Bug 1958210 - selinux-policy is blocking alsa-state.service from executing modprobe and from writing to sysfs

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | Hans de Goede <hdegoede> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | NEW | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | medium | CC | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pbrobinson, vmojzis, zpytela |
| Version | rawhide | Keywords | Triaged |
| Target Milestone | --- | Target Release | --- |
| Hardware | Unspecified | OS | Unspecified |
| Whiteboard | | Fixed In Version | |
| Doc Type | If docs needed, set a value | Doc Text | |
| Story Points | --- | Clone Of | |
| Environment | | Last Closed | |
| Type | Bug | Regression | --- |
| Mount Type | --- | Documentation | --- |
| CRM | | Verified Versions | |
| Category | --- | oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | | Cloudforms Team | --- |
| Target Upstream Version | | Embargoed | |
Description
Hans de Goede
2021-05-07 13:00:33 UTC
Comment 1
Zdenek Pytela

Hans,

Thank you for the detailed description. I think you are also correct with the solution.

```
# cat local_alsa_state.cil
(allow alsa_t kmod_exec_t (file (getattr open map read execute ioctl execute_no_trans)))
(allow alsa_t kmod_t (process (transition)))
(typetransition alsa_t kmod_exec_t process kmod_t)
(allow kmod_t alsa_t (fd (use)))
(allow kmod_t alsa_t (fifo_file (getattr read write append ioctl lock)))
(allow kmod_t alsa_t (process (sigchld)))
(allow alsa_t sysfs_t (file (getattr write)))
# semodule -i local_alsa_state.cil
```

Regarding sysfs: Is there only a need to write to existing files? The file descriptor is inherited so that just write permission is needed?

Once implemented, will there be a way to test the feature? Will this kernel also get to F34 later?

If there are further denials, it would be helpful to enable full auditing:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists: -a task,never
3) Add the following line to the end of the file: -w /etc/shadow -p w
4) Restart the audit daemon: # service auditd restart
5) Re-run the scenario.
6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 2

(In reply to Zdenek Pytela from comment #1)
> Regarding sysfs: Is there only a need to write to existing files?

Sysfs files are usually created by the kernel, so that wouldn't be surprising.

> The file descriptor is inherited so that just write permission is needed?

```
$ sesearch -s alsa_t -t sysfs_t -A
allow alsa_t sysfs_t:dir { ioctl lock read };
allow alsa_t sysfs_t:file { getattr ioctl lock open read };
allow alsa_t sysfs_t:lnk_file { getattr read };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain sysfs_t:dir { getattr open search };
allow domain sysfs_t:filesystem getattr;
```

So I think it also needs open/read/getattr, but these are already granted today.

> Will this kernel also get to F34 later?

I'd say it's very likely. F33 started with 5.8.x and now it's at 5.11.x. F34 is starting at 5.11.x, so it'll probably get up to 5.14 or 5.15 before going EOL.
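The workflow in comment #1 is: collect AVC denials with ausearch, then express the missing permissions as CIL allow rules keyed on source type, target type and object class, as the local_alsa_state.cil module does. The script below is an added example of that second step (it is not code from the bug report or from selinux-policy): it parses raw audit records, merges denials that share the same (source, target, class) triple, and renders them as CIL. The AVC lines it runs on are constructed sample input in the shape ausearch prints, not records from the reporter's machine; the type names (alsa_t, kmod_exec_t, sysfs_t) are the ones from the thread.

```python
"""Turn AVC denial records into SELinux CIL allow rules (audit2allow-style).

Added example for this bug thread, not code from the report or from
selinux-policy. Input records are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample records in the shape ausearch prints. The last record is
# a SYSCALL line, included to show that non-AVC records are skipped.
SAMPLE_AVC = """\
type=AVC msg=audit(1620392433.101:201): avc:  denied  { execute } for  pid=812 comm="alsactl" name="kmod" dev="dm-0" ino=4242 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620392433.101:202): avc:  denied  { read open } for  pid=812 comm="alsactl" path="/usr/bin/kmod" dev="dm-0" ino=4242 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620392433.250:203): avc:  denied  { write } for  pid=812 comm="alsactl" name="sample_attr" dev="sysfs" ino=9 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1620392433.250:203): arch=c000003e syscall=257 success=no exit=-13
"""

# Only the fields needed for an allow rule are captured; the rest of the record
# (pid, comm, path, ...) is ignored, so both raw and `ausearch -i` output work.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, [perms]) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and similar records carry no denial
        yield (
            context_type(m.group("scon")),
            context_type(m.group("tcon")),
            m.group("tclass"),
            m.group("perms").split(),
        )


def collect_rules(text):
    """Merge denials with the same (src, tgt, class) into one sorted perm list."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc(text):
        merged[(src, tgt, tclass)].update(perms)
    return {key: sorted(perms) for key, perms in merged.items()}


def to_cil(rules):
    """Render merged denials as CIL allow statements, one per line."""
    lines = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append(f"(allow {src} {tgt} ({tclass} ({' '.join(perms)})))")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cil(collect_rules(SAMPLE_AVC)))
```

Two things the generated output does not cover, which is why the module in comment #1 is longer than a plain denial dump: the `typetransition` statement that makes alsa_t actually enter kmod_t when it executes kmod_exec_t is a policy decision, not something a denial can tell you, and the reverse-direction rules (kmod_t using alsa_t's fd, fifo_file and sigchld) only show up once the transition is in place and the scenario is re-run, as steps 5 and 6 describe. Review each emitted rule against what the service genuinely needs before installing it with `semodule -i`; `(allow alsa_t sysfs_t (file (write)))` grants write on every sysfs_t-labelled file, not just the attribute that was denied.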