2223571 – avc: denied { sendto write } for pid=518 comm="systemd-network"

Bug 2223571 - avc: denied { sendto write } for pid=518 comm="systemd-network"

Summary: avc: denied { sendto write } for pid=518 comm="systemd-network"

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	https://cockpit-logs.us-east-1.linode...
Whiteboard:	CockpitTest
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-18 10:02 UTC by Martin Pitt
Modified:	2023-08-01 02:49 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-38.22-1.fc38
Clone Of:
Environment:
Last Closed:	2023-08-01 02:49:20 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1785	0	None	Merged	Allow systemd_network_generator_t notify systemd manager	2023-08-11 11:59:57 UTC

Description Martin Pitt 2023-07-18 10:02:30 UTC

With the recent updates of selinux-policy 38.21-1.fc38 [1] and systemd 253.7-1.fc38 [2], there are a lot of these two AVCs:

avc:  denied  { sendto } for  pid=518 comm="systemd-network" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
avc:  denied  { write } for  pid=518 comm="systemd-network" name="kmsg" dev="devtmpfs" ino=10 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd
[2] https://bodhi.fedoraproject.org/updates/FEDORA-2023-b07a6a9665

Reproducible: Always




Full journal: https://cockpit-logs.us-east-1.linodeobjects.com/pull-5014-20230718-032330-b98bfddb-fedora-testing-daily-cockpit-project-cockpit/TestKdump-testBasic-fedora-testing-127.0.0.2-2901-FAIL.log.gz

Comment 1 Zdenek Pytela 2023-07-18 14:58:59 UTC

This seems to be a result of:
https://github.com/systemd/systemd/releases

Changes in systemd and units:

    * A new service type Type=notify-reload is defined. When such a unit is
      reloaded a UNIX process signal (typically SIGHUP) is sent to the main
      service process. The manager will then wait until it receives a
      "RELOADING=1" followed by a "READY=1" notification from the unit as
      response (via sd_notify()). Otherwise, this type is the same as
      Type=notify. A new setting ReloadSignal= may be used to change the
      signal to send from the default of SIGHUP.

      user@.service, systemd-networkd.service, systemd-udevd.service, and
      systemd-logind have been updated to this type.

Comment 2 Fedora Update System 2023-07-25 17:23:31 UTC

FEDORA-2023-0b46b767d3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

Comment 3 Fedora Update System 2023-07-26 02:09:50 UTC

FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0b46b767d3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-08-01 02:49:20 UTC

FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.