1449643 – Running groupadd produces AVC denials about net_admin and write to system_dbusd_var_run_t

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1449643 - Running groupadd produces AVC denials about net_admin and write to system_dbusd_var_run_t

Summary: Running groupadd produces AVC denials about net_admin and write to system_dbu...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedBlocker
Duplicates (2):	1416961 1416962 (view as bug list)
Depends On:
Blocks:	F26FinalBlocker F26FinalFreezeException
TreeView+	depends on / blocked

Reported:	2017-05-10 12:03 UTC by Jan Pazdziora
Modified:	2017-06-15 21:43 UTC (History)
CC List:	20 users (show)
Fixed In Version:	selinux-policy-3.13.1-257.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-06-12 13:05:31 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pazdziora 2017-05-10 12:03:29 UTC

Description of problem:

Installing libcgroup seems to run groupadd which in turn produces AVC denials.

Version-Release number of selected component (if applicable):

shadow-utils-4.3.1-3.fc26.x86_64
kernel-4.11.0-0.rc8.git0.1.fc26.x86_64
selinux-policy-3.13.1-249.fc26.noarch
libcgroup-0.41-11.fc26.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y libcgroup
2. Check audit.log.

Actual results:

type=AVC msg=audit(1494387026.407:124): avc:  denied  { net_admin } for  pid=1244 comm="groupadd" capability=12  scontext=system_u:unconfined_r:groupadd_t:s0 tcontext=system_u:unconfined_r:groupadd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1494387026.407:125): avc:  denied  { net_admin } for  pid=1244 comm="groupadd" capability=12  scontext=system_u:unconfined_r:groupadd_t:s0 tcontext=system_u:unconfined_r:groupadd_t:s0 tclass=capability permissive=0

type=AVC msg=audit(1494387026.407:126): avc:  denied  { write } for  pid=1244 comm="groupadd" name="system_bus_socket" dev="tmpfs" ino=14232 scontext=system_u:unconfined_r:groupadd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

Expected results:

No AVC denials.

Additional info:

Filing against shadow-utils in case this is something which needs to be addressed in groupadd, rather than in selinux-policy.

Comment 2 Tomas Mraz 2017-05-10 12:49:16 UTC

Lukáš, can you please look at it? I don't think this is something solvable by groupadd itself.

Comment 3 Tomas Mraz 2017-05-12 15:51:16 UTC

I see only the first AVC - net_admin denial when I try to reproduce. This is legitimate and caused by kernel.

I do not see the dbus related one.

What is in your /etc/nsswitch.conf.

Is this running in container or regular install?

Comment 4 Jan Pazdziora 2017-05-15 14:20:47 UTC

This is regular, on host install. The nsswitch.conf contains

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   nisplus sss

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

Comment 6 Jan Pazdziora 2017-05-15 14:21:47 UTC

Sorry for clearing the wrong needinfo.

Comment 7 Tomas Mraz 2017-05-15 14:27:54 UTC

I'd expect some dbus communication from the systemd module. So if it is now by default there (should it really really be there?) there could be some dbus accesses by all processes possible.

Comment 8 Lukas Vrabec 2017-05-17 10:31:47 UTC

I'm not able reproduce this bug and get SELinux denials from description. But if dbus communication is excepted I have no problem to allow it. 

Moving this issue to selinux-policy component.

Comment 9 Lukas Vrabec 2017-05-17 10:33:37 UTC

*** Bug 1416961 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2017-05-17 10:33:41 UTC

*** Bug 1416962 has been marked as a duplicate of this bug. ***

Comment 12 Kamil Páral 2017-05-31 11:15:23 UTC

Description of problem:
This happened during a default installation of F26 Beta 1.3 Workstation Live.

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-2.fc26.x86_64
type:           libreport

Comment 13 Kamil Páral 2017-05-31 11:17:04 UTC

Proposing as a F26 Final blocker:
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications

Comment 14 Kamil Páral 2017-06-05 10:29:13 UTC

Description of problem:
The same as in https://bugzilla.redhat.com/show_bug.cgi?id=1416964#c7 . I was installing bzflag from repos.

Version-Release number of selected component:
selinux-policy-3.13.1-254.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.3-300.fc26.x86_64
type:           libreport

Comment 15 Peter Hjalmarsson 2017-06-05 13:41:57 UTC

Description of problem:
Ran "dnf upgrade -y --refresh"

Version-Release number of selected component:
selinux-policy-3.13.1-254.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.3-300.fc26.x86_64
type:           libreport

Comment 16 Pavel Roskin 2017-06-05 16:06:31 UTC

Description of problem:
Running "sudo dnf -y upgrade --refresh"


Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.3-300.fc26.x86_64
type:           libreport

Comment 17 Adam Williamson 2017-06-05 18:58:30 UTC

Discussed at 2017-06-05 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-05/f26-blocker-review.2017-06-05-16.01.html . Accepted as a blocker per Kamil's claim that it happens during a default Workstation install, as a violation of criterion "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Comment 18 Fedora Update System 2017-06-08 11:09:43 UTC

selinux-policy-3.13.1-257.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229

Comment 19 Fedora Update System 2017-06-10 01:09:36 UTC

selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229

Comment 20 Fedora Update System 2017-06-12 13:05:31 UTC

selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Jesse 2017-06-14 02:30:25 UTC

Description of problem:
Not sure just found this bug, possible from a program script or code from Kodi program??

Version-Release number of selected component:
selinux-policy-3.13.1-249.fc26.noarch
selinux-policy-3.13.1-257.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.4-300.fc26.x86_64
type:           libreport

Note You need to log in before you can comment on or make changes to this bug.

arturpolak1
awilliam
bugzilla
dominick.grift
dwalsh
jfrieben
jpazdziora
kanelxake
kparal
lennart_reuther
lvrabec
mgrepl
plautrba
plroskin
pmoore
pvrabec
robatino
securedigitalco
ssekidde
tmraz