Description of problem:

Version-Release number of selected component (if applicable):
kernel-6.2.0-0.rc5.20230126git7c46948a6e9c.41.fc38.x86_64
kernel-core-6.2.0-0.rc5.20230126git7c46948a6e9c.41.fc38.x86_64
kernel-devel-6.2.0-0.rc5.20230126git7c46948a6e9c.41.fc38.x86_64
kernel-headers-6.2.0-0.rc4.git0.1.fc38.x86_64
kernel-modules-6.2.0-0.rc5.20230126git7c46948a6e9c.41.fc38.x86_64
kernel-modules-core-6.2.0-0.rc5.20230126git7c46948a6e9c.41.fc38.x86_64
kernel-srpm-macros-1.0-16.fc38.noarch
selinux-policy-38.5-2.fc38.noarch
selinux-policy-targeted-38.5-2.fc38.noarch
systemd-253~rc1-3.fc38.x86_64
systemd-libs-253~rc1-3.fc38.x86_64
systemd-networkd-253~rc1-3.fc38.x86_64
systemd-pam-253~rc1-3.fc38.x86_64
systemd-resolved-253~rc1-3.fc38.x86_64
systemd-udev-253~rc1-3.fc38.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. # systemctl daemon-reload
3. # ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results:
output from ausearch ... | audit2allow
allow kernel_generic_helper_t bin_t:file execute_no_trans;
allow kernel_generic_helper_t kernel_t:key { read view };
allow kernel_generic_helper_t self:unix_dgram_socket create;

Expected results:
* no SELinux denials
Created attachment 1941484: SELinux denials caught in enforcing mode
Created attachment 1941485: SELinux denials caught in permissive mode
Reproducer executed in permissive mode -> ausearch ... | audit2allow:
allow kernel_generic_helper_t bin_t:file execute_no_trans;
allow kernel_generic_helper_t devlog_t:lnk_file read;
allow kernel_generic_helper_t devlog_t:sock_file write;
allow kernel_generic_helper_t init_var_run_t:dir search;
allow kernel_generic_helper_t kernel_t:key { read setattr view };
allow kernel_generic_helper_t kernel_t:unix_dgram_socket sendto;
allow kernel_generic_helper_t net_conf_t:file { getattr open read };
allow kernel_generic_helper_t net_conf_t:lnk_file read;
allow kernel_generic_helper_t passwd_file_t:file { getattr open read };
allow kernel_generic_helper_t self:key write;
allow kernel_generic_helper_t self:netlink_route_socket { bind create getattr getopt nlmsg_read setopt };
allow kernel_generic_helper_t self:udp_socket { connect create setopt };
allow kernel_generic_helper_t self:unix_dgram_socket { connect create };
allow kernel_generic_helper_t syslogd_var_run_t:dir search;

Most of the SELinux denials were triggered by the nfsidmap program, which was executed by the request-key program.
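Added example, not part of the bug report: the enforcing-mode run in the description stops at the first denial on each path, so it surfaces 3 rules, while the permissive-mode run above surfaces 14. The script below parses both audit2allow outputs quoted in this report (embedded verbatim as sample input) and lists the permissions the enforcing run never reached, which is why the permissive-mode list is the one to base a policy fix on.

```python
import re
from collections import defaultdict

# Sample inputs: the audit2allow output quoted in this report (enforcing run
# from the description, permissive run from the comment above), copied verbatim.
ENFORCING = """\
allow kernel_generic_helper_t bin_t:file execute_no_trans;
allow kernel_generic_helper_t kernel_t:key { read view };
allow kernel_generic_helper_t self:unix_dgram_socket create;
"""
PERMISSIVE = """\
allow kernel_generic_helper_t bin_t:file execute_no_trans;
allow kernel_generic_helper_t devlog_t:lnk_file read;
allow kernel_generic_helper_t devlog_t:sock_file write;
allow kernel_generic_helper_t init_var_run_t:dir search;
allow kernel_generic_helper_t kernel_t:key { read setattr view };
allow kernel_generic_helper_t kernel_t:unix_dgram_socket sendto;
allow kernel_generic_helper_t net_conf_t:file { getattr open read };
allow kernel_generic_helper_t net_conf_t:lnk_file read;
allow kernel_generic_helper_t passwd_file_t:file { getattr open read };
allow kernel_generic_helper_t self:key write;
allow kernel_generic_helper_t self:netlink_route_socket { bind create getattr getopt nlmsg_read setopt };
allow kernel_generic_helper_t self:udp_socket { connect create setopt };
allow kernel_generic_helper_t self:unix_dgram_socket { connect create };
allow kernel_generic_helper_t syslogd_var_run_t:dir search;
"""

# One audit2allow rule: "allow SRC TGT:CLASS PERM;" or "allow SRC TGT:CLASS { P1 P2 };"
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));$")

def parse_rules(text):
    """Map (source, target, class) -> set of permissions; non-rule lines are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and audit2allow's '#!!!!' boolean hints
        src, tgt, cls, multi, single = m.groups()
        rules[(src, tgt, cls)].update(multi.split() if multi is not None else [single])
    return dict(rules)

def hidden_by_enforcing(enforcing, permissive):
    """Permissions the permissive run shows that the enforcing run never reached."""
    hidden = {}
    for key, perms in permissive.items():
        extra = perms - enforcing.get(key, set())
        if extra:
            hidden[key] = extra
    return hidden
```

Running `hidden_by_enforcing(parse_rules(ENFORCING), parse_rules(PERMISSIVE))` returns 13 keys; the only rule fully visible in enforcing mode was the execute_no_trans denial on bin_t.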
It seems that any program labeled bin_t or usr_t transitions into kernel_generic_helper_t when executed by the kernel:

# sesearch -c process -T | grep kernel_generic_helper_t
type_transition kernel_generic_helper_t abrt_helper_exec_t:process abrt_helper_t;
type_transition kernel_t bin_t:process kernel_generic_helper_t;
type_transition kernel_t usr_t:process kernel_generic_helper_t;
# sesearch -s kernel_t -t bin_t -c file -p execute -A
allow kernel_t bin_t:file { execute map };
# sesearch -s kernel_t -t usr_t -c file -p execute -A
allow kernel_t usr_t:file execute;
#
Should be fixed by the linked PR.

Side note: it is not reproducible in this way on a clean machine - I suppose it needs to be a machine set up by 1minutetip?

(In reply to Milos Malik from comment #4)
> It seems that any program labeled bin_t or usr_t transitions into
> kernel_generic_helper_t when executed by the kernel:

Yes, this is intended.
Yes, I reproduced it on a 1minutetip machine.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
FEDORA-2023-eaebcb91e7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.