The following avc denial happens when booting on s390x machines:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-40.12-1.fc40.noarch
----
time->Sun Feb 11 07:58:04 2024
type=AVC msg=audit(1707656284.212:633): avc: denied { read write } for pid=4373 comm="16" name="z90crypt" dev="devtmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
----
time->Sun Feb 11 07:58:04 2024
type=AVC msg=audit(1707656284.212:634): avc: denied { open } for pid=4373 comm="16" path="/dev/z90crypt" dev="devtmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
----
time->Sun Feb 11 07:58:04 2024
type=AVC msg=audit(1707656284.212:635): avc: denied { ioctl } for pid=4373 comm="16" path="/dev/z90crypt" dev="devtmpfs" ino=113 ioctlcmd=0x7a05 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1

Reproducible: Always

Steps to Reproduce:
1. Boot latest rawhide on s390x machines

example with full audit:

Bruno,

Can you share some additional information? Like why systemd needs the access or if there is a service involved, if it is expected systemd-logind needs the access, what kind of interaction with rpc there is? Were there some modifications made to the system configuration?

brief audit2allow output:
allow init_t crypt_device_t:chr_file { ioctl open read write };
allow rpcd_t crypt_device_t:chr_file { ioctl open read write };
allow systemd_logind_t crypt_device_t:chr_file { ioctl open read write };

Details:
----
type=PROCTITLE msg=audit(02/12/2024 03:41:02.990:225) : proctitle=/usr/lib/systemd/systemd-executor --deserialize 39 --log-level info --log-target journal-or-kmsg
type=AVC msg=audit(02/12/2024 03:41:02.990:225) : avc: denied { read write } for pid=2380 comm=16 name=z90crypt dev="devtmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(02/12/2024 03:41:02.990:225) : avc: denied { open } for pid=2380 comm=16 path=/dev/z90crypt dev="devtmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(02/12/2024 03:41:02.990:225) : arch=s390x syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x3ffafae03b0 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2380 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=16 exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null)
type=PATH msg=audit(02/12/2024 03:41:02.990:225) : item=0 name=/dev/z90crypt inode=113 dev=00:05 mode=character,666 ouid=root ogid=root rdev=0a:7a obj=system_u:object_r:crypt_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
----
type=PROCTITLE msg=audit(02/12/2024 03:41:03.270:251) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 0
type=AVC msg=audit(02/12/2024 03:41:03.270:251) : avc: denied { read write } for pid=2421 comm=systemd-user-ru name=z90crypt dev="devtmpfs" ino=113 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(02/12/2024 03:41:03.270:251) : avc: denied { open } for pid=2421 comm=systemd-user-ru path=/dev/z90crypt dev="devtmpfs" ino=113 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(02/12/2024 03:41:03.270:251) : arch=s390x syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x3ffaca603b0 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2421 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PATH msg=audit(02/12/2024 03:41:03.270:251) : item=0 name=/dev/z90crypt inode=113 dev=00:05 mode=character,666 ouid=root ogid=root rdev=0a:7a obj=system_u:object_r:crypt_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
----
type=PROCTITLE msg=audit(02/12/2024 03:41:58.471:148) : proctitle=/usr/sbin/sm-notify
type=AVC msg=audit(02/12/2024 03:41:58.471:148) : avc: denied { read write } for pid=1106 comm=sm-notify name=z90crypt dev="devtmpfs" ino=113 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(02/12/2024 03:41:58.471:148) : avc: denied { open } for pid=1106 comm=sm-notify path=/dev/z90crypt dev="devtmpfs" ino=113 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(02/12/2024 03:41:58.471:148) : arch=s390x syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x3ff8f4603b0 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1106 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sm-notify exe=/usr/sbin/sm-notify subj=system_u:system_r:rpcd_t:s0 key=(null)
type=PATH msg=audit(02/12/2024 03:41:58.471:148) : item=0 name=/dev/z90crypt inode=113 dev=00:05 mode=character,666 ouid=root ogid=root rdev=0a:7a obj=system_u:object_r:crypt_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0

I'm not doing anything in particular; this can be easily reproduced in Beaker using Fedora-Rawhide-20240211.n.0. Just have a test that reports results using restraint, as restraint has an AVC check task and it will detect it.

Another similar denial; it seems to have happened when uploading some core files. The script is:
https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/blob/main/distribution/ltp/lite/grab_corefiles.sh?ref_type=heads
https://datawarehouse.cki-project.org/kcidb/tests/11386782#result-17401171

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-40.13-1.eln135.noarch
----
time->Mon Jan 18 22:14:06 2038
type=PROCTITLE msg=audit(2147483646.489:386): proctitle=2F7573722F7362696E2F756E626F756E642D616E63686F72002D66002F6574632F7265736F6C762E636F6E66002D52
type=SYSCALL msg=audit(2147483646.489:386): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3ffeae7a330 a3=3ffeae7a280 items=0 ppid=54462 pid=54464 auid=4294967295 uid=994 gid=994 euid=994 suid=994 fsuid=994 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="unbound-anchor" exe="/usr/sbin/unbound-anchor" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(2147483646.489:386): avc: denied { ioctl } for pid=54464 comm="unbound-anchor" path="/dev/z90crypt" dev="devtmpfs" ino=99 ioctlcmd=0x7a05 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1

another one
https://datawarehouse.cki-project.org/kcidb/tests/11386796#result-17397401

time->Sun Feb 18 09:08:05 2024
type=PROCTITLE msg=audit(1708265285.126:456): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F65746830002D2D7072656669783D2F6E65742F697076342F6E656967682F65746830002D2D7072656669783D2F6E65742F697076362F636F6E662F65746830002D2D707265666978
type=SYSCALL msg=audit(1708265285.126:456): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3ffd27fa5b0 a3=3ffd27fa500 items=0 ppid=388148 pid=389698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1708265285.126:456): avc: denied { ioctl } for pid=389698 comm="systemd-sysctl" path="/dev/z90crypt" dev="devtmpfs" ino=99 ioctlcmd=0x7a05 scontext=system_u:system_r:systemd_sysctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1

I think it comes from openssl https://github.com/openssl/openssl/blob/openssl-3.2.1/crypto/s390xcap.c#L219
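
Added example, not part of the bug thread or of any tool named in it: a Python sketch of how the raw records above collapse into the audit2allow-style summary, and how the hex proctitle and the ioctl request in the SYSCALL record decode. The records in SAMPLE are copied from the comments above; the function names are this example's own, the rule formatting only mimics audit2allow, and the ioctl split assumes the asm-generic `_IOC` bit layout.

```python
import re
from collections import defaultdict

# Raw records copied from the comments above: event 386 (unbound-anchor) and the
# three init_t AVC records from the first report.
SAMPLE = r"""
type=PROCTITLE msg=audit(2147483646.489:386): proctitle=2F7573722F7362696E2F756E626F756E642D616E63686F72002D66002F6574632F7265736F6C762E636F6E66002D52
type=SYSCALL msg=audit(2147483646.489:386): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3ffeae7a330 a3=3ffeae7a280 items=0 ppid=54462 pid=54464 auid=4294967295 uid=994 gid=994 euid=994 suid=994 fsuid=994 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="unbound-anchor" exe="/usr/sbin/unbound-anchor" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(2147483646.489:386): avc: denied { ioctl } for pid=54464 comm="unbound-anchor" path="/dev/z90crypt" dev="devtmpfs" ino=99 ioctlcmd=0x7a05 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1707656284.212:633): avc: denied { read write } for pid=4373 comm="16" name="z90crypt" dev="devtmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1707656284.212:634): avc: denied { open } for pid=4373 comm="16" path="/dev/z90crypt" dev="devtmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1707656284.212:635): avc: denied { ioctl } for pid=4373 comm="16" path="/dev/z90crypt" dev="devtmpfs" ino=113 ioctlcmd=0x7a05 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
"""

REC = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
AVC = re.compile(r"denied\s+\{ ([^}]*)\}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def decode_proctitle(value):
    """proctitle is hex-encoded when argv contains NUL separators; quoted otherwise."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace")

def decode_ioctl(request):
    """Split an ioctl request into (direction, arg size, type char, number)."""
    direction = {0: "none", 1: "write", 2: "read", 3: "read|write"}[(request >> 30) & 3]
    return direction, (request >> 16) & 0x3FFF, chr((request >> 8) & 0xFF), request & 0xFF

def group_events(text):
    """Group records by audit event id (timestamp:serial), then by record type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = REC.match(line.strip())
        if m:
            events[m.group(2)][m.group(1)].append(m.group(3))
    return events

def allow_rules(text):
    """Merge AVC denials per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for ev in group_events(text).values():
        for body in ev["AVC"]:
            m = AVC.search(body)
            if m:
                key = (m.group(2).split(":")[2], m.group(3).split(":")[2], m.group(4))
                perms[key].update(m.group(1).split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = " ".join(sorted(p))
        rules.append(f"allow {src} {tgt}:{cls} " + (f"{{ {plist} }};" if len(p) > 1 else f"{plist};"))
    return rules

def ioctl_context(text):
    """For each event with an ioctl denial: (event id, command line, decoded request)."""
    out = []
    for eid, ev in group_events(text).items():
        if not any("ioctlcmd=" in body for body in ev["AVC"]):
            continue
        title = next(iter(ev["PROCTITLE"]), "")
        # The AVC's ioctlcmd (0x7a05) is the low 16 bits of a1 in the SYSCALL record.
        call = re.search(r"\ba1=([0-9a-f]+)", next(iter(ev["SYSCALL"]), ""))
        out.append((eid,
                    decode_proctitle(title.partition("proctitle=")[2]) if title else None,
                    decode_ioctl(int(call.group(1), 16)) if call else None))
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    for row in ioctl_context(SAMPLE):
        print(row)
```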