Description of problem:
Mount an SMB share

SELinux is preventing key.dns_resolve from 'setattr' accesses on the key Unbekannt.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that key.dns_resolve should be allowed setattr access on the Unbekannt key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'key.dns_resolve' --raw | audit2allow -M my-keydnsresolve
# semodule -X 300 -i my-keydnsresolve.pp

Additional Information:
Source Context                system_u:system_r:keyutils_dns_resolver_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unbekannt [ key ]
Source                        key.dns_resolve
Source Path                   key.dns_resolve
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.32-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.32-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.7.7-100.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Mar 1 16:51:49 UTC 2024 x86_64
Alert Count                   4
First Seen                    2024-04-02 13:49:32 CEST
Last Seen                     2024-04-02 13:49:48 CEST
Local ID                      e23baf35-e26b-4c78-b4b7-408ac607cd1c

Raw Audit Messages
type=AVC msg=audit(1712058588.587:38532): avc: denied { setattr } for pid=1342493 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

Hash: key.dns_resolve,keyutils_dns_resolver_t,kernel_t,key,setattr

Version-Release number of selected component:
selinux-policy-targeted-38.32-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing key.dns_resolve from 'setattr' accesses on the key Unbekannt.
package:        selinux-policy-targeted-38.32-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.7.7-100.fc38.x86_64
comment:        Mount an SMB share
component:      selinux-policy
Created attachment 2024735 [details] File: description
Created attachment 2024736 [details] File: os_info
Frank, Can you reproduce this with full auditing enabled? https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
I have tried it many times. It looks like something else must also happen to trigger it.
*** Bug 2278611 has been marked as a duplicate of this bug. ***
*** Bug 2279469 has been marked as a duplicate of this bug. ***
Updating the version field, needs to be backported also to F39 once troubleshooting is done.
*** Bug 2280311 has been marked as a duplicate of this bug. ***
*** Bug 2290577 has been marked as a duplicate of this bug. ***
*** Bug 2290885 has been marked as a duplicate of this bug. ***
This occurred repeatedly after mounting a macOS share:

Raw Audit Messages
type=AVC msg=audit(1718475247.329:554): avc: denied { setattr } for pid=24179 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

selinux-policy-39.7-1.fc39.noarch
selinux-policy-targeted-39.7-1.fc39.noarch
keyutils-1.6.3-1.fc39.x86_64
systemd-254.13-1.fc39.x86_64
kernel 6.9.4-100.fc39.x86_64

macOS is 12.7.5 (Monterey), fully updated.

Mount options from /etc/fstab:
//[mac-hostname].lan/admin\342\200\231s\040Public\040Folder /mnt/smb smb3 noauto,uid=1000,forceuid,gid=1000,forcegid,credentials=/home/[fedora-username]/.smb3credentials 0 0
AVCs with full auditing enabled. These AVCs are occurring once per second. AVCs logged before full auditing was enabled have been removed.

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
...
----
type=PROCTITLE msg=audit(06/15/2024 12:29:00.759:330) : proctitle=key.dns_resolver 935646915
type=SYSCALL msg=audit(06/15/2024 12:29:00.759:330) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x37c4d6c3 a2=0x5 a3=0x55d974fca2b4 items=0 ppid=96 pid=3219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null)
type=AVC msg=audit(06/15/2024 12:29:00.759:330) : avc: denied { setattr } for pid=3219 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=PROCTITLE msg=audit(06/15/2024 12:30:02.125:347) : proctitle=key.dns_resolver 323849078
type=SYSCALL msg=audit(06/15/2024 12:30:02.125:347) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x134d8b76 a2=0x5 a3=0x55ce1d52e2b4 items=0 ppid=3120 pid=3290 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null)
type=AVC msg=audit(06/15/2024 12:30:02.125:347) : avc: denied { setattr } for pid=3290 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=PROCTITLE msg=audit(06/15/2024 12:31:03.565:353) : proctitle=key.dns_resolver 972033890
type=SYSCALL msg=audit(06/15/2024 12:31:03.565:353) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x39f00f62 a2=0x5 a3=0x55fcfb3af2b4 items=0 ppid=3120 pid=3336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null)
type=AVC msg=audit(06/15/2024 12:31:03.565:353) : avc: denied { setattr } for pid=3336 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
(In reply to Steve from comment #12)
...
> These AVCs are occurring once per second.

Correction: These AVCs are occurring once per _minute_.
(In reply to Zdenek Pytela from comment #3)
...
> Can you reproduce this with full auditing enabled?
> https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Those instructions really need to be updated, because the "auditctl" command can be used without editing any files or rebooting. Since the previous report identified the relevant system call as "keyctl", I tried this:

# auditctl -D
No rules
# auditctl -A exit,always -F arch=x86_64 -S keyctl
# auditctl -l
-a always,exit -F arch=b64 -S keyctl

Run reproducer here.

Restore default configuration:

# auditctl -R /etc/audit/rules.d/audit.rules
No rules
# auditctl -l
-a never,task

That could be improved by someone with more expertise than I have.

Here is a sample audit record with that configuration and the SMB mount reproducer. Notably, the "/sbin/request-key" command is identified:

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
...
----
type=PROCTITLE msg=audit(06/15/2024 17:14:05.001:591) : proctitle=/sbin/request-key create 702919827 0 0 947349407 0 632600970
type=SYSCALL msg=audit(06/15/2024 17:14:05.001:591) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x29e5b493 a2=0x5 a3=0x55d872daf2b4 items=0 ppid=5830 pid=6860 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null)
type=AVC msg=audit(06/15/2024 17:14:05.001:591) : avc: denied { setattr } for pid=6860 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
Here is a procedure using "auditctl" and the name of the command in the original AVC. The "exe" rule requires an absolute path:

$ which key.dns_resolver
/usr/sbin/key.dns_resolver
# auditctl -D
No rules
# auditctl -A always,exit -F arch=b64 -F exe=/usr/sbin/key.dns_resolver
# auditctl -l
-a always,exit -F arch=b64 -S all -F exe=/usr/sbin/key.dns_resolver
# mount /mnt/smb

Wait for up to a minute for an SELinux alert.

# umount /mnt/smb
# auditctl -R /etc/audit/rules.d/audit.rules

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
...
----
type=PROCTITLE msg=audit(06/15/2024 21:53:59.704:3017) : proctitle=key.dns_resolver 907940625
type=SYSCALL msg=audit(06/15/2024 21:53:59.704:3017) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x361e1311 a2=0x5 a3=0x558e141272b4 items=0 ppid=9221 pid=9238 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null)
type=AVC msg=audit(06/15/2024 21:53:59.704:3017) : avc: denied { setattr } for pid=9238 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
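As an added illustration (not part of this bug report or of the selinux-policy, keyutils or audit projects), the script below reads records of the kind quoted in the full-auditing comments above and in the original description, correlates the SYSCALL and AVC records of one event by their audit serial number (the number after the timestamp in msg=audit(...)), decodes the keyctl operation from the a0 register using the operation numbers from linux/keyctl.h (0xf is KEYCTL_SET_TIMEOUT), and renders the denial as the allow rule audit2allow would derive from it. The sample input is constructed from records already quoted in this bug; the function and variable names are my own.

```python
import re
from collections import defaultdict

# keyctl(2) operation numbers from linux/keyctl.h; for a keyctl SYSCALL record
# the audit a0 field holds this number (0xf == 15 == KEYCTL_SET_TIMEOUT).
KEYCTL_OPS = {
    0: "KEYCTL_GET_KEYRING_ID", 1: "KEYCTL_JOIN_SESSION_KEYRING", 2: "KEYCTL_UPDATE",
    3: "KEYCTL_REVOKE", 4: "KEYCTL_CHOWN", 5: "KEYCTL_SETPERM", 6: "KEYCTL_DESCRIBE",
    7: "KEYCTL_CLEAR", 8: "KEYCTL_LINK", 9: "KEYCTL_UNLINK", 10: "KEYCTL_SEARCH",
    11: "KEYCTL_READ", 12: "KEYCTL_INSTANTIATE", 13: "KEYCTL_NEGATE",
    14: "KEYCTL_SET_REQKEY_KEYRING", 15: "KEYCTL_SET_TIMEOUT", 16: "KEYCTL_ASSUME_AUTHORITY",
}

# Constructed sample: one interpreted (ausearch -i) PROCTITLE/SYSCALL/AVC triple and one
# raw AVC record without a matching SYSCALL record, copied from this bug's comments.
SAMPLE = """\
type=PROCTITLE msg=audit(06/15/2024 12:29:00.759:330) : proctitle=key.dns_resolver 935646915
type=SYSCALL msg=audit(06/15/2024 12:29:00.759:330) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x37c4d6c3 a2=0x5 a3=0x55d974fca2b4 items=0 ppid=96 pid=3219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null)
type=AVC msg=audit(06/15/2024 12:29:00.759:330) : avc: denied { setattr } for pid=3219 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1712058588.587:38532): avc: denied { setattr } for pid=1342493 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
"""

_SERIAL = re.compile(r"msg=audit\(([^)]*?):(\d+)\)")   # (timestamp, serial)
_KV = re.compile(r"(\w+)=(\S+)")                       # key=value tokens
_PERMS = re.compile(r"denied\s*\{([^}]*)\}")           # the { perm ... } set of an AVC


def parse_record(line):
    """Turn one audit record line into a dict; returns None for non-audit lines."""
    m = _SERIAL.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}  # raw records quote comm=
    rec["timestamp"], rec["serial"] = m.group(1), int(m.group(2))
    p = _PERMS.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    return rec


def group_events(text):
    """Group records by serial number, as ausearch does, keyed by record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return events


def context_type(ctx):
    """Extract the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Render an AVC record as the TE allow rule audit2allow would emit for it."""
    perms = avc["perms"]
    pset = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"allow {context_type(avc['scontext'])} "
            f"{context_type(avc['tcontext'])}:{avc['tclass']} {pset};")


def explain_denials(text):
    """Summarise every AVC denial in the text, attaching syscall detail when present."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        avc = recs.get("AVC")
        if not avc:
            continue
        entry = {"serial": serial, "rule": allow_rule(avc),
                 "enforced": avc.get("permissive") == "0"}
        sc = recs.get("SYSCALL")
        if sc and sc.get("syscall") == "keyctl":
            op = int(sc["a0"], 16)
            entry["keyctl_op"] = KEYCTL_OPS.get(op, f"unknown({op})")
            entry["syscall_success"] = sc.get("success") == "yes"
            entry["exe"] = sc.get("exe")
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in explain_denials(SAMPLE):
        print(entry)
```

Pipe real `ausearch -i` output into explain_denials instead of SAMPLE to use it on a live system. Two things the summary makes visible that the raw lines hide: the denied operation in this bug is the key-timeout update that key.dns_resolver performs after a lookup, which the kernel checks against the key's setattr permission, and the SYSCALL record reports success=yes alongside the enforced denial, so the resolver keeps working while the AVC keeps repeating, which matches the once-per-minute pattern reported above.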
FEDORA-2024-995d585c91 (selinux-policy-40.27-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-995d585c91
FEDORA-2024-995d585c91 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-995d585c91` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-995d585c91 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-995d585c91 (selinux-policy-40.27-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.