Bug 1513399 - avc: denied { map } for systemd on modules.dep.bin
Summary: avc: denied { map } for systemd on modules.dep.bin
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: openvswitch
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Aaron Conole
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1517239
Depends On:
Blocks:
Reported: 2017-11-15 10:51 UTC by Martin Pitt
Modified: 2019-04-29 09:18 UTC (History)
CC: 14 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-29 14:46:59 UTC
Type: Bug
Embargoed:



Description Martin Pitt 2017-11-15 10:51:55 UTC
Description of problem:

A recent update on Fedora 27 now causes the following SELinux denial, right after booting:

# journalctl -b |grep avc.*denied.*modules.dep
Nov 15 05:44:17 localhost.localdomain audit[1]: AVC avc:  denied  { map } for  pid=1 comm="systemd" path="/usr/lib/modules/4.13.11-300.fc27.x86_64/modules.dep.bin" dev="dm-0" ino=4291251 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file permissive=0

We noticed this when refreshing Cockpit's fedora-27 test VM (https://github.com/cockpit-project/cockpit/pull/8082). The previous refresh was just a few days ago, so this is a very recent regression.


Version-Release number of selected component (if applicable):


# rpm -qa | egrep 'selinux-policy|kernel-core|systemd-2'
selinux-policy-3.13.1-283.14.fc27.noarch
selinux-policy-targeted-3.13.1-283.14.fc27.noarch
kernel-core-4.13.11-300.fc27.x86_64
systemd-234-9.fc27.x86_64

The previous image (where this does not happen) has the same selinux, but an older kernel and systemd:

selinux-policy-3.13.1-283.14.fc27.noarch
selinux-policy-targeted-3.13.1-283.14.fc27.noarch
systemd-234-8.fc27.x86_64
kernel-core-4.13.9-300.fc27.x86_64

How reproducible: Always

Comment 1 Martin Pitt 2017-11-15 10:53:38 UTC
Bug 1508336 was filed against openvswitch and is very similar, although there it's not systemd but modprobe which is being denied map access to modules.dep.bin.

Comment 2 Fedora Update System 2017-11-16 15:12:48 UTC
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 3 Fedora Update System 2017-11-17 18:56:36 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 4 Fedora Update System 2017-11-20 16:56:56 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Bradi 2017-11-28 02:37:20 UTC
Just encountered this problem after installing openvswitch-2.8.1-1 on Fedora 27 (4.13.13-300.fc27.x86_64 with selinux-policy-3.13.1-283.16).

Resolved with the following policy update:

module openvswitch_1 1.0;

require {
	type openvswitch_t;
	type modules_object_t;
	class file map;
	class system module_load;
}

#============= openvswitch_t ==============
allow openvswitch_t modules_object_t:file map;
allow openvswitch_t self:system module_load;

Comment 6 Jan Pazdziora 2017-11-28 08:46:01 UTC
I confirm that with selinux-policy-3.13.1-283.16.fc27.noarch I still see the AVC denial. Lukáš, what fix was supposed to go to that version? Do you want this bugzilla reopened, or new filed? Alternatively, bug 1508336 could be used for the final fix.

Overall, is allowing module_load what should be done for openvswitch_t, or should that be isolated into some one-purpose helper?

Comment 8 Jan Pazdziora 2017-12-04 09:44:08 UTC
Reopening per comment 6.

Comment 10 Lukas Vrabec 2017-12-13 12:43:38 UTC
*** Bug 1517239 has been marked as a duplicate of this bug. ***

Comment 11 Jan Pazdziora 2017-12-18 09:32:50 UTC
Any chance of getting a proper fix to updates-testing?

Comment 13 Lukas Vrabec 2017-12-19 14:01:13 UTC
I like the idea to create a new SELinux type for the openvswitch domain (e.g. openvswitch_load_module_t) and there will be a transition like:

type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t

And we'll label this one-purpose helper with openvswitch_load_module_exec_t.

Main issue here is that if we allow module_load for openvswitch_t we basically make this domain unconfined.

Is this possible from openvswitch POV?

Thanks,
Lukas.

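Added illustration, not code from this bug report or from the openvswitch or selinux-policy projects: a small Python reviewer that parses the AVC record quoted in the description, prints the audit2allow-style rule that would silence it (the shape of the local module in comment 5), and then flags the permissions in such a module that make a daemon domain effectively unconfined, which is the concern comment 13 raises. The sample AVC line and the two allow rules are copied from the bug as inline test input; the ESCALATING table and all function names are this example's own construction.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC record from the bug description, embedded verbatim.
SAMPLE_AVC = (
    'Nov 15 05:44:17 localhost.localdomain audit[1]: AVC avc:  denied  { map } for  pid=1 '
    'comm="systemd" path="/usr/lib/modules/4.13.11-300.fc27.x86_64/modules.dep.bin" '
    'dev="dm-0" ino=4291251 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file permissive=0'
)

# Constructed sample input: the allow rules of the local module posted in comment 5.
SAMPLE_MODULE = """
module openvswitch_1 1.0;
require {
    type openvswitch_t;
    type modules_object_t;
    class file map;
    class system module_load;
}
allow openvswitch_t modules_object_t:file map;
allow openvswitch_t self:system module_load;
"""

# Audit record layout: avc: denied { perms } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Kernel policy language: allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;', re.M)

# Permissions that let a domain alter the running kernel. Granting them to a long-lived
# daemon domain defeats its confinement. Constructed table for this example; extend it
# to whatever your own policy review treats as domain-escaping.
ESCALATING = {
    ('system', 'module_load'): 'can load arbitrary kernel modules, so the domain is effectively unconfined',
    ('capability', 'sys_module'): 'CAP_SYS_MODULE, i.e. kernel module loading',
}


@dataclass
class Avc:
    result: str   # "denied" or "granted"
    perms: tuple  # permissions inside the braces, e.g. ("map",)
    fields: dict  # key=value pairs: pid, comm, path, scontext, tcontext, tclass, ...

    @property
    def source_type(self):
        # A context is user:role:type:level; the type is the third field.
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):
        return self.fields['tcontext'].split(':')[2]


def parse_avc(line):
    """Parse one AVC audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(m.group('result'), perms, fields)


def audit2allow_rule(avc):
    """The one-line allow rule audit2allow would emit for this denial (it silences it, nothing more)."""
    perms = avc.perms[0] if len(avc.perms) == 1 else '{ ' + ' '.join(avc.perms) + ' }'
    return f"allow {avc.source_type} {avc.target_type}:{avc.fields['tclass']} {perms};"


def parse_allow_rules(module_text):
    """Extract (source, target, class, perms) tuples from the allow statements of a .te module."""
    return [(src, tgt, cls, tuple(perms.strip('{}').split()))
            for src, tgt, cls, perms in ALLOW_RE.findall(module_text)]


def review_rules(rules):
    """Flag allow rules granting a domain-escaping permission and say where it belongs instead."""
    findings = []
    for src, tgt, cls, perms in rules:
        for perm in perms:
            reason = ESCALATING.get((cls, perm))
            if reason:
                findings.append({
                    'rule': f'allow {src} {tgt}:{cls} {perm};',
                    'reason': reason,
                    'advice': (f'keep {cls}:{perm} out of {src}; grant it to a one-purpose helper domain '
                               f'entered from {src} through a type_transition on the helper executable'),
                })
    return findings


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print('denied:', avc.source_type, '->', avc.target_type, avc.fields['tclass'], avc.perms)
    print('audit2allow would emit:', audit2allow_rule(avc))
    for f in review_rules(parse_allow_rules(SAMPLE_MODULE)):
        print('FLAG', f['rule'], '-', f['reason'])
        print('     ', f['advice'])
```

Run as a script it reports the map denial for init_t on modules_object_t and flags only the second rule of the comment 5 module (module_load); the file map rule itself is harmless and is what the selinux-policy update addressed. The same review can be pointed at `audit2allow` output before it is loaded with `semodule -i`.
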
Comment 14 Aaron Conole 2018-02-05 19:59:38 UTC
I am about to propose a script upstream to do just that.  Is it possible to get your assistance to review?

Comment 17 Aaron Conole 2018-06-29 14:46:59 UTC
This was accepted.  OvS 2.10 will have the appropriate tools for the selinux domain transitions to prevent these AVC denials.

Comment 18 Jan Pazdziora 2018-06-29 15:36:30 UTC
Thank you for the information. What is the plan for bringing 2.10 (and thus the fix) to Fedora 27 / Fedora 28 / rawhide?

