Bug 1931954
| Summary: | SELinux is preventing sssd from 'getattr' accesses on the filesystem /sys/fs/cgroup. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matthew.fagnani> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 34 | CC: | awilliam, dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:abc61acb035455d0a9a8f41d2e04260184078299c412e506ce82d12e0b6115f3;VARIANT_ID=kde; AcceptedFreezeException | | |
| Fixed In Version: | selinux-policy-3.14.7-25.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-16 00:28:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1829023 | | |

Description
Matt Fagnani
2021-02-23 16:17:46 UTC
Thank you for reporting the issue. I've submitted a Fedora PR to address it: https://github.com/fedora-selinux/selinux-policy/pull/610

FEDORA-2021-ccd3bb057b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b

FEDORA-2021-ccd3bb057b has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ccd3bb057b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Proposing this as a Beta FE as a kind of proxy for fixing several SELinux denials. Without this update, after a simple default install and boot test, we see all these denials on F34:

```
----
time->Thu Mar 11 16:01:24 2021
type=AVC msg=audit(1615496484.059:126): avc: denied { getattr } for pid=459 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
----
time->Thu Mar 11 16:01:24 2021
type=AVC msg=audit(1615496484.810:146): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
----
time->Thu Mar 11 16:01:24 2021
type=AVC msg=audit(1615496484.810:147): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
----
time->Thu Mar 11 16:01:24 2021
type=AVC msg=audit(1615496484.810:148): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
----
time->Thu Mar 11 16:01:24 2021
type=AVC msg=audit(1615496484.810:149): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
```

With this update, those are all resolved. I think it'd be a good idea to get that done for Beta.

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

+4 in https://pagure.io/fedora-qa/blocker-review/issue/304 , marking accepted.

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
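The AVC denials quoted in the Beta freeze-exception proposal above, reduced to the distinct (source type, target type, class, permissions) tuples a policy update has to cover. This is an added example, not part of the bug report or of selinux-policy; the function names are my own, and the `audit2allow`-style lines it builds are a triage summary, not the rules merged in the Fedora PR.

```python
import re
from collections import Counter

# Records copied from the denials quoted in this report ("----"/"time->" lines omitted).
SAMPLE = """\
type=AVC msg=audit(1615496484.059:126): avc: denied { getattr } for pid=459 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1615496484.810:146): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1615496484.810:147): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1615496484.810:148): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1615496484.810:149): avc: denied { read } for pid=526 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=866 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\):\s+avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type:level; only the type matters to TE rules.
        source = f["scontext"].split(":")[2]
        target = f["tcontext"].split(":")[2]
        tclass = f["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    perms = tuple(sorted(m.group("perms").split()))
    return {"comm": f.get("comm"), "key": (source, target, tclass, perms),
            "enforced": f.get("permissive") != "1"}

def summarize(text):
    """Count enforced denials per distinct (source, target, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            counts[rec["key"]] += 1
    return counts

def as_rules(counts):
    """Render each distinct denial as an audit2allow-style line, most frequent first."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};  # {n} denials"
            for (s, t, c, p), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The five records collapse to two distinct denials, which is the unit to compare against a policy update when verifying that it resolves them.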