2224599 – fdo-client-linuxapp fails to make changes with selinux in enforcing

Bug 2224599 - fdo-client-linuxapp fails to make changes with selinux in enforcing

Summary: fdo-client-linuxapp fails to make changes with selinux in enforcing

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Nikola Knazekova
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	IoT
TreeView+	depends on / blocked

Reported:	2023-07-21 15:44 UTC by Paul Whalen
Modified:	2023-08-04 08:43 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
fdo-client-avcs (24.08 KB, text/plain) 2023-07-21 15:47 UTC, Paul Whalen	no flags	Details
View All

Description Paul Whalen 2023-07-21 15:44:30 UTC

Running `fdo-client` on an F38 IoT system fails to make configured changes due to selinux denials:

type=AVC msg=audit(1689703785.900:181): avc:  denied  { getattr } for  pid=1279 comm="fdo-client-linu" path="/boot/device-credentials" dev="vda2" ino=24 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1689704283.118:192): avc:  denied  { getattr } for  pid=1522 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Changing to Permissive allows the fdo-client to make the configured changes, sample AVC's listed below(full list attached):

type=AVC msg=audit(1689704302.214:197): avc:  denied  { getattr } for  pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.214:198): avc:  denied  { read } for  pid=1534 comm="fdo-client-linu" name="device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.214:199): avc:  denied  { open } for  pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.286:200): avc:  denied  { write } for  pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.286:201): avc:  denied  { setattr } for  pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.288:202): avc:  denied  { read } for  pid=1534 comm="fdo-client-linu" name="passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.288:203): avc:  denied  { open } for  pid=1534 comm="fdo-client-linu" path="/etc/passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1


Reproducible: Always

Steps to Reproduce:
1. Start the fdo-client-linuxapp.service on a host with selinux in enforcing
2. FDO client fails to make configuration changes


Expected Results:  
Configuration changes to the running system.

Comment 1 Paul Whalen 2023-07-21 15:47:42 UTC

Created attachment 1976962 [details]
fdo-client-avcs

Note You need to log in before you can comment on or make changes to this bug.