Bug 2222199 - SELinux prevents the targetd service from searching under /proc/sys/net/
Summary: SELinux prevents the targetd service from searching under /proc/sys/net/
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-12 08:37 UTC by Milos Malik
Modified: 2023-07-18 01:24 UTC

Fixed In Version: selinux-policy-38.21-1.fc38
Clone Of:
Environment:
Last Closed: 2023-07-18 01:24:35 UTC
Type: ---
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github fedora-selinux selinux-policy pull 1778 | 0 | None | open | Allow targetd read network sysctls | 2023-07-12 11:32:27 UTC

Description Milos Malik 2023-07-12 08:37:45 UTC
selinux-policy-38.20-1.fc39.noarch
selinux-policy-devel-38.20-1.fc39.noarch
selinux-policy-targeted-38.20-1.fc39.noarch
targetcli-2.1.56-2.fc39.noarch
targetd-0.10.2-2.fc39.noarch
target-restore-2.1.76-2.fc39.noarch


Reproducible: Always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. run the following automated TC:
 * /CoreOS/selinux-policy/Regression/targetd-and-similar
3. search for SELinux denials
Actual Results:  
----
type=PROCTITLE msg=audit(07/12/2023 02:24:03.329:718) : proctitle=targetd 
type=PATH msg=audit(07/12/2023 02:24:03.329:718) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/12/2023 02:24:03.329:718) : cwd=/ 
type=SYSCALL msg=audit(07/12/2023 02:24:03.329:718) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc3799e500 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=10509 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=targetd exe=/usr/bin/python3.12 subj=system_u:system_r:targetd_t:s0 key=(null) 
type=AVC msg=audit(07/12/2023 02:24:03.329:718) : avc:  denied  { search } for  pid=10509 comm=targetd name=net dev="proc" ino=14870 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----


Expected Results:  
No SELinux denials

Comment 1 Milos Malik 2023-07-12 12:54:25 UTC
SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(07/12/2023 08:52:31.334:759) : proctitle=targetd 
type=PATH msg=audit(07/12/2023 08:52:31.334:759) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=36543 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/12/2023 08:52:31.334:759) : cwd=/ 
type=SYSCALL msg=audit(07/12/2023 08:52:31.334:759) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x7ffee5e2a6c0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=8770 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=targetd exe=/usr/bin/python3.12 subj=system_u:system_r:targetd_t:s0 key=(null) 
type=AVC msg=audit(07/12/2023 08:52:31.334:759) : avc:  denied  { open } for  pid=8770 comm=targetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=36543 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/12/2023 08:52:31.334:759) : avc:  denied  { read } for  pid=8770 comm=targetd name=disable_ipv6 dev="proc" ino=36543 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/12/2023 08:52:31.334:759) : avc:  denied  { search } for  pid=8770 comm=targetd name=net dev="proc" ino=14870 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(07/12/2023 08:52:31.337:760) : proctitle=targetd 
type=PATH msg=audit(07/12/2023 08:52:31.337:760) : item=0 name= inode=36543 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/12/2023 08:52:31.337:760) : cwd=/ 
type=SYSCALL msg=audit(07/12/2023 08:52:31.337:760) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x4 a1=0x7f63d899fbce a2=0x7ffee5e2a720 a3=0x1000 items=1 ppid=1 pid=8770 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=targetd exe=/usr/bin/python3.12 subj=system_u:system_r:targetd_t:s0 key=(null) 
type=AVC msg=audit(07/12/2023 08:52:31.337:760) : avc:  denied  { getattr } for  pid=8770 comm=targetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=36543 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
----
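The description shows the first denial (search on the net directory) and comment 1 shows the full set collected in permissive mode (search, open, read, getattr on sysctl_net_t). The following script is an added example, not code from this bug or from selinux-policy: it parses AVC records of exactly this audit format and groups them into the minimal allow rules a policy fix must cover, the way audit2allow does. The function names parse_avc and needed_rules are my own; the sample records are copied from comment 1.

```python
import re
from collections import defaultdict

# Sample AVC records, copied from the audit log pasted in comment 1 of this bug.
AVC_SAMPLE = """\
type=AVC msg=audit(07/12/2023 08:52:31.334:759) : avc:  denied  { open } for  pid=8770 comm=targetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=36543 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/12/2023 08:52:31.334:759) : avc:  denied  { read } for  pid=8770 comm=targetd name=disable_ipv6 dev="proc" ino=36543 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/12/2023 08:52:31.334:759) : avc:  denied  { search } for  pid=8770 comm=targetd name=net dev="proc" ino=14870 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/12/2023 08:52:31.337:760) : avc:  denied  { getattr } for  pid=8770 comm=targetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=36543 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"  # one or more permissions in braces
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

def parse_avc(lines):
    """Yield (source_type, target_type, tclass, perms) from raw audit lines.
    Only 'denied' AVC records match; PATH/SYSCALL/CWD records are skipped."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:range]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def needed_rules(lines):
    """Merge denials into one allow rule per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        perms_by_key[(stype, ttype, tclass)] |= perms
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in perms_by_key.items()
    )

if __name__ == "__main__":
    for rule in needed_rules(AVC_SAMPLE.splitlines()):
        print(rule)
```

The two rules this prints are the raw audit2allow view of the denials; a policy patch such as the linked PR expresses the same read-only access through the policy's existing interfaces, and a defender reviewing a local module should check that it grants no more than the denials show (here: search on the directory and read-only access to the file).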

Comment 2 Milos Malik 2023-07-13 07:58:04 UTC
Test coverage for this BZ exists in a form of PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/405

Comment 3 Zdenek Pytela 2023-07-13 08:09:40 UTC
The policy PR has just been merged.

Comment 4 Fedora Update System 2023-07-14 12:00:00 UTC
FEDORA-2023-2663818afd has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd

Comment 5 Fedora Update System 2023-07-15 01:32:37 UTC
FEDORA-2023-2663818afd has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-2663818afd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-07-18 01:24:35 UTC
FEDORA-2023-2663818afd has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

