Bug 2224352 - named AVCs in Fedora OpenQA tests
Summary: named AVCs in Fedora OpenQA tests
Keywords:
Status: CLOSED DUPLICATE of bug 2223725
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-20 13:55 UTC by Alexander Bokovoy
Modified: 2023-07-20 15:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-20 15:16:04 UTC
Type: ---
Embargoed:



Description Alexander Bokovoy 2023-07-20 13:55:22 UTC
Running FreeIPA OpenQA tests, I see new AVCs with the DNS server that haven't been there before. This is visible with tests in the https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76 update, for example.

https://openqa.fedoraproject.org/tests/2024112/logfile?filename=_console_avc_crash-avcs.txt contains the full list of AVCs. Some of those are already known and will be fixed in the FreeIPA SELinux policy, but the named ones have to be fixed in the main SELinux policy.



Reproducible: Always




time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2011): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:06:44 2023
type=AVC msg=audit(1689854804.286:2012): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.087:2239): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.087:2240): avc:  denied  { sqpoll } for  pid=9623 comm="rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:15:59 2023
type=AVC msg=audit(1689855359.090:2241): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
----
time->Thu Jul 20 08:28:41 2023
type=AVC msg=audit(1689856121.389:101): avc:  denied  { sqpoll } for  pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
time->Thu Jul 20 08:28:41 2023
type=AVC msg=audit(1689856121.389:102): avc:  denied  { sqpoll } for  pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
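
A triage sketch for the denials listed in the description, added here as an example and not part of the original bug report or of any Fedora tooling: it parses the AVC records and collapses them into unique source type / target / class / permission signatures with counts, which makes comparison against an existing report such as bug 2223725 straightforward. The helper names `se_type`, `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Sample input: the seven AVC records quoted in the report above, plus one "----" separator.
SAMPLE = """\
type=AVC msg=audit(1689854804.286:2011): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
----
type=AVC msg=audit(1689854804.286:2012): avc:  denied  { sqpoll } for  pid=8129 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1689855359.087:2239): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1689855359.087:2240): avc:  denied  { sqpoll } for  pid=9623 comm="rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1689855359.090:2241): avc:  denied  { ipc_lock } for  pid=9623 comm="rndc" capability=14  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1689856121.389:101): avc:  denied  { sqpoll } for  pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1689856121.389:102): avc:  denied  { sqpoll } for  pid=1071 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 4 else None

def parse_avc(line):
    """Parse one AVC denial into (source_type, target, tclass, [perms]), else None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # separator, non-AVC record, or a "granted" message
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src, tgt = se_type(fields.get("scontext", "")), se_type(fields.get("tcontext", ""))
    if not (src and tgt and "tclass" in fields):
        return None  # truncated record
    # Policy notation writes the target as "self" when source and target types match.
    return src, ("self" if src == tgt else tgt), fields["tclass"], m.group(1).split()

def summarize(log_text):
    """Count identical denials, keyed as 'source target:class permission'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, target, tclass, perms = parsed
            counts.update(f"{src} {target}:{tclass} {p}" for p in perms)
    return counts

if __name__ == "__main__":
    for signature, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {signature}")
```

For the seven records in this report the summary has three entries: `named_t self:io_uring sqpoll` (4), `ndc_t self:capability ipc_lock` (2) and `ndc_t self:io_uring sqpoll` (1).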

Comment 1 Milos Malik 2023-07-20 14:03:42 UTC
Based on the SELinux denials shown in comment#0, I believe this BZ is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2223725.

Comment 2 Alexander Bokovoy 2023-07-20 14:10:45 UTC
Thank you, Milos. I didn't check whether those were already reported.

However, this is in F38, not Rawhide.

Comment 3 Zdenek Pytela 2023-07-20 15:16:04 UTC

*** This bug has been marked as a duplicate of bug 2223725 ***

