Bug 1513399

Summary: avc: denied { map } for systemd on modules.dep.bin

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | Martin Pitt <mpitt> |
| Component | openvswitch | Assignee | Aaron Conole <aconole> |
| Status | CLOSED UPSTREAM | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 27 | CC | aconole, apevec, apo, brad.inch, chrisw, dwalsh, fleitner, jpazdziora, lvrabec, mgrepl, plautrba, pmoore, tgraf, tredaelli |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-06-29 14:46:59 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Martin Pitt, 2017-11-15 10:51:55 UTC)

Bug 1508336 was filed against openvswitch and is very similar, although there it's not systemd but modprobe which is being denied map access to modules.dep.bin.

selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Just encountered this problem after installing openvswitch-2.8.1-1 on Fedora 27 (4.13.13-300.fc27.x86_64 with selinux-policy-3.13.1-283.16). Resolved with the following policy update:

```
module openvswitch_1 1.0;

require {
        type openvswitch_t;
        type modules_object_t;
        class file map;
        class system module_load;
}

#============= openvswitch_t ==============
allow openvswitch_t modules_object_t:file map;
allow openvswitch_t self:system module_load;
```

I confirm that with selinux-policy-3.13.1-283.16.fc27.noarch I still see the AVC denial. Lukáš, what fix was supposed to go to that version? Do you want this bugzilla reopened, or a new one filed? Alternatively, bug 1508336 could be used for the final fix. Overall, is allowing module_load what should be done for openvswitch_t, or should that be isolated into some one-purpose helper?

*** Bug 1517239 has been marked as a duplicate of this bug. ***

Any chance of getting a proper fix to updates-testing?

I like the idea to create a new SELinux type for the openvswitch domain (e.g. openvswitch_load_module_t) and there will be a transition like:

```
type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t
```

And we'll label this one-purpose helper with openvswitch_load_module_exec_t. The main issue here is that if we allow module_load for openvswitch_t we basically make this domain unconfined. Is this possible from the openvswitch POV?

Thanks, Lukas.

I am about to propose a script upstream to do just that. Is it possible to get your assistance to review?

This was accepted. OvS 2.10 will have the appropriate tools for the selinux domain transitions to prevent these AVC denials.

Thank you for the information. What is the plan for bringing 2.10 (and thus the fix) to Fedora 27 / Fedora 28 / rawhide?
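The thread above shows two things a policy maintainer has to weigh: the audit2allow-style module that unblocks the daemon, and the objection that granting module_load to openvswitch_t effectively unconfines that domain. As an added example (not code from the bug report, from openvswitch, or from the Fedora selinux-policy package), the Python script below parses constructed AVC denial records modelled on the denials discussed, merges them into allow rules, renders them as a TE module in the same shape as the one posted, and then reviews the result for permissions that should go to a dedicated helper domain rather than to the daemon domain. The sample audit lines (pids, inode, timestamps, device), the module name and the HIGH_RISK review table are assumptions; the types openvswitch_t and modules_object_t and the permissions map and module_load come from the bug.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denials discussed in the bug;
# they are not real audit output from any host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1510742315.123:456): avc:  denied  { map } for  pid=1234 comm="modprobe" path="/lib/modules/4.13.13-300.fc27.x86_64/modules.dep.bin" dev="dm-0" ino=1234567 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510742315.130:457): avc:  denied  { module_load } for  pid=1234 comm="modprobe" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1510742315.130:457): arch=c000003e syscall=313 success=no exit=-13 comm="modprobe"
"""

# One AVC record: the permission set, then the two security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (class, permission) -> why it should not simply be granted to a long-running daemon domain.
# Assumed review table for this example, not part of the bug report or any policy package.
HIGH_RISK = {
    ("system", "module_load"): "loads kernel modules; a domain holding it is effectively unconfined",
    ("capability", "sys_module"): "CAP_SYS_MODULE; same effect as module_load",
}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial record; SYSCALL and other records are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        scon, tcon = m.group("scon"), m.group("tcon")
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(scon),
            # audit2allow writes 'self' when source and target contexts are identical
            "ttype": "self" if scon == tcon else context_type(tcon),
            "tclass": m.group("tclass"),
        })
    return denials


def build_allow_rules(denials):
    """Merge denials into (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def _perm_list(perms):
    """TE syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Render rules as a TE module in the shape audit2allow -M produces (require block, then allows)."""
    types = sorted({x for (s, t, _) in rules for x in (s, t) if x != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_list(classes[cls])};" for cls in sorted(classes)]
    lines += ["}", ""]
    for src in sorted({s for (s, _, _) in rules}):
        lines.append(f"#============= {src} ==============")
        for (s, t, cls) in sorted(rules):
            if s == src:
                lines.append(f"allow {s} {t}:{cls} {_perm_list(rules[(s, t, cls)])};")
    return "\n".join(lines) + "\n"


def risk_review(rules):
    """Return one finding per high-risk permission the generated module would grant."""
    findings = []
    for (s, t, cls), perms in sorted(rules.items()):
        for p in sorted(perms):
            reason = HIGH_RISK.get((cls, p))
            if reason:
                findings.append(
                    f"allow {s} {t}:{cls} {p}: {reason}; move it to a one-purpose helper "
                    f"domain reached by a type_transition from {s} instead of allowing it here"
                )
    return findings


if __name__ == "__main__":
    rules = build_allow_rules(parse_avc(SAMPLE_AUDIT))
    print(render_module("openvswitch_local", rules))
    for finding in risk_review(rules):
        print("RISK:", finding)
```

Run stand-alone, the script prints a module equivalent to the one posted in the thread and then one RISK line for the module_load rule, which is the same objection raised in the comments: the map permission on modules_object_t is a harmless read-only grant, while module_load belongs in a separately labelled helper domain that openvswitch_t transitions into.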