Bug 1927599 - avahi-daemon watch denials on /etc/avahi with selinux-policy-3.14.7-18.fc34
Summary: avahi-daemon watch denials on /etc/avahi with selinux-policy-3.14.7-18.fc34
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1927901
Depends On:
Blocks:
Reported: 2021-02-11 05:51 UTC by Matt Fagnani
Modified: 2021-03-16 00:28 UTC (History)

Fixed In Version: selinux-policy-3.14.7-25.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-16 00:28:47 UTC
Type: Bug
Embargoed:



Description Matt Fagnani 2021-02-11 05:51:12 UTC
Description of problem:

I updated a Fedora 34 KDE Plasma installation with sudo dnf upgrade. The update included selinux-policy-3.14.7-18.fc34. I rebooted. avahi-daemon was denied watch accesses on directories listed as /services and / which I think were /etc/avahi/services and /etc/avahi because avahi-daemon called chroot() and the directories were labelled etc_t as /etc/avahi is.

journalctl -b --no-hostname | grep avahi
Feb 11 00:19:07 avahi-daemon[782]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Feb 11 00:19:07 avahi-daemon[782]: Successfully dropped root privileges.
Feb 11 00:19:07 avahi-daemon[782]: avahi-daemon 0.8 starting up.
Feb 11 00:19:07 audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/services" dev="dm-0" ino=3408127 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 11 00:19:07 audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/" dev="dm-0" ino=3407906 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 11 00:19:07 avahi-daemon[782]: Successfully called chroot().
Feb 11 00:19:07 avahi-daemon[782]: Successfully dropped remaining capabilities.
Feb 11 00:19:07 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=avahi-daemon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 11 00:19:07 avahi-daemon[782]: No service file found in /etc/avahi/services.
Feb 11 00:19:07 avahi-daemon[782]: System host name is set to 'localhost'. This is not a suitable mDNS host name, looking for alternatives.
Feb 11 00:19:07 avahi-daemon[782]: Joining mDNS multicast group on interface lo.IPv6 with address ::1.
Feb 11 00:19:07 avahi-daemon[782]: New relevant interface lo.IPv6 for mDNS.
Feb 11 00:19:07 avahi-daemon[782]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
Feb 11 00:19:07 avahi-daemon[782]: New relevant interface lo.IPv4 for mDNS.
Feb 11 00:19:07 avahi-daemon[782]: Network interface enumeration completed.
Feb 11 00:19:07 avahi-daemon[782]: Registering new address record for ::1 on lo.*.
Feb 11 00:19:07 avahi-daemon[782]: Registering new address record for 127.0.0.1 on lo.IPv4.
Feb 11 00:19:08 avahi-daemon[782]: Server startup complete. Host name is linux.local. Local service cookie is 2565993485.
Feb 11 00:19:15 avahi-daemon[782]: Joining mDNS multicast group on interface enp1s0.IPv6 with address fe80::265c:5b24:c7aa:102b.
Feb 11 00:19:15 avahi-daemon[782]: New relevant interface enp1s0.IPv6 for mDNS.
Feb 11 00:19:15 avahi-daemon[782]: Registering new address record for fe80::265c:5b24:c7aa:102b on enp1s0.*.
Feb 11 00:20:00 avahi-daemon[782]: Withdrawing address record for fe80::265c:5b24:c7aa:102b on enp1s0.
Feb 11 00:20:00 avahi-daemon[782]: Leaving mDNS multicast group on interface enp1s0.IPv6 with address fe80::265c:5b24:c7aa:102b.
Feb 11 00:20:00 avahi-daemon[782]: Interface enp1s0.IPv6 no longer relevant for mDNS.
Feb 11 00:20:00 avahi-daemon[782]: Joining mDNS multicast group on interface enp1s0.IPv6 with address fe80::265c:5b24:c7aa:102b.
Feb 11 00:20:00 avahi-daemon[782]: New relevant interface enp1s0.IPv6 for mDNS.
Feb 11 00:20:00 avahi-daemon[782]: Registering new address record for fe80::265c:5b24:c7aa:102b on enp1s0.*.
Feb 11 00:20:00 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /services. For complete SELinux messages run: sealert -l 9104c4df-e283-4ec4-bcbf-5cf82c530cab
Feb 11 00:20:00 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /services.
                                     If you believe that avahi-daemon should be allowed watch access on the services directory by default.
                                     # ausearch -c 'avahi-daemon' --raw | audit2allow -M my-avahidaemon
                                     # semodule -X 300 -i my-avahidaemon.pp
Feb 11 00:20:05 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /. For complete SELinux messages run: sealert -l 9104c4df-e283-4ec4-bcbf-5cf82c530cab
Feb 11 00:20:05 setroubleshoot[841]: SELinux is preventing avahi-daemon from watch access on the directory /.
                                     If you believe that avahi-daemon should be allowed watch access on the  directory by default.
                                     # ausearch -c 'avahi-daemon' --raw | audit2allow -M my-avahidaemon
                                     # semodule -X 300 -i my-avahidaemon.pp
Feb 11 00:20:34 avahi-daemon[782]: Joining mDNS multicast group on interface enp1s0.IPv4 with address 192.168.2.10.
Feb 11 00:20:34 avahi-daemon[782]: New relevant interface enp1s0.IPv4 for mDNS.
Feb 11 00:20:34 avahi-daemon[782]: Registering new address record for 192.168.2.10 on enp1s0.IPv4.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-18.fc34
avahi-0.8-6.fc34

How reproducible:
These denials have happened on each of a few boots.

Steps to Reproduce:
1. Boot a Fedora 34 KDE Plasma installation updated to 2021-2-11
2. Log in to Plasma
3. sudo dnf upgrade --refresh
4. Reboot

Actual results:
avahi-daemon watch denials on /etc/avahi with selinux-policy-3.14.7-18.fc34

Expected results:
No denials would happen.

Additional info:
I'm using the targeted policy in enforcing mode. The denials didn't happen with selinux-policy-3.14.7-17.fc34 or earlier.
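As an added example (not part of this report or of selinux-policy), a small Python parser that turns AVC records like the two quoted above into the type-enforcement rule they imply, the same grouping audit2allow performs, and prefixes chroot-relative paths with the process root the reporter infers. The /etc/avahi root is an assumption taken from the description, not a field in the audit record, and the sample log lines are constructed from the report.

```python
import re
from collections import defaultdict

# An AVC record carries the denied permission set in braces, then key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the two denials from the report plus the chroot() line
# that explains why path= shows "/services" and "/" rather than /etc/avahi/...
SAMPLE_LOG = """\
Feb 11 00:19:07 audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/services" dev="dm-0" ino=3408127 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 11 00:19:07 audit[782]: AVC avc:  denied  { watch } for  pid=782 comm="avahi-daemon" path="/" dev="dm-0" ino=3407906 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 11 00:19:07 avahi-daemon[782]: Successfully called chroot().
"""

def parse_avc(line):
    """Return {'perms': set, <field>: value, ...} for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    return rec

def type_of(context):
    """Extract the type from a context: system_u:system_r:avahi_t:s0 -> avahi_t."""
    return context.split(':')[2]

def allow_rules(lines):
    """Collapse denials by (source type, target type, class) into allow rules,
    e.g. 'allow avahi_t etc_t:dir watch;'."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        perms[key] |= rec['perms']
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        ps = next(iter(p)) if len(p) == 1 else '{ ' + ' '.join(sorted(p)) + ' }'
        rules.append(f'allow {s} {t}:{c} {ps};')
    return rules

def resolve_chroot_path(rec, chroot_root):
    """path= is relative to the process root after chroot(); prefix it so that
    '/services' reads as '/etc/avahi/services' and '/' as '/etc/avahi'.
    chroot_root is supplied by the analyst (assumption: /etc/avahi for avahi-daemon)."""
    path = rec.get('path', '')
    return chroot_root.rstrip('/') + ('' if path == '/' else path)
```

Running allow_rules over a journal extract shows what a local audit2allow module would grant; the report's resolution was instead a fix in the distribution policy, so the rule is for understanding the denial, not for installing.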

Comment 1 Zdenek Pytela 2021-02-11 08:01:22 UTC
Thank you for reporting, I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/572

Comment 2 Zdenek Pytela 2021-02-11 20:02:07 UTC
*** Bug 1927901 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2021-02-24 10:09:15 UTC
FEDORA-2021-ccd3bb057b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b

Comment 4 Fedora Update System 2021-02-24 19:18:14 UTC
FEDORA-2021-ccd3bb057b has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ccd3bb057b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-03-03 15:47:31 UTC
FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-03-12 18:56:53 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-03-16 00:28:47 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

