Bug 2175516 - [RHEL 9] avc: denied { search } for pid=21104 comm="rpc.statd" name="net" dev="proc"
Summary: [RHEL 9] avc: denied { search } for pid=21104 comm="rpc.statd" name="net" ...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nikola Knazekova
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-03-05 14:03 UTC by Zhi Li
Modified: 2023-08-17 13:32 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links:
- GitHub fedora-selinux/selinux-policy pull 1663 (status: open): Allow rpc.statd to search network sysctl dirs; last updated 2023-04-26 18:42:34 UTC
- Red Hat Issue Tracker RHELPLAN-150680; last updated 2023-03-05 14:04:43 UTC

Description Zhi Li 2023-03-05 14:03:29 UTC
Description of problem:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1.8-1.el9.noarch
----
time->Wed Mar  1 08:23:45 2023
type=PROCTITLE msg=audit(1677677025.236:151): proctitle="/usr/sbin/rpc.statd"
type=SYSCALL msg=audit(1677677025.236:151): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc8ff7d990 a2=80100 a3=0 items=0 ppid=1 pid=21104 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1677677025.236:151): avc:  denied  { search } for  pid=21104 comm="rpc.statd" name="net" dev="proc" ino=34064 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
nfs-utils-2.5.4-18.el9.x86_64
selinux-policy-38.1.8-1.el9.noarch


How reproducible:
once


Actual results:
AVC denied

Expected results:
No AVC denied for defined operations

Additional info:
beaker job:
https://beaker.engineering.redhat.com/recipes/13475947#task156886730
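
A small parser for AVC records like the one in this report (an added example, not code from this report or from the selinux-policy project): it groups denials by source domain, target type and object class, derives the raw allow rule each group maps to, and records whether the access was actually blocked (permissive=0) or only logged (permissive=1), which is the difference to look for when re-running under setenforce 0 as comment 12 asks. The first sample record is the one from the description; the second is constructed to show a second group.

```python
import re
from collections import defaultdict

# Constructed sample log: record 1 is the AVC from this report,
# record 2 is a made-up file-class denial logged in permissive mode.
SAMPLE_LOG = """\
type=AVC msg=audit(1677677025.236:151): avc:  denied  { search } for  pid=21104 comm="rpc.statd" name="net" dev="proc" ino=34064 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1677677025.300:152): avc:  denied  { read } for  pid=21104 comm="rpc.statd" name="ip_local_port_range" dev="proc" ino=34071 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the interesting fields of one type=AVC record, or None."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "result": d["result"],
        "perms": set(d["perms"].split()),
        # context is user:role:type:level; the third field is the type
        "sdomain": d["scontext"].split(":")[2],
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        # permissive=1 means the kernel logged the denial but let it through
        "permissive": d["permissive"] == "1",
    }

def summarize(log):
    """Map each (source type, target type, class) group to the raw allow
    rule it needs (a real policy fix would use an interface macro instead),
    paired with True if any denial in the group was enforced."""
    groups, enforced = defaultdict(set), set()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["sdomain"], rec["ttype"], rec["tclass"])
        groups[key] |= rec["perms"]
        if not rec["permissive"]:
            enforced.add(key)
    rules = {}
    for (s, t, c), perms in groups.items():
        p = " ".join(sorted(perms))
        rules[f"allow {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};"] = (s, t, c) in enforced
    return rules
```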

Comment 1 Milos Malik 2023-03-06 15:22:54 UTC
Found 4 occurrences of the SELinux denial in the beaker job.

Comment 6 Nikola Knazekova 2023-06-14 14:28:40 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1740

Comment 12 Nikola Knazekova 2023-08-01 15:51:38 UTC
Hi,

Can you reproduce the issue in permissive mode with full auditing enabled?

Permissive mode:
# setenforce 0

Full audit:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you

Comment 14 Zhi Li 2023-08-07 09:51:53 UTC
(In reply to Nikola Knazekova from comment #12)
> Hi,
> 
> Can you reproduce the issue in permissive mode with full auditing enabled?
> 
> Permissive mode:
> # setenforce 0
> 
> Full audit:
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> 
> Thank you

The SELinux denial was not reproduced in loose mode with full auditing enabled, but this problem
did not find a valid trigger step, and it was not 100% reproducible in my test scenario.

[root@ibm-x3650m4-01-vm-11 ]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

