Bug 1958025 - running bcc-tools filelife results in AVC denial
Summary: running bcc-tools filelife results in AVC denial
Keywords:
Status: CLOSED DUPLICATE of bug 1955585
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-05-07 04:19 UTC by Chris Murphy
Modified: 2021-05-07 08:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-07 08:49:42 UTC
Type: Bug
Embargoed:



Description Chris Murphy 2021-05-07 04:19:44 UTC
Description of problem:

Constant AVC errors when running bcc-tools filelife to detect short-lived files, which then results in setroubleshoot generating small files that filelife then detects.


Version-Release number of selected component (if applicable):
selinux-policy-34.4-1.fc34.noarch

How reproducible:
Only on Fedora Server, Fedora Workstation seems unaffected.

Steps to Reproduce:
1. sudo /usr/share/bcc/tools/filelife

Actual results:

Every 10 seconds:

May 06 22:10:27 fnuc.local audit[446]: AVC avc:  denied  { confidentiality } for  pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:27 fnuc.local audit[446]: SYSCALL arch=c000003e syscall=87 success=yes exit=0 a0=55a1a7f3c680 a1=0 a2=0 a3=7ffd7a048080 items=2 ppid=1 pid=446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
May 06 22:10:27 fnuc.local audit: CWD cwd="/"
May 06 22:10:27 fnuc.local audit: PATH item=0 name="/run/systemd/journal/streams/" inode=58 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 06 22:10:27 fnuc.local audit: PATH item=1 name="/run/systemd/journal/streams/8:108450" inode=3688 dev=00:19 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 06 22:10:27 fnuc.local audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-journald"
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Main process exited, code=killed, status=14/ALRM
May 06 22:10:27 fnuc.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@658 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Failed with result 'signal'.
May 06 22:10:27 fnuc.local systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Consumed 2.376s CPU time.
May 06 22:10:27 fnuc.local setroubleshoot[8950]: AnalyzeThread.run(): Cancel pending alarm
May 06 22:10:28 fnuc.local systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
May 06 22:10:28 fnuc.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@659 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 06 22:10:30 fnuc.local setroubleshoot[8950]: SELinux is preventing /usr/lib/systemd/systemd-journald from confidentiality access on the lockdown /run/systemd/journal/streams/8:108450. For complete SELinux messages run: sealert -l 3f3ac395-199e-4f06-be13-fa9fb17b3e56
May 06 22:10:30 fnuc.local setroubleshoot[8950]: SELinux is preventing /usr/lib/systemd/systemd-journald from confidentiality access on the lockdown /run/systemd/journal/streams/8:108450.
                                                 
                                                 *****  Plugin catchall (100. confidence) suggests   **************************
                                                 
                                                 If you believe that systemd-journald should be allowed confidentiality access on the 8:108450 lockdown by default.
                                                 Then you should report this as a bug.
                                                 You can generate a local policy module to allow this access.
                                                 Do
                                                 allow this access for now by executing:
                                                 # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
                                                 # semodule -X 300 -i my-systemdjournal.pp
                                                 
May 06 22:10:30 fnuc.local setroubleshoot[8950]: AnalyzeThread.run(): Set alarm timeout to 10

Expected results:

No denial

Additional info:

Output I get from filelife

22:08:43 8946   SetroubleshootP  0.00    ffisM4bFm
22:08:53 1      systemd          10.93   dbus-:1.3-org.fedoraproject.Setr
22:08:54 1      systemd          118.12  dbus-:1.3-org.fedoraproject.Setr
22:08:57 8959   SetroubleshootP  0.00    ffiKlRwDG
22:09:09 1      systemd          12.69   dbus-:1.3-org.fedoraproject.Setr
22:09:10 8971   SetroubleshootP  0.00    ffibyH6LP
22:09:20 1      systemd          2980.07 invocation:dbus-:1.3-org.fedorap
22:09:20 1      systemd          10.92   dbus-:1.3-org.fedoraproject.Setr
22:09:21 8978   SetroubleshootP  0.00    ffiJczV61
22:09:32 1      systemd          10.90   dbus-:1.3-org.fedoraproject.Setr
22:09:33 8985   SetroubleshootP  0.00    ffigt6Xjr
22:09:43 1      systemd          10.94   dbus-:1.3-org.fedoraproject.Setr
22:09:44 8993   SetroubleshootP  0.00    ffiIniFf5
22:09:54 1      systemd          10.92   dbus-:1.3-org.fedoraproject.Setr
22:09:55 9000   SetroubleshootP  0.00    ffieAe1YQ
22:10:05 1      systemd          22.09   invocation:dbus-:1.3-org.fedorap
22:10:05 1      systemd          10.91   dbus-:1.3-org.fedoraproject.Setr
22:10:06 9007   SetroubleshootP  0.00    ffiLzK7WY
22:10:16 1      systemd          10.93   dbus-:1.3-org.fedoraproject.Setr
22:10:17 9017   SetroubleshootP  0.00    ffiDcllu0
22:10:27 1      systemd          965.57  invocation:dbus-:1.3-org.fedorap
22:10:27 1      systemd          10.93   dbus-:1.3-org.fedoraproject.Setr
22:10:28 9024   SetroubleshootP  0.00    ffihhy9um

Comment 1 Ondrej Mosnacek 2021-05-07 07:57:55 UTC
This is likely a duplicate of BZ 1955585, but I'll need to double-check...

Comment 2 Ondrej Mosnacek 2021-05-07 08:49:42 UTC
Yep, there is a bpf_probe_read_kernel() call in that BPF program, so it's pretty much the same issue.

*** This bug has been marked as a duplicate of bug 1955585 ***
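
Added example (not part of the bug report, and not code from bcc or selinux-policy): a small triage parser that extracts lockdown-class AVC denials from journal text and counts them per process, source domain and lockdown_reason, so a repeating denial like the one quoted in the description stands out. The sample lines are constructed from the record format shown above; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: two lockdown denials modeled on the record in the
# report, plus one unrelated (constructed) file denial that must be ignored.
SAMPLE = '''\
May 06 22:10:27 fnuc.local audit[446]: AVC avc:  denied  { confidentiality } for  pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:37 fnuc.local audit[446]: AVC avc:  denied  { confidentiality } for  pid=446 comm="systemd-journal" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=lockdown permissive=0
May 06 22:10:40 example.local audit[900]: AVC avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
'''

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields for a denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def lockdown_denials(text):
    """Keep only denials against the 'lockdown' object class."""
    records = (parse_avc(line) for line in text.splitlines())
    return [r for r in records if r and r.get('tclass') == 'lockdown']


def summarize(records):
    """Count denials per (comm, source SELinux type, lockdown_reason)."""
    counts = Counter()
    for r in records:
        domain = r['scontext'].split(':')[2]  # user:role:type:level -> type
        counts[(r['comm'], domain, r.get('lockdown_reason', ''))] += 1
    return counts


if __name__ == '__main__':
    for (comm, domain, reason), n in summarize(lockdown_denials(SAMPLE)).items():
        print(f'{n:4d}  comm={comm}  domain={domain}  reason={reason}')
```
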

