Bug 1853730
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Multiple `denied { getattr } for pid=856 comm="login" name="/" dev="proc"` AVCs with Fedora-Rawhide-20200703.n.0 | | |
| Product | Fedora | Reporter | Adam Williamson <awilliam> |
| Component | selinux-policy | Assignee | Patrik Koncity <pkoncity> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | low | | |
| Version | 33 | CC | cyberabattoir, dwalsh, fdvorak, grepl.miroslav, lvrabec, matthew.fagnani, mmalik, mmarusak, omejzlik, pkoncity, plautrba, vmojzis, zpytela |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | AcceptedFreezeException | | |
| Fixed In Version | selinux-policy-3.14.6-25.fc33 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-09-02 15:42:02 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1766776 | | |
Description
Adam Williamson
2020-07-03 17:27:45 UTC
*** Bug 1855413 has been marked as a duplicate of this bug. ***

*** Bug 1858738 has been marked as a duplicate of this bug. ***

*** Bug 1855731 has been marked as a duplicate of this bug. ***

```
# useradd tested-user
# passwd tested-user
Changing password for user tested-user.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
#
```

The above-mentioned scenario triggers the following SELinux denials:

```
----
type=PROCTITLE msg=audit(07/28/2020 08:40:12.410:360) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:40:12.410:360) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffec766d1e0 a2=0x8041 a3=0x2 items=0 ppid=1097 pid=1098 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:40:12.410:360) : avc: denied { getattr } for pid=1098 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(07/28/2020 08:40:12.526:361) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:40:12.526:361) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7ffec766d1e0 a2=0x8041 a3=0x8 items=0 ppid=1097 pid=1099 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:40:12.526:361) : avc: denied { getattr } for pid=1099 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(07/28/2020 08:40:21.096:362) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:40:21.096:362) : arch=x86_64 syscall=fstatfs success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffec766d1e0 a2=0x8041 a3=0x8 items=0 ppid=1097 pid=1100 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:40:21.096:362) : avc: denied { getattr } for pid=1100 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
----
```

The only SELinux denial that appears in permissive mode is:

```
----
type=PROCTITLE msg=audit(07/28/2020 08:47:16.767:380) : proctitle=passwd tested-user
type=SYSCALL msg=audit(07/28/2020 08:47:16.767:380) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x9 a1=0x7ffd2fd4c810 a2=0x8041 a3=0x2 items=0 ppid=1130 pid=1131 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/28/2020 08:47:16.767:380) : avc: denied { getattr } for pid=1131 comm=passwd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
```

Backtracing the syscall: passwd calls /usr/sbin/unix_chkpwd three times; each time there is this sequence caught by strace:

```
3089 openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 9</proc/3089/fd>
3089 fstat(9</proc/3089/fd>, {st_dev=makedev(0, 0x17), st_ino=32847, st_mode=S_IFDIR|0500, st_nlink=2, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=0, st_size=0, st_atime=1596052185 /* 2020-07-29T15:49:45.322404691-0400 */, st_atime_nsec=322404691, st_mtime=1596052185 /* 2020-07-29T15:49:45.322404691-0400 */, st_mtime_nsec=322404691, st_ctime=1596052185 /* 2020-07-29T15:49:45.322404691-0400 */, st_ctime_nsec=322404691}) = 0
3089 fstatfs(9</proc/3089/fd>, 0x7fff071f1550) = -1 EACCES (Permission denied)
3089 close(9</proc/3089/fd>) = 0
```

Seems to match this code: linux-pam/libpam/pam_modutil_sanitize.c

```c
/* Closes all descriptors after stderr. */
static void
close_fds(void)
...
    /* If /proc is mounted, we can optimize which fd can be closed. */
    if ((dir = opendir("/proc/self/fd")) != NULL) {
        if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) {
            while ((dent = readdir(dir)) != NULL) {
                fd = atoi(dent->d_name);
                if (fd > STDERR_FILENO && fd != dfd)
                    close(fd);
            }
        } else {
            dfd = -1;
        }
        closedir(dir);
    }

/* Check if path is in a procfs. */
static int
is_in_procfs(int fd)
{
#if defined HAVE_SYS_VFS_H && defined PROC_SUPER_MAGIC
    struct statfs stfs;

    if (fstatfs(fd, &stfs) == 0) {
        if (stfs.f_type == PROC_SUPER_MAGIC)
            return 1;
    } else {
        return 0;
    }
#endif /* HAVE_SYS_VFS_H && PROC_SUPER_MAGIC */
```

So I think it does no harm to ignore it (certainly apart from ~200000 close syscalls), but it is worth allowing in selinux-policy.

This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.

```
commit b6a11abf50ad2b7e08b36b26b0a44fad86eada72 (HEAD -> rawhide, origin/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Wed Aug 19 13:59:30 2020 +0200

    Allow login_pgm attribute to get attributes in proc_t

    Allow login_pgm attribute, which contain domain like local_login_t and
    cockpit_session_t, get attributes on filesystem /proc.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1853730
```

*** Bug 1871351 has been marked as a duplicate of this bug. ***

*** Bug 1871183 has been marked as a duplicate of this bug. ***

FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Proposing this as an FE for F33 Beta as it'd be nice to avoid these denials on live boots and in openQA tests. The fix definitely works, as we have way fewer softfails in Rawhide tests caused by these denials now; F33 still has a lot.

We have +3 FE in the ticket - https://pagure.io/fedora-qa/blocker-review/issue/55 - setting Accepted.

FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
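To make the strace backtrace in the thread concrete, here is an added example (my own code, not linux-pam's or the selinux-policy project's) that replicates the `close_fds()`/`is_in_procfs()` decision non-destructively: it counts the `close()` calls the procfs-optimized path would issue and the size of the `RLIMIT_NOFILE` sweep that a denied `fstatfs()` on `/proc/self/fd` falls back to. It assumes Linux with `/proc` mounted; the function names `count_closable_fds` and `fallback_sweep_size` are mine.

```c
/* Added example (not linux-pam's own code): non-destructive replica of the
 * close_fds()/is_in_procfs() sequence from the strace above, showing why a
 * denied fstatfs() on /proc/self/fd forces the slow fallback. Assumes Linux. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/vfs.h>
#include <linux/magic.h>
#include <unistd.h>

/* Same logic as upstream: 1 if fd is on procfs, 0 if it is not or if
 * fstatfs() fails (the EACCES path caused by the proc_t getattr denial). */
int is_in_procfs(int fd)
{
    struct statfs stfs;
    if (fstatfs(fd, &stfs) == 0)
        return stfs.f_type == PROC_SUPER_MAGIC;
    return 0;
}

/* close() calls the optimized path would issue (open fds above stderr listed
 * in /proc/self/fd), or -1 when the directory is unusable and the caller must
 * instead sweep every fd number up to RLIMIT_NOFILE. */
int count_closable_fds(void)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int dfd = dirfd(dir), n = -1;
    if (dfd >= 0 && is_in_procfs(dfd) > 0) {
        struct dirent *dent;
        n = 0;
        while ((dent = readdir(dir)) != NULL) {
            int fd = atoi(dent->d_name); /* "." and ".." parse as 0 */
            if (fd > STDERR_FILENO && fd != dfd)
                n++;
        }
    }
    closedir(dir);
    return n;
}

/* Size of the fallback sweep: one close() per fd number above stderr; with a
 * high RLIMIT_NOFILE this is the ~200000 syscalls mentioned in the thread. */
long fallback_sweep_size(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? (long)rl.rlim_cur - 3 : -1;
}
```

Under an enforcing policy without the `login_pgm`/`proc_t` allow rule, `count_closable_fds()` returns -1 in the confined domain while the AVC above is logged, and the caller pays `fallback_sweep_size()` `close()` calls instead.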