Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-17820

[9.4] avc denied when starting opa-fm service

XMLWordPrintable

    • selinux-policy-38.1.33-1.el9
    • None
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • 20
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Release Note Not Required
    • x86_64
    • None

      What were you trying to do that didn't work?

      Please provide the package NVR for which bug is seen:

      Should run the test on OPA HCA(rdma-qe-14/15).

      [root@rdma-qe-14 ~]$ rpm -q opa-fm selinux-policy kernel
      opa-fm-10.12.1.0.6-1.el9.x86_64
      selinux-policy-38.1.27-1.el9.noarch
      kernel-5.14.0-391.el9.x86_64
      kernel-5.14.0-387.3391_1079259576.el9.x86_64
      [root@rdma-qe-14 ~]$ uname -r
      5.14.0-387.3391_1079259576.el9.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. $ systemctl restart opafm.service 
      2. $ ausearch -m avc --start recent
      3. Add below lines to /usr/lib/systemd/system/opafm.service and then systemctl daemon-reload & systemctl restart opafm.service

      4. LimitAS=infinity

      5. LimitRSS=infinity

      6. LimitCORE=infinity

      7. LimitNOFILE=4096

      8.  Also test with unlimited, still can see the issue.

      9. $ ulimit -c

      10. unlimited

      11.  

      Expected results

      No such avc denied

      Actual results

      time->Thu Nov 30 22:29:46 2023
      type=PROCTITLE msg=audit(1701401386.916:163): proctitle=2F7573722F6C69622F6F70612D666D2F72756E74696D652F736D002D6500736D5F30
      type=SYSCALL msg=audit(1701401386.916:163): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=55b6fb046c00 a2=7ffe1192fa60 a3=0 items=0 ppid=2431 pid=2435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sm" exe="/usr/lib/opa-fm/runtime/sm" subj=system_u:system_r:opafm_t:s0 key=(null)
      type=AVC msg=audit(1701401386.916:163): avc:  denied  { search } for  pid=2435 comm="sm" name="/" dev="0:43" ino=4299124166 scontext=system_u:system_r:opafm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0

      time->Thu Nov 30 22:29:46 2023
      type=PROCTITLE msg=audit(1701401386.916:164): proctitle=2F7573722F6C69622F6F70612D666D2F72756E74696D652F736D002D6500736D5F30
      type=SYSCALL msg=audit(1701401386.916:164): arch=c000003e syscall=83 success=no exit=-13 a0=55b6fb046c00 a1=1a4 a2=fffffffffffffef8 a3=0 items=0 ppid=2431 pid=2435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sm" exe="/usr/lib/opa-fm/runtime/sm" subj=system_u:system_r:opafm_t:s0 key=(null)
      type=AVC msg=audit(1701401386.916:164): avc:  denied  { search } for  pid=2435 comm="sm" name="/" dev="0:43" ino=4299124166 scontext=system_u:system_r:opafm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0

      time->Thu Nov 30 22:29:46 2023
      type=PROCTITLE msg=audit(1701401386.916:165): proctitle=2F7573722F6C69622F6F70612D666D2F72756E74696D652F736D002D6500736D5F30
      type=SYSCALL msg=audit(1701401386.916:165): arch=c000003e syscall=80 success=no exit=-13 a0=55b6fb046c00 a1=55b6fbcce010 a2=55b6fbd8d a3=4000 items=0 ppid=2431 pid=2435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sm" exe="/usr/lib/opa-fm/runtime/sm" subj=system_u:system_r:opafm_t:s0 key=(null)
      type=AVC msg=audit(1701401386.916:165): avc:  denied  { search } for  pid=2435 comm="sm" name="/" dev="0:43" ino=4299124166 scontext=system_u:system_r:opafm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0

              rhn-support-zpytela Zdenek Pytela
              rhn-support-zguo Zhaojuan Guo
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: