Bug 2250935 - SELinux is preventing systemd from 'bind' accesses on the netlink_netfilter_socket labeled init_t.
Summary: SELinux is preventing systemd from 'bind' accesses on the netlink_netfilter_s...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:9fc85b3070ddc8db0bf5c68926a...
Duplicates: 2250934 2250936 2250937 2250938 2253600 2253601 2253602 2254988 2254992
Depends On:
Blocks:
Reported: 2023-11-21 20:58 UTC by Mikhail
Modified: 2024-05-25 04:25 UTC (History)
CC: 11 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-01-25 11:23:49 UTC
Type: ---
Embargoed:


Attachments
File: description (1.90 KB, text/plain)
2023-11-21 20:58 UTC, Mikhail
File: os_info (770 bytes, text/plain)
2023-11-21 20:58 UTC, Mikhail


Links
Github fedora-selinux/selinux-policy pull 1981 (Merged): Allow init create and use netlink netfilter socket; last updated 2023-12-21 15:33:21 UTC

Description Mikhail 2023-11-21 20:58:21 UTC
Description of problem:
Update systemd from 254.5-2.fc40 to 255~rc2-1.fc40 version
SELinux is preventing systemd from 'bind' accesses on the netlink_netfilter_socket labeled init_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed bind access on netlink_netfilter_socket labeled init_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                Unknown [ netlink_netfilter_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.5-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.5-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.7.0-0.rc2.22.fc40.x86_64+debug
                              #1 SMP PREEMPT_DYNAMIC Mon Nov 20 14:05:16 UTC
                              2023 x86_64
Alert Count                   1
First Seen                    2023-11-22 01:55:16 +05
Last Seen                     2023-11-22 01:55:16 +05
Local ID                      b3adb800-d7d3-483e-be0e-a6f617dd94d9

Raw Audit Messages
type=AVC msg=audit(1700600116.340:1437): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1


Hash: systemd,init_t,init_t,netlink_netfilter_socket,bind

Version-Release number of selected component:
selinux-policy-targeted-40.5-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing systemd from 'bind' accesses on the netlink_netfilter_socket labeled init_t.
package:        selinux-policy-targeted-40.5-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.7.0-0.rc2.22.fc40.x86_64+debug
comment:        Update systemd from 254.5-2.fc40 to 255~rc2-1.fc40 version
component:      selinux-policy

Comment 1 Mikhail 2023-11-21 20:58:23 UTC
Created attachment 2000757 [details]
File: description

Comment 2 Mikhail 2023-11-21 20:58:25 UTC
Created attachment 2000758 [details]
File: os_info

Comment 3 Zdenek Pytela 2023-11-22 07:49:10 UTC
*** Bug 2250934 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2023-11-22 07:49:18 UTC
*** Bug 2250936 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2023-11-22 07:49:32 UTC
*** Bug 2250938 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2023-11-22 07:50:02 UTC
*** Bug 2250937 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2023-11-22 07:52:37 UTC
Mikhail,

Unlike the other denial, this one does not appear out of the box, do you happen to know what makes it pop up?

Comment 8 Zdenek Pytela 2023-12-04 12:50:42 UTC
Please try the latest packages if the issue still reproduces:
# rpm -q systemd selinux-policy
systemd-255~rc4-3.fc40.x86_64
selinux-policy-40.6-1.fc40.noarch

If yes, please attach the denials from full auditing mode.
https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Comment 9 Zdenek Pytela 2023-12-08 11:16:47 UTC
*** Bug 2253602 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2023-12-08 11:16:56 UTC
*** Bug 2253601 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2023-12-08 11:17:06 UTC
*** Bug 2253600 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2023-12-08 11:35:58 UTC
Reproducible on systemd update, triggered by some rpm scriptlet.
systemd-255-1.fc40.x86_64


----
type=AVC msg=audit(12/08/2023 06:07:03.373:259) : avc:  denied  { create } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1 
----
type=AVC msg=audit(12/08/2023 06:07:03.373:260) : avc:  denied  { getopt } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1 
----
type=AVC msg=audit(12/08/2023 06:07:03.373:261) : avc:  denied  { setopt } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1 
----
type=AVC msg=audit(12/08/2023 06:07:03.373:262) : avc:  denied  { bind } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1 
----
type=AVC msg=audit(12/08/2023 06:07:03.373:263) : avc:  denied  { getattr } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1 

systemd       1 [000]   106.441036: avc:selinux_audited: requested=0x8 denied=0x8 audited=0x8 res>
        ffffffffaf70b705 avc_audit_post_callback+0x205 ([kernel.kallsyms])
        ffffffffaf70b705 avc_audit_post_callback+0x205 ([kernel.kallsyms])
        ffffffffaf73473f common_lsm_audit+0x2af ([kernel.kallsyms])
        ffffffffaf70c91c slow_avc_audit+0xbc ([kernel.kallsyms])
        ffffffffaf70d191 avc_has_perm+0xc1 ([kernel.kallsyms])
        ffffffffaf712741 selinux_socket_create+0xc1 ([kernel.kallsyms])
        ffffffffaf709991 security_socket_create+0x41 ([kernel.kallsyms])
        ffffffffafd4bce7 __sock_create+0x67 ([kernel.kallsyms])
        ffffffffafd4e93d __sys_socket+0x8d ([kernel.kallsyms])
        ffffffffafd4e9e7 __x64_sys_socket+0x17 ([kernel.kallsyms])
        ffffffffafff1461 do_syscall_64+0x61 ([kernel.kallsyms])
        ffffffffb02000ea entry_SYSCALL_64_after_hwframe+0x6e ([kernel.kallsyms])
            7f82a772e64b __socket+0xb (/usr/lib64/libc.so.6)
            7f82a7ac1abe netlink_open_family+0x1e (/usr/lib64/systemd/libsystemd-shared-255-1.fc4>
            7f82a79260ba fw_nftables_init_full+0x4a (/usr/lib64/systemd/libsystemd-shared-255-1.f>
            7f82a792634b firewall_backend_probe+0x12b (inlined)
            7f82a792634b fw_ctx_new_full+0x12b (/usr/lib64/systemd/libsystemd-shared-255-1.fc40.s>
            7f82a7f74f8d unit_modify_user_nft_set+0x22d (/usr/lib64/systemd/libsystemd-core-255-1>
            7f82a7f75144 unit_ref_uid_gid+0x84 (/usr/lib64/systemd/libsystemd-core-255-1.fc40.so)
            7f82a7f5d610 unit_deserialize_state+0x2100 (/usr/lib64/systemd/libsystemd-core-255-1.>
            7f82a7f002c0 manager_deserialize_one_unit+0x3c0 (inlined)
            7f82a7f002c0 manager_deserialize_units+0x3c0 (inlined)
            7f82a7f002c0 manager_deserialize+0x3c0 (/usr/lib64/systemd/libsystemd-core-255-1.fc40>
            7f82a7f0103d manager_startup+0x1ed (/usr/lib64/systemd/libsystemd-core-255-1.fc40.so)
            5588747b87fc main+0x157c (/usr/lib/systemd/systemd)
            7f82a7645149 __libc_start_call_main+0x79 (/usr/lib64/libc.so.6)
            7f82a764520a __libc_start_main@@GLIBC_2.34+0x8a (/usr/lib64/libc.so.6)
            5588747ba7f4 _start+0x24 (/usr/lib/systemd/systemd)
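
The five denials in comment 12 above, aggregated into the allow rule audit2allow would propose and split by whether the call actually failed. This is an added example, not code from the report or from selinux-policy; the parser, the sixth record with comm=example_d and the example_t/example_var_t types are constructed for illustration.

```python
import re

# Constructed sample: the five AVC records from comment 12 above, plus one
# made-up enforcing-mode record (permissive=0) for a hypothetical domain.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/08/2023 06:07:03.373:259) : avc:  denied  { create } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(12/08/2023 06:07:03.373:260) : avc:  denied  { getopt } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(12/08/2023 06:07:03.373:261) : avc:  denied  { setopt } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(12/08/2023 06:07:03.373:262) : avc:  denied  { bind } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(12/08/2023 06:07:03.373:263) : avc:  denied  { getattr } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(12/08/2023 06:07:09.000:300) : avc:  denied  { read write } for  pid=4242 comm=example_d scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_var_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def _type_of(context):
    return context.split(":")[2]  # user:role:type:level -> type

def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        entry = groups.setdefault(key, {"perms": set(), "enforced": False})
        entry["perms"].update(m["perms"].split())
        # permissive=0: the call failed; permissive=1 (this report): logged only.
        if m["permissive"] == "0":
            entry["enforced"] = True
    return groups

def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose,
    writing 'self' when source and target types coincide (init_t here)."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(groups.items()):
        target = "self" if stype == ttype else ttype
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {stype} {target}:{tclass} {{ {perms} }};")
    return rules

def enforced_rules(groups):
    """Only the groups whose denials actually failed: triage these first."""
    return allow_rules({k: v for k, v in groups.items() if v["enforced"]})
```

Feeding the output of `ausearch -m avc -i` to `parse_avc` reproduces the grouping audit2allow does, and the enforced/logged-only split tells you whether a denial seen in Permissive mode (as here) would break the update once the policy is enforced.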

Comment 13 Zdenek Pytela 2023-12-18 11:57:19 UTC
*** Bug 2254988 has been marked as a duplicate of this bug. ***

Comment 14 Zdenek Pytela 2023-12-18 11:57:27 UTC
*** Bug 2254992 has been marked as a duplicate of this bug. ***

Comment 16 Red Hat Bugzilla 2024-05-25 04:25:12 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
