Bug 2415644 - access to /proc/sysinfo blocked for systemd-ssh-iss
Summary: access to /proc/sysinfo blocked for systemd-ssh-iss
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: s390x
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-11-18 15:54 UTC by Dan Horák
Modified: 2025-11-21 10:53 UTC
CC List: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-11-20 18:38:33 UTC
Type: ---
Embargoed:




Links
System: Github fedora-selinux selinux-policy pull 2949
Private: 0
Priority: None
Status: open
Summary: Allow systemd-ssh-issue read kernel sysctls
Last Updated: 2025-11-18 18:03:45 UTC

Description Dan Horák 2025-11-18 15:54:48 UTC
Looks like the policy is blocking access to the /proc/sysinfo file, which is specific to s390x, for the systemd-ssh-issue process.

Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { read } for  pid=815 comm="systemd-ssh-iss" name="sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { open } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { getattr } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1
Nov 18 10:06:59 s390x-kvm-123.lab.eng.rdu2.redhat.com audit[815]: AVC avc:  denied  { ioctl } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 ioctlcmd=0x542a scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1

At least F-43 and Rawhide are affected, haven't checked F<43 yet.

Likely related to 2399623 and 2391966.

Reproducible: Always

Comment 1 Dan Horák 2025-11-18 15:58:10 UTC
setting as "High" as it blocks Testing Farm from using s390x systems in beaker

Comment 2 Zdenek Pytela 2025-11-18 18:03:46 UTC
FYI the domain is permissive, which means no action is actually denied.

Comment 3 Dan Horák 2025-11-18 18:16:15 UTC
(In reply to Zdenek Pytela from comment #2)
> FYI the domain is permissive which means no action is actually denied

ah, right, so the 10_avc_check in beaker should be updated as well, so it won't fail on messages like this
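An added example, not from the bug report or the selinux-policy project: a small Python parser over the AVC records quoted in the description that separates permissive=1 records (logged but, as comment 2 notes, not actually denied) from enforced denials that an AVC check such as beaker's 10_avc_check would want to fail on, and aggregates the permissions per source type, target type and class in the style of audit2allow. The permissive=0 record is constructed for contrast; the four others are the ones from the report.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the bug report (all logged with permissive=1).
BUG_REPORT_LINES = [
    'audit[815]: AVC avc:  denied  { read } for  pid=815 comm="systemd-ssh-iss" name="sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
    'audit[815]: AVC avc:  denied  { open } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
    'audit[815]: AVC avc:  denied  { getattr } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
    'audit[815]: AVC avc:  denied  { ioctl } for  pid=815 comm="systemd-ssh-iss" path="/proc/sysinfo" dev="proc" ino=4026531943 ioctlcmd=0x542a scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=1',
]
# Constructed record (not from the report): the same access with permissive=0,
# i.e. what an enforcing domain logs when the action really is blocked.
CONSTRUCTED_ENFORCING_LINE = 'audit[815]: AVC avc:  denied  { read } for  pid=815 comm="systemd-ssh-iss" name="sysinfo" dev="proc" ino=4026531943 scontext=system_u:system_r:systemd_ssh_issue_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=0'

AVC_RE = re.compile(
    r'AVC avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])')

def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['perms'] = set(rec['perms'].split())
    rec['permissive'] = rec['permissive'] == '1'   # True: audited only, not blocked
    return rec

def type_of(context):
    """user:role:type:level -> type (index 2 also works for MLS ranges with ':' in them)."""
    return context.split(':')[2]

def enforced_denials(lines):
    """Only records from enforcing domains (permissive=0) actually denied the access."""
    return [rec for rec in map(parse_avc, lines) if rec and not rec['permissive']]

def summarize(lines):
    """Aggregate permissions per (source type, target type, class), audit2allow style,
    and remember whether any record for that triple was an enforced denial."""
    rules = defaultdict(lambda: {'perms': set(), 'enforced': False})
    for rec in filter(None, map(parse_avc, lines)):
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key]['perms'] |= rec['perms']
        rules[key]['enforced'] |= not rec['permissive']
    return dict(rules)

def format_rule(key, entry):
    """Render one aggregated triple as a policy allow rule."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(entry['perms']))} }};"

if __name__ == '__main__':
    for key, entry in summarize(BUG_REPORT_LINES + [CONSTRUCTED_ENFORCING_LINE]).items():
        print(('ENFORCED   ' if entry['enforced'] else 'permissive ') + format_rule(key, entry))
```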

Comment 4 Dan Horák 2025-11-21 10:53:05 UTC
Thanks, no more AVCs with selinux-policy-42.16-1.fc44.noarch

