Bug 2173759 - SELinux is preventing hardware initiated reboot on Azure
Summary: SELinux is preventing hardware initiated reboot on Azure
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 2175889 2175895 2185490 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-02-27 21:53 UTC by Michael Armijo
Modified: 2023-04-11 17:23 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-03-27 15:15:04 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1616 0 None open Allow poweroff search dbus pid directory 2023-02-28 15:21:30 UTC

Description Michael Armijo 2023-02-27 21:53:47 UTC 
Description of problem:
When installing Fedora 39 rawhide branch on a Microsoft Azure VM, SELinux denies any reboot initiated by the Azure Hypervisor.

Version-Release number of selected component (if applicable):
selinux-policy-38.7-1.fc38.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start with latest rawhide Microsoft Azure image
2. Attempt a reboot from the Azure UI.
3. See AVC Denial in system logs and no reboot

Actual results:
AVC Denial from SELinux prevents a hardware initiated reboot on Microsoft Azure

Expected results:
No failure. machine reboots without issue.

Additional info:

rpm -q selinux-policy
selinux-policy-38.7-1.fc38.noarch

This was first seen in: selinux-policy-38.6-1.fc38.noarch


Captured in enforcing mode:
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e kernel: kauditd_printk_skb: 22 callbacks suppressed
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e kernel: audit: type=1131 audit(1677525728.070:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e audit: BPF prog-id=69 op=UNLOAD
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e audit: BPF prog-id=68 op=UNLOAD
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e audit: BPF prog-id=67 op=UNLOAD
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e kernel: audit: type=1334 audit(1677525728.094:240): prog-id=69 op=UNLOAD
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e kernel: audit: type=1334 audit(1677525728.094:241): prog-id=68 op=UNLOAD
Feb 27 19:22:08 kola-956a08b4-6dfe71ec5e kernel: audit: type=1334 audit(1677525728.094:242): prog-id=67 op=UNLOAD
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e kernel: hv_utils: Shutdown request received - graceful shutdown initiated
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e audit[1002]: AVC avc:  denied  { search } for  pid=1002 comm="poweroff" name="dbus" dev="tmpfs" ino=48 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e audit[1002]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=5651733e6620 a2=1e a3=7ffe0ca2f2b4 items=0 ppid=2 pid=1002 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="poweroff" exe="/usr/bin/systemctl" subj=system_u:system_r:kernel_systemctl_t:s0 key=(null)
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e audit: PROCTITLE proctitle="/sbin/poweroff"
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e kernel: audit: type=1400 audit(1677525758.417:243): avc:  denied  { search } for  pid=1002 comm="poweroff" name="dbus" dev="tmpfs" ino=48 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e kernel: audit: type=1300 audit(1677525758.417:243): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=5651733e6620 a2=1e a3=7ffe0ca2f2b4 items=0 ppid=2 pid=1002 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="poweroff" exe="/usr/bin/systemctl" subj=system_u:system_r:kernel_systemctl_t:s0 key=(null)
Feb 27 19:22:38 kola-956a08b4-6dfe71ec5e kernel: audit: type=1327 audit(1677525758.417:243): proctitle="/sbin/poweroff"


Captured in permissive mode:

Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e audit[776]: USER_MAC_STATUS pid=776 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e kernel: audit: type=2313 audit(1677526566.208:230): pid=776 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e kernel: audit: type=1131 audit(1677526566.217:231): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e audit: BPF prog-id=69 op=UNLOAD
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e audit: BPF prog-id=68 op=UNLOAD
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e audit: BPF prog-id=67 op=UNLOAD
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e kernel: audit: type=1334 audit(1677526566.238:232): prog-id=69 op=UNLOAD
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e kernel: audit: type=1334 audit(1677526566.238:233): prog-id=68 op=UNLOAD
Feb 27 19:36:06 kola-956a08b4-6dfe71ec5e kernel: audit: type=1334 audit(1677526566.238:234): prog-id=67 op=UNLOAD
Comment 1 Dusty Mabe 2023-02-27 21:58:19 UTC 
linking back to the original Fedora CoreOS issue on this: https://github.com/coreos/fedora-coreos-tracker/issues/1412
Comment 2 Zdenek Pytela 2023-02-28 15:21:31 UTC 
Can you try the PR scratchbuild?

https://github.com/fedora-selinux/selinux-policy/pull/1616
Checks -> Artifacts -> rpms.zip
Comment 3 Michael Armijo 2023-02-28 19:14:54 UTC 
The PR scratchbuild doesn't have the samne AVC denial but produces a different one and doesn't power off.

[core@kola-841f716c-d25d175243 ~]$ rpm -q selinux-policy
selinux-policy-38.7-1.20230228_151905.50e4e6b.fc38.noarch

Feb 28 18:57:13 kola-841f716c-d25d175243 kernel: hv_utils: Shutdown request received - graceful shutdown initiated
Feb 28 18:57:13 kola-841f716c-d25d175243 audit[1004]: AVC avc:  denied  { write } for  pid=1004 comm="poweroff" name="system_bus_socket" dev="tmpfs" ino=1319 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
Feb 28 18:57:13 kola-841f716c-d25d175243 audit[1004]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=55f10f302620 a2=1e a3=7ffe7edac3d4 items=0 ppid=2 pid=1004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="poweroff" exe="/usr/bin/systemctl" subj=system_u:system_r:kernel_systemctl_t:s0 key=(null)
Feb 28 18:57:13 kola-841f716c-d25d175243 audit: PROCTITLE proctitle="/sbin/poweroff"
Feb 28 18:57:13 kola-841f716c-d25d175243 kernel: audit: type=1400 audit(1677610633.522:230): avc:  denied  { write } for  pid=1004 comm="poweroff" name="system_bus_socket" dev="tmpfs" ino=1319 scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
Feb 28 18:57:13 kola-841f716c-d25d175243 kernel: audit: type=1300 audit(1677610633.522:230): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=55f10f302620 a2=1e a3=7ffe7edac3d4 items=0 ppid=2 pid=1004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="poweroff" exe="/usr/bin/systemctl" subj=system_u:system_r:kernel_systemctl_t:s0 key=(null)
Feb 28 18:57:13 kola-841f716c-d25d175243 kernel: audit: type=1327 audit(1677610633.522:230): proctitle="/sbin/poweroff"



captured in permissive mode:
Feb 28 19:08:23 kola-841f716c-d25d175243 systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Feb 28 19:08:23 kola-841f716c-d25d175243 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 28 19:08:23 kola-841f716c-d25d175243 kernel: audit: type=1131 audit(1677611303.285:222): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 28 19:08:23 kola-841f716c-d25d175243 audit: BPF prog-id=66 op=UNLOAD
Feb 28 19:08:23 kola-841f716c-d25d175243 audit: BPF prog-id=65 op=UNLOAD
Feb 28 19:08:23 kola-841f716c-d25d175243 audit: BPF prog-id=64 op=UNLOAD
Feb 28 19:08:23 kola-841f716c-d25d175243 kernel: audit: type=1334 audit(1677611303.309:223): prog-id=66 op=UNLOAD
Feb 28 19:08:23 kola-841f716c-d25d175243 kernel: audit: type=1334 audit(1677611303.309:224): prog-id=65 op=UNLOAD
Feb 28 19:08:23 kola-841f716c-d25d175243 kernel: audit: type=1334 audit(1677611303.309:225): prog-id=64 op=UNLOAD
Feb 28 19:08:39 kola-841f716c-d25d175243 systemd[1]: rpm-ostreed.service: Deactivated successfully.
Feb 28 19:08:39 kola-841f716c-d25d175243 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpm-ostreed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 28 19:08:39 kola-841f716c-d25d175243 kernel: audit: type=1131 audit(1677611319.819:226): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpm-ostreed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Comment 4 Zdenek Pytela 2023-03-02 19:26:14 UTC 
I've updated the PR, please download the new scratchbuild.
I wonder why the additional permissions did not show up (in #c0) in permissive mode.
Comment 5 Ondrej Mosnáček 2023-03-02 19:33:57 UTC 
In permissive mode the machine probably powers off before the audit daemon is able to process the AVC events.
Comment 6 Zdenek Pytela 2023-03-06 17:54:32 UTC 
*** Bug 2175889 has been marked as a duplicate of this bug. ***
Comment 7 Zdenek Pytela 2023-03-06 17:56:30 UTC 
Mikhail, please try the PR scratchbuild:

https://github.com/fedora-selinux/selinux-policy/pull/1616
Checks -> Artifacts -> rpms.zip

to see if the fix is sufficient.
Comment 8 Mikhail 2023-03-06 18:32:41 UTC 
(In reply to Zdenek Pytela from comment #7)
> Mikhail, please try the PR scratchbuild:
> 
> https://github.com/fedora-selinux/selinux-policy/pull/1616
> Checks -> Artifacts -> rpms.zip
> 
> to see if the fix is sufficient.

Hmm fc38?  I needs fc39 for checking.

❯ rpm -qa | grep selinux-policy
error: rpmdbNextIterator: skipping h#    1776 
Header V4 DSA/SHA1 Signature, key ID 7f8840ce: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#    3994 
Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#    8762 
Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#   11202 
Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
selinux-policy-38.8-1.fc39.noarch
selinux-policy-targeted-38.8-1.fc39.noarch
Comment 9 Zdenek Pytela 2023-03-07 09:21:36 UTC 
F38 and F39 are built from the same sources. Anyway, if this is is an issue, try the following local module:

  # cat local_poweroff_dbus.cil
(allow kernel_systemctl_t system_dbusd_var_lib_t (dir (getattr search open)))
(allow kernel_systemctl_t system_dbusd_var_run_t (sock_file (getattr write open append)))
  # semodule -i local_poweroff_dbus.cil
<reproduce or wait>
  # semodule -r local_poweroff_dbus
Comment 10 Zdenek Pytela 2023-03-07 09:22:28 UTC 
*** Bug 2175895 has been marked as a duplicate of this bug. ***
Comment 11 Michael Armijo 2023-03-10 02:31:02 UTC 
I tried the updated scratch build, and another AVC denial came through.

$ rpm -q selinux-policy
selinux-policy-38.7-1.20230302_192011.ff2e646.fc38.noarch


Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb kernel: hv_utils: Shutdown request received - graceful shutdown initiated
Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb audit[779]: USER_AVC pid=779 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb dbus-broker[779]: A security policy denied :1.25 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.SetWallMessage to org.freedesktop.login1.
Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb kernel: audit: type=1107 audit(1678414291.238:484): pid=779 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb dbus-broker[779]: A security policy denied :1.25 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.PowerOffWithFlags to org.freedesktop.login1.
Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb audit[779]: USER_AVC pid=779 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Mar 10 02:11:31 kola-b25b573a-fcd26c5bdb kernel: audit: type=1107 audit(1678414291.238:485): pid=779 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:kernel_systemctl_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'


Nothing was captured in permissive mode. I tried 3 times and no logs were recorded during shutdown.
Comment 12 Zdenek Pytela 2023-03-10 18:15:03 UTC 
The PR has been updated.

https://github.com/fedora-selinux/selinux-policy/pull/1616
Checks -> Artifacts -> rpms.zip
Comment 13 Michael Armijo 2023-03-21 19:55:55 UTC 
Sorry for the late response, I've been out of office. I tested the updated rpm and it appears to be resolved. There are no more denials and the machine reboots without issue.
Comment 14 Zdenek Pytela 2023-03-22 07:18:07 UTC 
Thank you, Michael, merging then.
Comment 15 Michael Armijo 2023-03-27 15:43:45 UTC 
Thank you!
Comment 16 Michael Armijo 2023-04-10 19:18:17 UTC 
Hey Zdenek, thanks again. I see that this made it into the bodhi update for f38. Could we also get that backported to f37 please?
Comment 17 Zdenek Pytela 2023-04-11 08:31:02 UTC 
(In reply to Michael Armijo from comment #16)
> Hey Zdenek, thanks again. I see that this made it into the bodhi update for
> f38. Could we also get that backported to f37 please?

The kernel_systemctl_t related changes were not backported to F37, so this bz does not apply to F37 either..
Comment 18 Zdenek Pytela 2023-04-11 08:33:57 UTC 
*** Bug 2185490 has been marked as a duplicate of this bug. ***
Comment 19 Michael Armijo 2023-04-11 17:23:48 UTC 
Thank you for the info!
Note You need to log in before you can comment on or make changes to this bug.