Bug 2280320 - Confine the new nsresourced service
Summary: Confine the new nsresourced service
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2280521
Depends On:
Blocks:
 
Reported: 2024-05-14 07:55 UTC by Bruno Goncalves
Modified: 2024-06-10 10:37 UTC
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-06-10 10:37:29 UTC
Type: ---
Embargoed:


Links:
GitHub fedora-selinux/selinux-policy pull 2135 (open): Add policy for systemd-nsresourced, last updated 2024-05-28 16:27:30 UTC

Description Bruno Goncalves 2024-05-14 07:55:00 UTC
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-40.18-2.eln136.noarch
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:76): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:77): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:78): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=AVC msg=audit(1715617108.404:79): avc:  denied  { listen } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Mon May 13 12:18:28 2024
type=PROCTITLE msg=audit(1715617108.885:97): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1715617108.885:97): arch=c000003e syscall=16 success=no exit=-25 a0=6 a1=5401 a2=7ffecd918bd0 a3=ff items=0 ppid=1 pid=666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715617108.885:97): avc:  denied  { ioctl } for  pid=666 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=100762171 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1


Reproducible: Always

Steps to Reproduce:
1. Booting Fedora-ELN (Fedora-ELN-20240513.3) triggers the AVC denials.

I haven't seen the same problem on Rawhide.

cki issue tracker: https://datawarehouse.cki-project.org/issue/2722

Comment 1 Bruno Goncalves 2024-05-14 10:49:11 UTC
With audit enabled I got:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-40.18-2.eln136.noarch
----
time->Tue May 14 05:59:44 2024
type=PROCTITLE msg=audit(1715680784.545:265): proctitle="/usr/lib/systemd/systemd-nsresourced"
type=SYSCALL msg=audit(1715680784.545:265): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=2401 a2=0 a3=55ff35ca9f70 items=0 ppid=1 pid=565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-nsresou" exe="/usr/lib/systemd/systemd-nsresourced" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1715680784.545:265): avc:  denied  { write } for  pid=565 comm="systemd-nsresou" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.505:77): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.506:78): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.506:79): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=AVC msg=audit(1715680869.506:80): avc:  denied  { listen } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.828:102): proctitle="/usr/lib/systemd/systemd-logind"
type=PATH msg=audit(1715680869.828:102): item=0 name="/usr/lib/systemd/logind.conf" inode=150304 dev=fd:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:init_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1715680869.828:102): cwd="/"
type=SYSCALL msg=audit(1715680869.828:102): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=55f7382d3da0 a2=80000 a3=0 items=1 ppid=1 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:102): avc:  denied  { open } for  pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1715680869.828:102): avc:  denied  { read } for  pid=691 comm="systemd-logind" name="logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.828:103): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1715680869.828:103): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7ffdcfbf73e0 a2=55f73807c2c0 a3=0 items=0 ppid=1 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:103): avc:  denied  { getattr } for  pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.828:104): proctitle="/usr/lib/systemd/systemd-logind"
type=SYSCALL msg=audit(1715680869.828:104): arch=c000003e syscall=16 success=no exit=-25 a0=6 a1=5401 a2=7ffdcfbf7210 a3=ff items=0 ppid=1 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:104): avc:  denied  { ioctl } for  pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.905:107): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=PATH msg=audit(1715680869.905:107): item=0 name="/dev/vsock" inode=298 dev=00:06 mode=020666 ouid=0 ogid=0 rdev=0a:7c obj=system_u:object_r:vsock_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1715680869.905:107): cwd="/"
type=SYSCALL msg=audit(1715680869.905:107): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7f99753424fa a2=80000 a3=0 items=1 ppid=1 pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680869.905:107): avc:  denied  { open } for  pid=701 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1715680869.905:107): avc:  denied  { read } for  pid=701 comm="systemd-hostnam" name="vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
time->Tue May 14 06:01:09 2024
type=PROCTITLE msg=audit(1715680869.905:108): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=SYSCALL msg=audit(1715680869.905:108): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=7b9 a2=7fff3287c5c4 a3=0 items=0 ppid=1 pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680869.905:108): avc:  denied  { ioctl } for  pid=701 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
time->Tue May 14 06:02:29 2024
type=PROCTITLE msg=audit(1715680949.907:141): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=PATH msg=audit(1715680949.907:141): item=0 name="/dev/vsock" inode=298 dev=00:06 mode=020666 ouid=0 ogid=0 rdev=0a:7c obj=system_u:object_r:vsock_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1715680949.907:141): cwd="/"
type=SYSCALL msg=audit(1715680949.907:141): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7f7be99424fa a2=80000 a3=0 items=1 ppid=1 pid=18123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680949.907:141): avc:  denied  { open } for  pid=18123 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1715680949.907:141): avc:  denied  { read } for  pid=18123 comm="systemd-hostnam" name="vsock" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
----
time->Tue May 14 06:02:29 2024
type=PROCTITLE msg=audit(1715680949.907:142): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=SYSCALL msg=audit(1715680949.907:142): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=7b9 a2=7ffcbeba5db4 a3=0 items=0 ppid=1 pid=18123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1715680949.907:142): avc:  denied  { ioctl } for  pid=18123 comm="systemd-hostnam" path="/dev/vsock" dev="devtmpfs" ino=298 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1

Comment 3 Zdenek Pytela 2024-05-17 17:45:15 UTC
This one is new:
----
type=PROCTITLE msg=audit(1715680784.545:265): proctitle="/usr/lib/systemd/systemd-nsresourced"
type=SYSCALL msg=audit(1715680784.545:265): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=2401 a2=0 a3=55ff35ca9f70 items=0 ppid=1 pid=565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-nsresou" exe="/usr/lib/systemd/systemd-nsresourced" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1715680784.545:265): avc:  denied  { write } for  pid=565 comm="systemd-nsresou" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=1
----

The rest seem to be duplicates.

Anyway, I cannot reproduce this one. Do you know what the triggering condition is?
Did you notice any service failing?
What is the systemd version?
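
An added example, not part of the bug report or of the selinux-policy project, of the triage done by hand in the comment above: parse the AVC records, collapse them by source type, target type and object class, and emit an audit2allow-style summary so the one unfamiliar denial (init_t on perf_event from systemd-nsresourced) stands apart from the repeated vsock_socket and logind.conf ones. The sample lines are constructed copies of records on this page, covering both the raw audit.log form and the ausearch -i form from the later comment. The allow lines are a triage aid only; as the linked pull request title says, the fix is a dedicated policy for systemd-nsresourced rather than widening init_t.

```python
import re

# Constructed sample: AVC records copied in shape from the report above.
# The first six are in raw audit.log form (numeric timestamps, quoted values),
# the last is in the ausearch -i form used in comment 4 (interpreted, unquoted).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1715680784.545:265): avc:  denied  { write } for  pid=565 comm="systemd-nsresou" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=1
type=AVC msg=audit(1715680869.505:77): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1715680869.506:78): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=SYSCALL msg=audit(1715680869.828:102): arch=c000003e syscall=257 success=yes exit=6 comm="systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1715680869.828:102): avc:  denied  { open } for  pid=691 comm="systemd-logind" path="/usr/lib/systemd/logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1715680869.828:102): avc:  denied  { read } for  pid=691 comm="systemd-logind" name="logind.conf" dev="vda4" ino=150304 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/20/2024 03:34:52.933:307) : avc:  denied  { open } for  pid=1237 comm=systemd-nsresou scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=0
"""

# "avc:  denied  { perm perm } for  key=value ..." is the part we care about;
# everything before "avc:" (msg=audit(...) in either timestamp style) is skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Extract the SELinux type (third field) from user:role:type:range."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but still allowed
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "count": 0, "comms": set(), "blocked": False})
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comms"].add(rec["comm"])
        # permissive=0 means the kernel actually refused the access (enforcing mode)
        if not rec["permissive"]:
            g["blocked"] = True
    return groups


def allow_rules(groups):
    """audit2allow-style rule per group; 'self' when source and target types match."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(g['perms']))} }};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT.splitlines())
    for key, g in sorted(groups.items()):
        print(f"{key}: {g['count']} records, comm={sorted(g['comms'])}, "
              f"perms={sorted(g['perms'])}, blocked_in_enforcing={g['blocked']}")
    print("\n".join(allow_rules(groups)))
```

Run against a real system with `ausearch -m AVC -ts boot | python3 avc_triage.py` style piping after swapping SAMPLE_AUDIT for stdin; the grouping key deliberately ignores pid, inode and timestamp so that the many logind and hostnamed repeats collapse to one row each.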

Comment 4 Zdenek Pytela 2024-05-20 07:38:48 UTC
I can reproduce it in rawhide with systemd-256~rc2-1.fc41.x86_64. The nsresourced service did not fail.
 
----
type=PROCTITLE msg=audit(05/20/2024 03:34:52.933:307) : proctitle=/usr/lib/systemd/systemd-nsresourced 
type=SYSCALL msg=audit(05/20/2024 03:34:52.933:307) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x7ffc404c6670 a1=0xffffffff a2=0x0 a3=0xffffffff items=0 ppid=1 pid=1237 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-nsresou exe=/usr/lib/systemd/systemd-nsresourced subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/20/2024 03:34:52.933:307) : avc:  denied  { open } for  pid=1237 comm=systemd-nsresou scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event permissive=0 
----

systemd-nsresou    1237 [000]  2178.976986: avc:selinux_audited: requested=0x1 denied=0x1 audited=0x1 result=-13 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=perf_event
        ffffffff877678e6 avc_audit_post_callback+0x216 ([kernel.kallsyms])
        ffffffff877678e6 avc_audit_post_callback+0x216 ([kernel.kallsyms])
        ffffffff8779309b common_lsm_audit+0x2ab ([kernel.kallsyms])
        ffffffff87768db3 slow_avc_audit+0xb3 ([kernel.kallsyms])
        ffffffff8776966f avc_has_perm+0xbf ([kernel.kallsyms])
        ffffffff87766b53 security_perf_event_open+0x33 ([kernel.kallsyms])
        ffffffff873819d9 __do_sys_perf_event_open+0x99 ([kernel.kallsyms])
        ffffffff8816e4b2 do_syscall_64+0x82 ([kernel.kallsyms])
        ffffffff8820012f entry_SYSCALL_64_after_hwframe+0x76 ([kernel.kallsyms])
            7f06bbcfb21d syscall+0x1d (/usr/lib64/libc.so.6)
            7f06bb3ddd9d [unknown] (/usr/lib64/libbpf.so.1.4.1)
            7f06bb3eb997 bpf_program__attach_kprobe_opts+0x367 (/usr/lib64/libbpf.so.1.4.1)
            7f06bb3ebfc0 [unknown] (/usr/lib64/libbpf.so.1.4.1)
            7f06bb3ef9b1 bpf_program__attach+0x51 (/usr/lib64/libbpf.so.1.4.1)
            55eeace0c80b userns_restrict_install+0x18eb (inlined)
            55eeace0c80b manager_setup_bpf+0x18eb (inlined)
            55eeace0c80b manager_startup+0x18eb (inlined)
            55eeace0c80b run+0x18eb (inlined)
            55eeace0c80b main+0x18eb (/usr/lib/systemd/systemd-nsresourced)
            7f06bbc0f1c7 __libc_start_call_main+0x77 (/usr/lib64/libc.so.6)
            7f06bbc0f28a __libc_start_main@@GLIBC_2.34+0x8a (/usr/lib64/libc.so.6)
            55eeace0ce74 _start+0x24 (/usr/lib/systemd/systemd-nsresourced)

Comment 5 Bruno Goncalves 2024-05-20 07:41:48 UTC
As you reproduced it, I think you don't need any info from me anymore.

We run it as permissive and we also didn't notice any service failing.

Comment 6 Zdenek Pytela 2024-05-23 10:58:32 UTC
I've changed the summary as the other denials are already being worked on in different bz.

Comment 7 Zdenek Pytela 2024-06-03 15:40:07 UTC
*** Bug 2280521 has been marked as a duplicate of this bug. ***

