Bug 1932436 - avc denied related to sssd and systemd-hostnam
Summary: avc denied related to sssd and systemd-hostnam
Keywords:
Status: CLOSED DUPLICATE of bug 1931959
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-24 15:32 UTC by Bruno Goncalves
Modified: 2021-02-24 20:31 UTC (History)

Fixed In Version: selinux-policy-3.14.7-17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 20:31:49 UTC
Type: Bug
Embargoed:



Description Bruno Goncalves 2021-02-24 15:32:32 UTC
Description of problem:
During a CKI test on the upstream kernel (kernel 5.11.0) we hit some AVC denials:


----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc:  denied  { read } for  pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc:  denied  { open } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc:  denied  { getattr } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc:  denied  { getattr } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc:  denied  { search } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:174): avc:  denied  { read } for  pid=10407 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:175): avc:  denied  { open } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:176): avc:  denied  { getattr } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.8-3.fc35.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Fedora Rawhide on a beaker server, update the kernel to kernel 5.11.0

kernel can be found at https://xci32.lab.eng.rdu2.redhat.com/cki-project/cki-pipeline/-/jobs/1110936/artifacts/raw/artifacts/kernel-mainline.kernel.org-clang-x86_64-f6e1e1d1e149802ed4062fa514c2d184d30aacdf.tar.gz

2. After the kernel is installed and the server boots on the new kernel, the AVC denials are found
3.

Actual results:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.8-3.fc35.noarch
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc:  denied  { read } for  pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:129): avc:  denied  { open } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:130): avc:  denied  { getattr } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:133): avc:  denied  { getattr } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
time->Wed Feb 24 10:19:50 2021
type=AVC msg=audit(1614179990.212:134): avc:  denied  { search } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:174): avc:  denied  { read } for  pid=10407 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:175): avc:  denied  { open } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Wed Feb 24 10:22:12 2021
type=AVC msg=audit(1614180132.404:176): avc:  denied  { getattr } for  pid=10407 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
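
As an added example (not code from the bug report or from the selinux-policy project), the following Python script parses AVC lines in exactly the pasted format above (the `----` and `time->` separators included), merges the denied permissions per (source type, target type, object class) and renders the allow rules a policy fix would need; the sample lines are copied from this report, and `permissive=1` is surfaced because it means the access was only logged, not blocked.

```python
import re
from collections import defaultdict

# Constructed sample: the distinct AVC lines quoted in the bug report, in the
# raw ausearch-style layout (separator and time lines are skipped by the parser).
SAMPLE_AVCS = """\
----
time->Wed Feb 24 10:19:47 2021
type=AVC msg=audit(1614179987.728:128): avc:  denied  { read } for  pid=723 comm="systemd-hostnam" name="+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614179987.728:129): avc:  denied  { open } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614179987.728:130): avc:  denied  { getattr } for  pid=723 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=870 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614179990.212:133): avc:  denied  { getattr } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1614179990.212:134): avc:  denied  { search } for  pid=708 comm="sssd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(ctx):
    """Return the type field (third colon-separated component) of a SELinux context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one 'avc: denied' audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "source": context_type(m["scon"]),
        "target": context_type(m["tcon"]),
        "tclass": m["tclass"],
        # permissive=1: the denial was logged but the access went ahead.
        "permissive": m["permissive"] == "1",
    }

def summarize(text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(merged)

def allow_rules(summary):
    """Render merged denials as the allow rules a policy fix would need, sorted for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} {{ {p} }};" if len(perms) > 1
                     else f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

The three rendered rules correspond to what the two commits cited in Comment 2 add; compare them against `audit2allow` output before proposing any policy change, since a rule derived from a denial is only as safe as the access it grants.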

Comment 2 Zdenek Pytela 2021-02-24 20:31:49 UTC
Already resolved:
commit 78ee0168301f21272a4ddc6f30d2a44f7a0c47fd
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 23 17:40:01 2021 +0100

    Allow sssd get cgroup filesystems attributes and search cgroup dirs

    Resolves: rhbz#1931954

commit b65f4fd6426b7abb3fa9d73a1e7b8c12092696c6
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 23 17:51:37 2021 +0100

    Allow systemd-hostnamed read udev runtime data

    Required since systemd-248-rc1:
    systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel"
    D-Bus properties, which are supposed to contain a pair of cleaned up,
    human readable strings describing the system's vendor and model. It's
    typically sourced from the firmware's DMI tables, but may be augmented
    from a new hwdb database. hostnamectl shows this in the status output.

    https://github.com/systemd/systemd/blob/v248-rc1/NEWS

    Resolves: rhbz#1931959

*** This bug has been marked as a duplicate of bug 1931959 ***

