2231340 – SELinux is preventing key.dns_resolve from 'write' accesses on the sock_file socket.

Bug 2231340 - SELinux is preventing key.dns_resolve from 'write' accesses on the sock_file socket.

Summary: SELinux is preventing key.dns_resolve from 'write' accesses on the sock_file ...

Keywords:
Status:	ASSIGNED
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:2aba29417bb63f9292a4170d33a...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-11 09:44 UTC by Julian Sikorski
Modified:	2023-08-12 07:03 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (2.04 KB, text/plain) 2023-08-11 09:44 UTC, Julian Sikorski	no flags	Details
File: os_info (734 bytes, text/plain) 2023-08-11 09:44 UTC, Julian Sikorski	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1832	0	None	open	Allow key.dns_resolve create and use unix datagram socket	2023-08-11 10:41:34 UTC

Description Julian Sikorski 2023-08-11 09:44:39 UTC

Description of problem:
SELinux is preventing key.dns_resolve from 'write' accesses on the sock_file socket.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es key.dns_resolve standardmäßig erlaubt sein sollte, write Zugriff auf socket sock_file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'key.dns_resolve' --raw | audit2allow -M my-keydnsresolve
# semodule -X 300 -i my-keydnsresolve.pp

Additional Information:
Source Context                system_u:system_r:keyutils_dns_resolver_t:s0
Target Context                system_u:object_r:avahi_var_run_t:s0
Target Objects                socket [ sock_file ]
Source                        key.dns_resolve
Source Path                   key.dns_resolve
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.22-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.22-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.9-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Aug 8 21:21:11 UTC 2023 x86_64
Alert Count                   18
First Seen                    2023-07-04 16:34:13 CEST
Last Seen                     2023-08-11 11:44:04 CEST
Local ID                      3eb9e030-368e-4be8-8c10-ac5c21e82f4f

Raw Audit Messages
type=AVC msg=audit(1691747044.495:581): avc:  denied  { write } for  pid=95403 comm="key.dns_resolve" name="socket" dev="tmpfs" ino=1932 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=0


Hash: key.dns_resolve,keyutils_dns_resolver_t,avahi_var_run_t,sock_file,write

Version-Release number of selected component:
selinux-policy-targeted-38.22-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing key.dns_resolve from 'write' accesses on the sock_file socket.
package:        selinux-policy-targeted-38.22-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.9-200.fc38.x86_64
component:      selinux-policy

Comment 1 Julian Sikorski 2023-08-11 09:44:41 UTC

Created attachment 1982960 [details]
File: description

Comment 2 Julian Sikorski 2023-08-11 09:44:43 UTC

Created attachment 1982961 [details]
File: os_info

Comment 3 Zdenek Pytela 2023-08-11 10:04:21 UTC

Julian,

Do you know which configuration change is needed to trigger this issue and what is the consequence of the denial?

Comment 4 Julian Sikorski 2023-08-11 10:11:55 UTC

Hi,

I am not sure whether this is causing any issues to be honest. I am running in Enforcing mode but there does not appear to be any obvious missing functionality. I can see this on both machines and both of them have a cifs mount provided by openmediavault:

//odroidxu4.local/julian on /mnt/openmediavault type cifs (rw,relatime,vers=3.1.1,cache=strict,username=julas,uid=1000,noforceuid,gid=1000,noforcegid,addr=192.168.0.220,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1,_netdev,x-systemd.automount)

The corresponding fstab entry looks as follows:

//odroidxu4.local/julian /mnt/openmediavault    cifs    credentials=/home/julas/.credentials,uid=julas,gid=julas,vers=3.1.1,_netdev,x-systemd.automount,noauto 0 0

Comment 5 Zdenek Pytela 2023-08-11 10:39:05 UTC

Thank you. If you can reproduce the issue, please switch the system or just the domain to permissive mode and gather all denials, I believe there will be stream socket communication.

setenforce 0
-or-
semanage permissive -a keyutils_dns_resolver_t
<reproduce>
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
then
setenforce 1
-or-
semanage permissive -d keyutils_dns_resolver_t

Comment 6 Julian Sikorski 2023-08-12 07:03:30 UTC

Setting SELinux to permissive indeed caused more messages to appear, but not every time it seems:

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(12.08.2023 09:00:16.505:428) : avc:  denied  { write } for  pid=160980 comm=key.dns_resolve name=socket dev="tmpfs" ino=1700 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(12.08.2023 09:00:16.505:429) : avc:  denied  { connectto } for  pid=160980 comm=key.dns_resolve path=/run/avahi-daemon/socket scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket permissive=1 

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts yesterday
----
type=AVC msg=audit(11.08.2023 09:06:41.754:878) : avc:  denied  { write } for  pid=141526 comm=key.dns_resolve name=socket dev="tmpfs" ino=1701 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=0 
----
type=AVC msg=audit(11.08.2023 09:06:41.755:879) : avc:  denied  { create } for  pid=141526 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:keyutils_dns_resolver_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=AVC msg=audit(11.08.2023 12:05:57.027:1067) : avc:  denied  { write } for  pid=176425 comm=key.dns_resolve name=socket dev="tmpfs" ino=1701 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=0 
----
type=AVC msg=audit(11.08.2023 12:05:57.029:1068) : avc:  denied  { create } for  pid=176425 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:keyutils_dns_resolver_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=AVC msg=audit(11.08.2023 14:45:49.470:1177) : avc:  denied  { write } for  pid=244794 comm=key.dns_resolve name=socket dev="tmpfs" ino=1701 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(11.08.2023 14:45:49.470:1178) : avc:  denied  { connectto } for  pid=244794 comm=key.dns_resolve path=/run/avahi-daemon/socket scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:45:54.473:1181) : avc:  denied  { create } for  pid=244794 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:keyutils_dns_resolver_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:45:54.473:1182) : avc:  denied  { connect } for  pid=244794 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:keyutils_dns_resolver_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:45:54.473:1183) : avc:  denied  { read } for  pid=244794 comm=key.dns_resolve name=log dev="devtmpfs" ino=185 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1 
----
type=AVC msg=audit(11.08.2023 14:45:54.473:1184) : avc:  denied  { write } for  pid=244794 comm=key.dns_resolve name=dev-log dev="tmpfs" ino=44 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(11.08.2023 14:45:54.473:1185) : avc:  denied  { sendto } for  pid=244794 comm=key.dns_resolve path=/run/systemd/journal/dev-log scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:02.682:1186) : avc:  denied  { write } for  pid=245001 comm=key.dns_resolve name=socket dev="tmpfs" ino=1701 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:02.682:1187) : avc:  denied  { connectto } for  pid=245001 comm=key.dns_resolve path=/run/avahi-daemon/socket scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:07.685:1188) : avc:  denied  { create } for  pid=245001 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:keyutils_dns_resolver_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:07.685:1189) : avc:  denied  { connect } for  pid=245001 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:keyutils_dns_resolver_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:07.685:1190) : avc:  denied  { read } for  pid=245001 comm=key.dns_resolve name=log dev="devtmpfs" ino=185 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:07.685:1191) : avc:  denied  { sendto } for  pid=245001 comm=key.dns_resolve path=/run/systemd/journal/dev-log scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(11.08.2023 14:46:15.993:1192) : avc:  denied  { connectto } for  pid=245193 comm=key.dns_resolve path=/run/avahi-daemon/socket scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(12.08.2023 09:00:16.505:428) : avc:  denied  { write } for  pid=160980 comm=key.dns_resolve name=socket dev="tmpfs" ino=1700 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(12.08.2023 09:00:16.505:429) : avc:  denied  { connectto } for  pid=160980 comm=key.dns_resolve path=/run/avahi-daemon/socket scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket permissive=1

Note You need to log in before you can comment on or make changes to this bug.