Bug 2230856 - MLS: kmod-static-nodes.service fails at boot due to an AVC popping up
Summary: MLS: kmod-static-nodes.service fails at boot due to an AVC popping up
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nikola Knazekova
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-08-10 07:36 UTC by Renaud Métrich
Modified: 2023-08-11 07:28 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Links
System: Red Hat Issue Tracker
ID: RHELPLAN-165347
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2023-08-10 07:38:00 UTC

Description Renaud Métrich 2023-08-10 07:36:32 UTC
Description of problem:

After switching the system from Targeted to MLS, relabelling while in permissive and switching back to Enforcing, we can see that kmod-static-nodes.service fails during boot due to a hidden AVC:

   ~~~
   # systemctl --failed
     UNIT                      LOAD   ACTIVE SUB    DESCRIPTION                       
   ● kmod-static-nodes.service loaded failed failed Create List of Static Device Nodes

   # systemctl status kmod-static-nodes.service 
   [...]
   Aug 10 09:06:03 vm-mls9 systemd[1]: Starting Create List of Static Device Nodes...
   Aug 10 09:06:03 vm-mls9 kmod[655]: Error: could not create /run/tmpfiles.d/static-nodes.conf - Permission denied
   Aug 10 09:06:03 vm-mls9 systemd[1]: kmod-static-nodes.service: Main process exited, code=exited, status=1/FAILURE
   Aug 10 09:06:03 vm-mls9 systemd[1]: kmod-static-nodes.service: Failed with result 'exit-code'.
   Aug 10 09:06:03 vm-mls9 systemd[1]: Failed to start Create List of Static Device Nodes.
   ~~~

   AVC (not showing without dontaudit rules):
   ~~~
   type=PROCTITLE msg=audit(08/10/2023 09:16:26.228:147) : proctitle=/usr/bin/kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/static-nodes.conf 
   type=SYSCALL msg=audit(08/10/2023 09:16:26.228:147) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff817c3f24 a2=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a3=0x1b6 items=0 ppid=1 pid=1208 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kmod exe=/usr/bin/kmod subj=system_u:system_r:kmod_t:s0-s15:c0.c1023 key=(null) 
   type=AVC msg=audit(08/10/2023 09:16:26.228:147) : avc:  denied  { write } for  pid=1208 comm=kmod name=static-nodes.conf dev="tmpfs" ino=56 scontext=system_u:system_r:kmod_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 
   ~~~

Version-Release number of selected component (if applicable):

selinux-policy-mls-38.1.11-2.el9_2.3.noarch

How reproducible:

Always in MLS
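The denial quoted in the report can be triaged mechanically. The script below is an added example and is not part of this bug report or of selinux-policy: it parses `ausearch -i` style records, joins the AVC with the SYSCALL and PROCTITLE records of the same audit serial, and returns the checks an administrator would run next (`sesearch` to see whether the loaded policy grants the access at all, `matchpathcon` and `restorecon -nv` to see whether the file carries the label the policy expects for its path). The function names are this example's own, and the sample input is the three audit lines from the report with the SYSCALL record abridged.

```python
"""Structured triage of the ausearch -i style AVC records quoted above. Added example,
not part of this bug or of selinux-policy; sample records copied from the report."""
import re
from dataclasses import dataclass, field

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
SERIAL_RE = re.compile(r'msg=audit\([^)]*:(\d+)\)')
TYPE_RE = re.compile(r'^type=(\w+)')

SAMPLE_EVENT = [  # constructed input: the three records of audit event 147 from the report
    'type=PROCTITLE msg=audit(08/10/2023 09:16:26.228:147) : proctitle=/usr/bin/kmod static-nodes '
    '--format=tmpfiles --output=/run/tmpfiles.d/static-nodes.conf',
    'type=SYSCALL msg=audit(08/10/2023 09:16:26.228:147) : arch=x86_64 syscall=openat success=no '
    'exit=EACCES(Permission denied) pid=1208 uid=root comm=kmod exe=/usr/bin/kmod '
    'subj=system_u:system_r:kmod_t:s0-s15:c0.c1023 key=(null)',
    'type=AVC msg=audit(08/10/2023 09:16:26.228:147) : avc:  denied  { write } for  pid=1208 comm=kmod '
    'name=static-nodes.conf dev="tmpfs" ino=56 scontext=system_u:system_r:kmod_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
]

@dataclass
class SELinuxContext:
    user: str
    role: str
    type: str
    level: str = ''  # MLS/MCS range; empty when the context carries none

    @classmethod
    def parse(cls, raw):
        parts = raw.split(':', 3)
        if len(parts) < 3:
            raise ValueError(f'not a security context: {raw!r}')
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else '')

@dataclass
class AvcRecord:
    serial: str
    result: str  # 'denied' or 'granted'
    perms: list
    source: SELinuxContext
    target: SELinuxContext
    tclass: str
    permissive: bool
    fields: dict = field(default_factory=dict)  # pid, comm, name, dev, ino, ...

def parse_kv(text):
    """key=value pairs of an audit record; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_avc(line):
    """AvcRecord for a type=AVC line; None for any other record type."""
    tm, m = TYPE_RE.match(line), AVC_RE.search(line)
    if not tm or tm.group(1) != 'AVC' or not m:
        return None
    f, sm = parse_kv(m.group('rest')), SERIAL_RE.search(line)
    return AvcRecord(serial=sm.group(1) if sm else '', result=m.group('result'),
                     perms=m.group('perms').split(),
                     source=SELinuxContext.parse(f['scontext']),
                     target=SELinuxContext.parse(f['tcontext']), tclass=f['tclass'],
                     permissive=f.get('permissive') == '1', fields=f)

def correlate(lines):
    """Group records by audit serial so an AVC can be joined with its SYSCALL and PROCTITLE."""
    events = {}
    for line in lines:
        tm, sm = TYPE_RE.match(line), SERIAL_RE.search(line)
        if tm and sm:
            events.setdefault(sm.group(1), {})[tm.group(1)] = line
    return events

def output_path(proctitle_line):
    """The --output= argument of a kmod static-nodes PROCTITLE record, if any."""
    m = re.search(r'--output=(\S+)', proctitle_line)
    return m.group(1) if m else None

def triage(avc, path=None):
    """Checks to run next, as shell command strings, plus what the record implies."""
    s, t = avc.source, avc.target
    # Does the loaded policy grant this at all?  An allow rule that sesearch prints
    # but that is still denied points at a constraint (e.g. MLS), not at a TE rule.
    commands = [f'sesearch -A -s {s.type} -t {t.type} -c {avc.tclass} -p {",".join(avc.perms)}']
    if path:  # does the object carry the label the policy expects for its path?
        commands += [f'matchpathcon {path}', f'restorecon -nv {path}']
    notes = []
    if avc.result == 'denied' and not avc.permissive:
        notes.append('permissive=0: the access was refused, not merely logged')
    if s.level and t.level and s.level != t.level:
        notes.append(f'subject range {s.level} differs from object level {t.level}; MLS '
                     'constraints can deny what type rules allow, and the AVC does not say which')
    return commands, notes

def analyse(lines):
    """Every denied AVC in lines, paired with its checks and notes."""
    out = []
    for recs in correlate(lines).values():
        avc = parse_avc(recs.get('AVC', ''))
        if avc and avc.result == 'denied':
            out.append((avc, *triage(avc, output_path(recs.get('PROCTITLE', '')))))
    return out
```

Feed it the lines of `ausearch -i -m AVC,SYSCALL,PROCTITLE` and print what `analyse` returns. The AVC alone cannot tell a missing allow rule apart from an MLS constraint denial, which is why the `sesearch` check comes first; and a denial covered by a dontaudit rule, as in this report, only reaches the audit log after `semodule -DB` (re-enable the dontaudit rules with `semodule -B`).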

