Bug 1944597 - AVC message: avc: denied { search } comm="radiusd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1935763
Depends On:
Blocks:
 
Reported: 2021-03-30 10:21 UTC by Filip Dvorak
Modified: 2021-04-05 00:17 UTC (History)
CC List: 10 users

Fixed In Version: selinux-policy-34-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-05 00:17:50 UTC
Type: Bug
Embargoed:



Description Filip Dvorak 2021-03-30 10:21:56 UTC
Description of problem:
There is an AVC message during "systemctl start radiusd".

Version-Release number of selected component (if applicable):
Fedora 34
selinux-policy-3.14.7-24.fc34.noarch
freeradius-3.0.21-11.fc34.x86_64

How reproducible:


Steps to Reproduce:
1. dnf install freeradius -y
2. systemctl start radiusd

Actual results:

type=AVC msg=audit(1617097648.526:2779): avc:  denied  { search } for  pid=109628 comm="radiusd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0

Expected results:
--- NO AVC message ---

Additional info:

Comment 1 Filip Dvorak 2021-03-30 11:52:37 UTC
The same issue is with slapd.

type=AVC msg=audit(1617043025.118:6661): avc:  denied  { search } for  pid=254784 comm="slapd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0

Comment 2 Zdenek Pytela 2021-03-30 12:53:37 UTC
Filip,

Do you happen to know why the daemons want to get through /sys/fs/cgroup and read /proc/1/environ?

----
type=PROCTITLE msg=audit(30.3.2021 08:43:21.626:675) : proctitle=/usr/sbin/slapd -u ldap -h ldap:/// ldaps:/// ldapi:///
type=PATH msg=audit(30.3.2021 08:43:21.626:675) : item=0 name=/proc/1/environ inode=13493 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(30.3.2021 08:43:21.626:675) : cwd=/
type=SYSCALL msg=audit(30.3.2021 08:43:21.626:675) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7fff620755c0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=3871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(30.3.2021 08:43:21.626:675) : avc:  denied  { open } for  pid=3871 comm=slapd path=/proc/1/environ dev="proc" ino=13493 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(30.3.2021 08:43:21.626:675) : avc:  denied  { read } for  pid=3871 comm=slapd name=environ dev="proc" ino=13493 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1

----
type=PROCTITLE msg=audit(03/30/21 08:43:21.628:678) : proctitle=/usr/sbin/slapd -u ldap -h ldap:/// ldaps:/// ldapi:///
type=PATH msg=audit(03/30/21 08:43:21.628:678) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/21 08:43:21.628:678) : cwd=/
type=SYSCALL msg=audit(03/30/21 08:43:21.628:678) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x7f43355bf3d6 a1=F_OK a2=0x7f43355df260 a3=0xffffffff items=1 ppid=1 pid=3871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(03/30/21 08:43:21.628:678) : avc:  denied  { search } for  pid=3871 comm=slapd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

Comment 3 Milos Malik 2021-03-30 13:14:14 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/30/2021 09:09:43.005:726) : proctitle=/usr/sbin/radiusd -C 
type=PATH msg=audit(03/30/2021 09:09:43.005:726) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/30/2021 09:09:43.005:726) : cwd=/ 
type=SYSCALL msg=audit(03/30/2021 09:09:43.005:726) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f615a9b7555 a1=F_OK a2=0x7f615c46b160 a3=0xffffffff items=1 ppid=1 pid=18142 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(03/30/2021 09:09:43.005:726) : avc:  denied  { search } for  pid=18142 comm=radiusd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.858:729) : proctitle=/usr/sbin/radiusd -C 
type=PATH msg=audit(03/30/2021 09:10:41.858:729) : item=0 name=/proc/1/environ inode=13371 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/30/2021 09:10:41.858:729) : cwd=/ 
type=SYSCALL msg=audit(03/30/2021 09:10:41.858:729) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7ffd53209e10 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(03/30/2021 09:10:41.858:729) : avc:  denied  { open } for  pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/30/2021 09:10:41.858:729) : avc:  denied  { read } for  pid=18167 comm=radiusd name=environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.861:730) : proctitle=/usr/sbin/radiusd -C 
type=PATH msg=audit(03/30/2021 09:10:41.861:730) : item=0 name= inode=13371 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/30/2021 09:10:41.861:730) : cwd=/ 
type=SYSCALL msg=audit(03/30/2021 09:10:41.861:730) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x6 a1=0x7ff20831b95a a2=0x7ffd53209c10 a3=0x1000 items=1 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(03/30/2021 09:10:41.861:730) : avc:  denied  { getattr } for  pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.864:731) : proctitle=/usr/sbin/radiusd -C 
type=SYSCALL msg=audit(03/30/2021 09:10:41.864:731) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x6 a1=TCGETS a2=0x7ffd53209ce0 a3=0x1000 items=0 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(03/30/2021 09:10:41.864:731) : avc:  denied  { ioctl } for  pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 ioctlcmd=TCGETS scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(03/30/2021 09:10:41.865:732) : proctitle=/usr/sbin/radiusd -C 
type=PATH msg=audit(03/30/2021 09:10:41.865:732) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/30/2021 09:10:41.865:732) : cwd=/ 
type=SYSCALL msg=audit(03/30/2021 09:10:41.865:732) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x7ff206529555 a1=F_OK a2=0x7ff207fdd160 a3=0xffffffff items=1 ppid=1 pid=18167 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(03/30/2021 09:10:41.865:732) : avc:  denied  { search } for  pid=18167 comm=radiusd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 
----

I wonder why there is the ioctl call.

Comment 4 Milos Malik 2021-03-30 13:35:05 UTC
The important thing is that the radiusd service does not start in enforcing or permissive mode:

# journalctl -l -u radiusd
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Trying to enqueue job radiusd.service/start/replace
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Installed new job radiusd.service/start as 2738
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Enqueued job radiusd.service/start as 2738
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: About to execute /bin/chown -R radiusd.radiusd /var/run/radiusd
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Forked /bin/chown as 19064
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Changed failed -> start-pre
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Child 19064 belongs to radiusd.service.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control process exited, code=exited, status=0/SUCCESS
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Running next control command for state start-pre.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: About to execute /usr/sbin/radiusd -C
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Forked /usr/sbin/radiusd as 19065
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control group is empty.
Mar 30 09:33:12 host-10-0-138-114 systemd[19065]: radiusd.service: Executing: /usr/sbin/radiusd -C
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Child 19065 belongs to radiusd.service.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control process exited, code=exited, status=1/FAILURE
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Got final SIGCHLD for state start-pre.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Failed with result 'exit-code'.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Service will not restart (restart setting)
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Changed start-pre -> failed
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Job 2738 radiusd.service/start finished, result=failed
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Unit entered failed state.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Consumed 95ms CPU time.
Mar 30 09:33:12 host-10-0-138-114 systemd[1]: radiusd.service: Control group is empty.
#

I guess that some systemd magic is in play.

Comment 5 Milos Malik 2021-03-30 13:42:50 UTC
Sorry, my test results come from Fedora rawhide.

# rpm -qa freeradius\* selinux-policy\* | sort
freeradius-3.0.21-11.fc35.x86_64
selinux-policy-3.14.8-7.fc35.noarch
selinux-policy-devel-3.14.8-7.fc35.noarch
selinux-policy-targeted-3.14.8-7.fc35.noarch
#

Comment 6 Filip Dvorak 2021-03-30 14:30:00 UTC
Hello Zdenek,
Sorry, but I do not know. I have asked Robbie (FreeRADIUS devel) about it and he does not know either.

Comment 7 Ondrej Mosnacek 2021-03-30 14:45:07 UTC
According to the backtrace obtained via `perf record -e avc:selinux_audited -a -g --call-graph dwarf`, the cgroupfs access happens via initgroups(3) (libc) -> ... -> detect_container() (libnss_systemd):

radiusd  8678 [004]   270.141023: avc:selinux_audited: requested=0x10000000 denied=0x10000000 audited=0x10000000 result=-13 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=>
        ffffffffa0551293 avc_audit_post_callback+0x1d3 ([kernel.kallsyms])
        ffffffffa0551293 avc_audit_post_callback+0x1d3 ([kernel.kallsyms])
        ffffffffa05728b1 common_lsm_audit+0x111 ([kernel.kallsyms])
        ffffffffa0551d39 slow_avc_audit+0x69 ([kernel.kallsyms])
        ffffffffa05544cb audit_inode_permission+0x6b ([kernel.kallsyms])
        ffffffffa0559c2a selinux_inode_permission+0x19a ([kernel.kallsyms])
        ffffffffa054dc80 security_inode_permission+0x30 ([kernel.kallsyms])
        ffffffffa033cf57 link_path_walk.part.0.constprop.0+0x257 ([kernel.kallsyms])
        ffffffffa033d11a path_lookupat+0x3a ([kernel.kallsyms])
        ffffffffa033f17b filename_lookup+0x9b ([kernel.kallsyms])
        ffffffffa0327eae do_faccessat+0x6e ([kernel.kallsyms])
        ffffffffa0bc58a3 do_syscall_64+0x33 ([kernel.kallsyms])
        ffffffffa0c0008c entry_SYSCALL_64_after_hwframe+0x44 ([kernel.kallsyms])
            7f4d3b22586b __GI___access+0xb (/usr/lib64/libc-2.33.so)
            7f4d394a5680 detect_container+0xa60 (/usr/lib64/libnss_systemd.so.2)
            7f4d394a5f24 setup_logging+0x414 (/usr/lib64/libnss_systemd.so.2)
            7f4d3b34dc97 __pthread_once_slow+0xe7 (/usr/lib64/libpthread-2.33.so)
            7f4d394aab31 _nss_systemd_initgroups_dyn+0xd1 (/usr/lib64/libnss_systemd.so.2)
            7f4d3b1fd980 internal_getgrouplist+0x100 (/usr/lib64/libc-2.33.so)
            7f4d3b1fdcad initgroups+0x7d (/usr/lib64/libc-2.33.so)
            55ba2271d81a main_config_init+0x30a (/usr/sbin/radiusd)
            55ba2270dcb4 main+0x434 (/usr/sbin/radiusd)
            7f4d3b15bb74 __libc_start_main+0xd4 (/usr/lib64/libc-2.33.so)
            55ba2270e3dd _start+0x2d (/usr/sbin/radiusd)

Comment 8 Zdenek Pytela 2021-03-30 19:25:03 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/669

It pops up when the systemd nss module is used.

Not touching the /proc/1/environ access (which appears in permissive mode only because the access to the parent directory is dontaudited) unless it is confirmed to be required.
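As an added triage example (not code from the bug report, FreeRADIUS or the selinux-policy project): the AVC records quoted in this report are parsed into audit2allow-style rules, and the denials that were logged only with permissive=1 (the /proc/1/environ ones comment 8 declines to allow) are separated from those that actually blocked the daemons in enforcing mode. It assumes nothing beyond the two audit record formats that appear above.

```python
import re
from collections import defaultdict

# AVC records quoted from this bug report, in both the raw audit.log and the
# ausearch -i formats that appear in the comments above.
AVC_LINES = """\
type=AVC msg=audit(1617097648.526:2779): avc:  denied  { search } for  pid=109628 comm="radiusd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1617043025.118:6661): avc:  denied  { search } for  pid=254784 comm="slapd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(03/30/2021 09:10:41.858:729) : avc:  denied  { open } for  pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2021 09:10:41.858:729) : avc:  denied  { read } for  pid=18167 comm=radiusd name=environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2021 09:10:41.861:730) : avc:  denied  { getattr } for  pid=18167 comm=radiusd path=/proc/1/environ dev="proc" ino=13371 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
"""

# comm= is quoted in raw audit.log output and unquoted in ausearch -i output.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?comm="?(?P<comm>[^"\s]+)"?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def parse_avc(text):
    """One dict per denial; the SELinux type is field 3 of user:role:type:level."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "stype": m["scontext"].split(":")[2],
                "ttype": m["tcontext"].split(":")[2],
                "tclass": m["tclass"],
                "perms": set(m["perms"].split()),
                "enforcing": m["permissive"] == "0",
            })
    return denials

def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def permissive_only(denials):
    """(source, target, class) triples seen only with permissive=1. In enforcing
    mode the path walk stopped earlier at a dontaudited parent directory (comment 8),
    so these never blocked the daemon and should be confirmed before being allowed."""
    key = lambda d: (d["stype"], d["ttype"], d["tclass"])
    enforcing = {key(d) for d in denials if d["enforcing"]}
    return sorted({key(d) for d in denials if not d["enforcing"]} - enforcing)
```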

Comment 9 Zdenek Pytela 2021-03-30 19:25:21 UTC
*** Bug 1935763 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2021-04-02 14:44:45 UTC
FEDORA-2021-e221a38cfe has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e221a38cfe

Comment 11 Fedora Update System 2021-04-03 01:09:15 UTC
FEDORA-2021-e221a38cfe has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e221a38cfe`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e221a38cfe

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-04-05 00:17:50 UTC
FEDORA-2021-e221a38cfe has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

