Bug 2275266 - avc: denied { getattr } for pid=79656 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=17705170 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
low
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Duplicates: 2275863 2276240
Reported: 2024-04-16 11:02 UTC by Bruno Goncalves
Modified: 2024-04-26 10:40 UTC (History)
Last Closed: 2024-04-26 10:40:28 UTC
Type: ---

Links:
GitHub fedora-selinux/selinux-policy pull 2094 (open): Update the auth_dontaudit_read_passwd_file() interface, last updated 2024-04-24 18:21:27 UTC

Description Bruno Goncalves 2024-04-16 11:02:39 UTC
The following AVC denials show up often during our tests:

avc: denied { getattr } for pid=79656 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=17705170 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1


Reproducible: Always

Steps to Reproduce:
1. I'm not sure exactly how to reproduce it, but we have been hitting this often

example: https://datawarehouse.cki-project.org/kcidb/tests/12048573

test source: https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/tree/main/stress/stress-ng?ref_type=heads

But it affects multiple tests that we run: https://datawarehouse.cki-project.org/issue/2656#tests

Comment 1 Bruno Goncalves 2024-04-16 11:03:08 UTC
An example with audit enabled:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-40.16-1.fc41.noarch
----
time->Mon Apr 15 10:18:34 2024
type=PROCTITLE msg=audit(1713190714.691:152): proctitle=2F7573722F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73656C696E75782D6175746F72656C6162656C2D67656E657261746F722E7368002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E
type=SYSCALL msg=audit(1713190714.691:152): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffee5903f70 a2=7f4739d77ea0 a3=0 items=0 ppid=2121 pid=2124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux-autorel" exe="/usr/bin/bash" subj=system_u:system_r:selinux_autorelabel_generator_t:s0 key=(null)
type=AVC msg=audit(1713190714.691:152): avc:  denied  { getattr } for  pid=2124 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Mon Apr 15 10:18:44 2024
type=PROCTITLE msg=audit(1713190724.117:246): proctitle=2F7573722F62696E2F62617368002F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73656C696E75782D6175746F72656C6162656C2D67656E657261746F722E7368002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E
type=SYSCALL msg=audit(1713190724.117:246): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc17cce920 a2=7f428f21dea0 a3=0 items=0 ppid=2786 pid=2789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux-autorel" exe="/usr/bin/bash" subj=system_u:system_r:selinux_autorelabel_generator_t:s0 key=(null)
type=AVC msg=audit(1713190724.117:246): avc:  denied  { getattr } for  pid=2789 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

Comment 2 Zdenek Pytela 2024-04-22 13:14:30 UTC
Thanks for the report. This issue does not manifest in enforcing mode though.

Comment 3 Zdenek Pytela 2024-04-22 13:46:02 UTC
(In reply to Bruno Goncalves from comment #0)
> The following avc denials shows often during our tests:
> 
> avc: denied { getattr } for pid=79656 comm="selinux-autorel"
> path="/etc/passwd" dev="dm-0" ino=17705170
> scontext=system_u:system_r:selinux_autorelabel_generator_t:s0
> tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
> 
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1.I'm not sure exactly how to reproduce it, but we have been hitting this
> often
It should be as easy as
systemctl daemon-reload

This is the current state:
f41# sesearch -A --dontaudit -s selinux_autorelabel_generator_t -t passwd_file_t -c file 
...
dontaudit selinux_autorelabel_generator_t passwd_file_t:file { open read };

The confined generator was tested only in enforcing mode.
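Added example (not code from the report, from PR 2094, or from the selinux-policy project): a small Python checker that parses the AVC records quoted in this bug together with sesearch-style rule lines, and reports which requested permissions no dontaudit rule covers. It models the point of comment 3: the existing rule silences only { open read }, so a getattr check on passwd_file_t is still logged. The rule labelled RULES_AFTER is an assumed shape of the fix (getattr added to the same interface), not text taken from the pull request; the matcher compares plain type names as sesearch prints them and does not expand attributes.

```python
import re

# AVC_LINES: the two records from comment 1, plus one constructed record
# with a multi-permission set to exercise the parser (a real dontaudit rule
# would have suppressed that third record; it is here only as sample input).
AVC_LINES = [
    'type=AVC msg=audit(1713190714.691:152): avc:  denied  { getattr } for  pid=2124 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1713190724.117:246): avc:  denied  { getattr } for  pid=2789 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
    # constructed, not from the audit log:
    'type=AVC msg=audit(1713190724.118:247): avc:  denied  { read open } for  pid=2789 comm="selinux-autorel" path="/etc/passwd" dev="dm-0" ino=16948602 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
]

# Rule lines as sesearch prints them. RULES_BEFORE is the output quoted in
# comment 3 (the "..." line is there to show that filler is skipped).
RULES_BEFORE = [
    "...",
    "dontaudit selinux_autorelabel_generator_t passwd_file_t:file { open read };",
]
# Assumed shape of the fix: getattr added to the same dontaudit rule.
RULES_AFTER = [
    "dontaudit selinux_autorelabel_generator_t passwd_file_t:file { getattr open read };",
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(
    r'^(?P<kind>allow|dontaudit)\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\S+?));?\s*$'
)


def parse_avc(line):
    """Split one AVC record into the pieces a policy lookup needs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        # user:role:type:level -> type is the third component
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1: the access was allowed anyway, only logged
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm', ''),
        'path': fields.get('path', ''),
    }


def parse_rules(rule_lines):
    """Parse sesearch-style allow/dontaudit lines; anything else is skipped."""
    rules = []
    for line in rule_lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = set(m.group('perms').split()) if m.group('perms') else {m.group('perm')}
        rules.append((m.group('kind'), m.group('src'), m.group('tgt'), m.group('cls'), perms))
    return rules


def silenced_perms(avc, rules):
    """Union of permissions that dontaudit rules suppress for this (src, tgt, class)."""
    covered = set()
    for kind, src, tgt, cls, perms in rules:
        if kind == 'dontaudit' and (src, tgt, cls) == (avc['stype'], avc['ttype'], avc['tclass']):
            covered |= perms
    return covered


def audit_gaps(avc_lines, rule_lines):
    """For each record, the requested perms that no dontaudit rule covers.

    dontaudit applies in permissive mode just as in enforcing mode, so a
    non-empty gap means the record is logged under the given policy."""
    rules = parse_rules(rule_lines)
    gaps = []
    for line in avc_lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        missing = avc['perms'] - silenced_perms(avc, rules)
        if missing:
            gaps.append((avc['stype'], avc['ttype'], avc['tclass'], frozenset(missing)))
    return gaps


if __name__ == '__main__':
    for label, rules in (('before', RULES_BEFORE), ('after (assumed fix)', RULES_AFTER)):
        print(label, audit_gaps(AVC_LINES, rules))
```

Run against the quoted sesearch output, the checker reports getattr as uncovered for both real records and nothing for the constructed read/open record; with getattr added to the rule, nothing is reported at all.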

Comment 4 Zdenek Pytela 2024-04-24 19:28:20 UTC
*** Bug 2276240 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2024-04-24 19:33:45 UTC
*** Bug 2275863 has been marked as a duplicate of this bug. ***
