Bug 2223725 - SELinux prevents named and rndc from io_uring actions
Summary: SELinux prevents named and rndc from io_uring actions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2224352 2226703
Depends On:
Blocks:
 
Reported: 2023-07-18 16:20 UTC by Milos Malik
Modified: 2023-08-01 02:49 UTC (History)
CC: 10 users

Fixed In Version: selinux-policy-38.22-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 02:49:23 UTC
Type: ---
Embargoed:




Links
Github fedora-selinux/selinux-policy pull 1784 (open): Allow sssd io_uring sqpoll permission, last updated 2023-07-18 18:02:49 UTC

Description Milos Malik 2023-07-18 16:20:36 UTC
bind-9.18.16-1.fc39.x86_64
bind-chroot-9.18.16-1.fc39.x86_64
bind-dnssec-utils-9.18.16-1.fc39.x86_64
bind-libs-9.18.16-1.fc39.x86_64
bind-license-9.18.16-1.fc39.noarch
bind-utils-9.18.16-1.fc39.x86_64
selinux-policy-38.20-1.fc39.noarch
selinux-policy-devel-38.20-1.fc39.noarch
selinux-policy-targeted-38.20-1.fc39.noarch


Reproducible: Always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the named service
3. search for SELinux denials
Actual Results:  
----
type=PROCTITLE msg=audit(07/18/2023 11:57:52.157:925) : proctitle=/usr/sbin/named -u named -c /etc/named.conf 
type=SYSCALL msg=audit(07/18/2023 11:57:52.157:925) : arch=x86_64 syscall=io_uring_setup success=no exit=EACCES(Permission denied) a0=0x40 a1=0x7fffbb6a9020 a2=0x0 a3=0x56537b7683f0 items=0 ppid=35360 pid=35361 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=named exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null) 
type=AVC msg=audit(07/18/2023 11:57:52.157:925) : avc:  denied  { sqpoll } for  pid=35361 comm=named scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0 
----
type=PROCTITLE msg=audit(07/18/2023 11:57:57.489:927) : proctitle=rndc querylog 
type=SYSCALL msg=audit(07/18/2023 11:57:57.489:927) : arch=x86_64 syscall=io_uring_setup success=no exit=EACCES(Permission denied) a0=0x40 a1=0x7ffcb21285e0 a2=0x0 a3=0x1f0 items=0 ppid=24105 pid=35595 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=rndc exe=/usr/sbin/rndc subj=system_u:system_r:ndc_t:s0 key=(null) 
type=AVC msg=audit(07/18/2023 11:57:57.489:927) : avc:  denied  { sqpoll } for  pid=35595 comm=rndc scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0 
type=AVC msg=audit(07/18/2023 11:57:57.489:927) : avc:  denied  { ipc_lock } for  pid=35595 comm=rndc capability=ipc_lock  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0 
----


Expected Results:  
no SELinux denials

Comment 1 Milos Malik 2023-07-18 16:24:19 UTC
The same SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/18/2023 12:21:52.481:952) : proctitle=/usr/sbin/rndc stop 
type=SYSCALL msg=audit(07/18/2023 12:21:52.481:952) : arch=x86_64 syscall=io_uring_setup success=yes exit=4 a0=0x40 a1=0x7ffdf703b930 a2=0x0 a3=0x1f0 items=0 ppid=36835 pid=36836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rndc exe=/usr/sbin/rndc subj=system_u:system_r:ndc_t:s0 key=(null) 
type=AVC msg=audit(07/18/2023 12:21:52.481:952) : avc:  denied  { sqpoll } for  pid=36836 comm=rndc scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=1 
type=AVC msg=audit(07/18/2023 12:21:52.481:952) : avc:  denied  { ipc_lock } for  pid=36836 comm=rndc capability=ipc_lock  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(07/18/2023 12:21:52.541:956) : proctitle=/usr/sbin/named -u named -c /etc/named.conf 
type=SYSCALL msg=audit(07/18/2023 12:21:52.541:956) : arch=x86_64 syscall=io_uring_setup success=yes exit=8 a0=0x40 a1=0x7ffde6aa82a0 a2=0x0 a3=0x555cd9be63f0 items=0 ppid=36845 pid=36846 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=named exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null) 
type=AVC msg=audit(07/18/2023 12:21:52.541:956) : avc:  denied  { sqpoll } for  pid=36846 comm=named scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=1 
----

One of the reproducers is:

# service named restart

Comment 2 Milos Malik 2023-07-18 16:26:16 UTC
# ldd /usr/sbin/rndc | grep libuv
	libuv.so.1 => /lib64/libuv.so.1 (0x00007f853a9bb000)
# ldd /usr/sbin/named | grep libuv
	libuv.so.1 => /lib64/libuv.so.1 (0x00007f252b7a4000)
# strings /lib64/libuv.so.1 | grep io_uring
libuv: io_uring_enter(wakeup)
libuv: io_uring_enter(getevents)
uv__poll_io_uring
#
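The AVC records posted above, from both the enforcing run in the description and the permissive run in Comment 1, reduced to the minimal set of allow rules and rendered as a local TE module. This is an added example, not part of the bug report or of the selinux-policy project; the audit lines are copied from the report (trailing whitespace stripped), the module name `local_bind_iouring` is an arbitrary choice, and the rules it emits are only a stopgap until selinux-policy-38.22-1.fc38 is installed. Records with `permissive=1` are kept because they log exactly what enforcing mode would have blocked, and a target equal to the source is written as `self`, the way the shipped policy expresses such rules.

```python
"""Turn the AVC records from this bug into a minimal local SELinux TE module.

Added example, not part of the bug report or of the selinux-policy project.
AVC_LINES below are copied from the report; the module name is arbitrary.
"""
import re
from collections import defaultdict

# AVC records as they appear in the report (enforcing and permissive runs).
# A record with permissive=1 is still a would-be denial and must be covered.
AVC_LINES = """\
type=AVC msg=audit(07/18/2023 11:57:52.157:925) : avc:  denied  { sqpoll } for  pid=35361 comm=named scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(07/18/2023 11:57:57.489:927) : avc:  denied  { sqpoll } for  pid=35595 comm=rndc scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(07/18/2023 11:57:57.489:927) : avc:  denied  { ipc_lock } for  pid=35595 comm=rndc capability=ipc_lock  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
type=AVC msg=audit(07/18/2023 12:21:52.481:952) : avc:  denied  { sqpoll } for  pid=36836 comm=rndc scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=1
type=AVC msg=audit(07/18/2023 12:21:52.481:952) : avc:  denied  { ipc_lock } for  pid=36836 comm=rndc capability=ipc_lock  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(07/18/2023 12:21:52.541:956) : avc:  denied  { sqpoll } for  pid=36846 comm=named scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=1
"""

# Permissions are the words inside the braces; contexts and class follow later
# on the line. permissive= is optional so the pattern also fits older audit logs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """system_u:system_r:named_t:s0 -> named_t (the type is the third field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, {perms}, permissive) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PROCTITLE, separators)
        yield (
            type_of(m["scontext"]),
            type_of(m["tcontext"]),
            m["tclass"],
            set(m["perms"].split()),
            m["permissive"] == "1",
        )


def collect_rules(text):
    """Merge records into {(stype, target, tclass): perms}; target is 'self' when stype == ttype."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms, _permissive in parse_avc(text):
        target = "self" if stype == ttype else ttype
        rules[(stype, target, tclass)] |= perms
    return dict(rules)


def render_te(rules, module="local_bind_iouring", version="1.0"):
    """Render a .te module (require block plus allow rules) for checkmodule/semodule_package."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules if k[1] != "self"})
    classes = defaultdict(set)
    for (_s, _t, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, target, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(collect_rules(AVC_LINES)), end="")
```

Running the script prints three rules: `allow named_t self:io_uring { sqpoll };`, `allow ndc_t self:io_uring { sqpoll };` and `allow ndc_t self:capability { ipc_lock };`. Save the output as `local_bind_iouring.te`, then `checkmodule -M -m -o local_bind_iouring.mod local_bind_iouring.te`, `semodule_package -o local_bind_iouring.pp -m local_bind_iouring.mod` and `semodule -i local_bind_iouring.pp` load it; `semodule -r local_bind_iouring` removes it again once the fixed selinux-policy package is installed, so the local module does not mask later policy changes. Both permissions are granted on the domain's own context only (a submission-queue polling thread for io_uring, and CAP_IPC_LOCK for rndc), which keeps the workaround as narrow as the denials themselves.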

Comment 4 Zdenek Pytela 2023-07-20 15:16:04 UTC
*** Bug 2224352 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2023-07-25 17:23:35 UTC
FEDORA-2023-0b46b767d3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

Comment 6 Fedora Update System 2023-07-26 02:09:53 UTC
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0b46b767d3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Zdenek Pytela 2023-07-26 09:14:24 UTC
*** Bug 2226703 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2023-08-01 02:49:23 UTC
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

