got.

Description of problem:

Since the last dnf update I applied to my CentOS 9 Stream workstation, I'm getting constant SELinux alerts.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-34.1.44-1.el9.noarch

How reproducible:

I believe this happens in more cases, but resuming from suspend always triggers alerts, I think.

Steps to Reproduce:

1. Suspend the system
2. Resume the system

Actual results:

I normally get three SELinux alerts; systemd-rfkill, fprintd, and wpa_supplicant try to access bpf.

I have attached the details shown by the SELinux app for one of the alerts.

Expected results:

System should not produce SELinux alerts in normal operation.

Comment 1 Milos Malik 2022-10-23 17:25:51 UTC

SELinux denials generated by fprintd are already reported under BZ#2134827.

Sofar I had no luck reproducing them via systemd-rfkill or wpa_supplicant.

Comment 2 alex 2022-10-23 17:32:46 UTC

Hmmm, maybe then close this bug? I can reproduce the issues I have with suspension [this is an X1 Carbon Gen 3], and add any required information to the other bug.

Just for testing:

[root@molly ~]# ausearch -x rf | tail
----
time->Sun Oct 23 18:00:32 2022
type=PROCTITLE msg=audit(1666540832.736:1603): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666540832.736:1603): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffdb4b21150 items=0 ppid=1 pid=95157 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666540832.736:1603): avc:  denied  { bpf } for  pid=95157 comm="systemd-rfkill" capability=39  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
----
time->Sun Oct 23 19:29:46 2022
type=PROCTITLE msg=audit(1666546186.664:1668): proctitle="/usr/lib/systemd/systemd-rfkill"
type=SYSCALL msg=audit(1666546186.664:1668): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=1a a3=7ffe090efbe0 items=0 ppid=1 pid=105448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
type=AVC msg=audit(1666546186.664:1668): avc:  denied  { bpf } for  pid=105448 comm="systemd-rfkill" capability=39  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0

[root@molly ~]# ausearch -x rf | audit2allow


#============= systemd_rfkill_t ==============
allow systemd_rfkill_t self:capability2 bpf;

[root@molly ~]# ausearch -x wpa | tail
time->Sun Oct 23 19:29:47 2022
type=PROCTITLE msg=audit(1666546187.030:1673): proctitle=2F7573722F7362696E2F7770615F737570706C6963616E74002D63002F6574632F7770615F737570706C6963616E742F7770615F737570706C6963616E742E636F6E66002D75002D73
type=SYSCALL msg=audit(1666546187.030:1673): arch=c000003e syscall=54 success=yes exit=0 a0=c a1=1 a2=1a a3=55f15ed093a0 items=0 ppid=1 pid=1637 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1666546187.030:1673): avc:  denied  { bpf } for  pid=1637 comm="wpa_supplicant" capability=39  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0


[root@molly ~]# ausearch -x wpa | audit2allow


#============= NetworkManager_t ==============
allow NetworkManager_t self:capability2 bpf;


..................

I'm happy to do any other testing you want. And I'm happy to continue tracking this issue on the existing bug.

Cheers,

Álex

Comment 3 Zdenek Pytela 2022-12-15 13:32:07 UTC

The denial interpreted:

type=AVC msg=audit(23.10.2022 19:29:46.664:1668) : avc:  denied  { bpf } for  pid=105448 comm=systemd-rfkill capability=bpf  scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(23.10.2022 19:29:46.664:1668) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x6 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffe090efbe0 items=0 ppid=1 pid=105448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-rfkill exe=/usr/lib/systemd/systemd-rfkill subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)

Comment 4 Zdenek Pytela 2022-12-19 13:59:02 UTC

(In reply to alex from comment #2)
> I'm happy to do any other testing you want. And I'm happy to continue
> tracking this issue on the existing bug.
Hello Álex,

In the end we use both the bugs. If you can reproduce the issues in Fedora, you can try
https://github.com/fedora-selinux/selinux-policy/pull/1529
Checks -> Artifacts -> rpms.zip

Comment 5 Zdenek Pytela 2022-12-19 15:47:51 UTC

Commit to backport:
commit b42deb870faaa63be41cd6b6b9d8a5846205e6ea (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Dec 19 14:46:41 2022 +0100

    Allow NetworkManager and wpa_supplicant the bpf capability

Comment 11 alex 2023-01-15 10:59:07 UTC

Just did

$ sudo dnf install https://kojihub.stream.centos.org/kojifiles/packages/selinux-policy/38.1.4/1.el9/noarch/selinux-policy-38.1.4-1.el9.noarch.rpm https://kojihub.stream.centos.org/kojifiles/packages/selinux-policy/38.1.4/1.el9/noarch/selinux-policy-targeted-38.1.4-1.el9.noarch.rpm

I'll reboot and report back in 1-2 days, I guess.

Comment 12 alex 2023-01-20 20:56:54 UTC

No messages anymore since the update, so good job!

Comment 15 errata-xmlrpc 2023-05-09 08:16:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

Note You need to log in before you can comment on or make changes to this bug.