-
Bug
-
Resolution: Done-Errata
-
Minor
-
rhel-8.10
-
None
-
selinux-policy-3.14.3-136.el8
-
None
-
Low
-
sst_security_selinux
-
ssg_security
-
25
-
None
-
QE ack
-
False
-
-
No
-
None
-
-
Pass
-
Automated
-
Release Note Not Required
-
-
All
-
None
What were you trying to do that didn't work?
Please provide the package NVR for which bug is seen:
selinux-policy-3.14.3-134.el8.noarch
selinux-policy-targeted-3.14.3-134.el8.noarch
caddy-2.6.4-2.el8.x86_64 (comes from EPEL)
How reproducible:
always
Steps to reproduce
- get a RHEL-8.10 machine (targeted policy is active)
- start the caddy service
- search for SELinux denials
Expected results
no SELinux denials
Actual results (enforcing mode)
----
type=PROCTITLE msg=audit(01/25/2024 16:29:04.633:383) : proctitle=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
type=PATH msg=audit(01/25/2024 16:29:04.633:383) : item=0 name=/proc/sys/net/core/somaxconn inode=81663 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/25/2024 16:29:04.633:383) : cwd=/
type=SYSCALL msg=audit(01/25/2024 16:29:04.633:383) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc0004313a0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=39577 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(01/25/2024 16:29:04.633:383) : avc: denied { read } for pid=39577 comm=caddy name=somaxconn dev="proc" ino=81663 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
Actual results (permissive mode)
----
type=PROCTITLE msg=audit(01/25/2024 16:29:24.079:389) : proctitle=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
type=PATH msg=audit(01/25/2024 16:29:24.079:389) : item=0 name=/proc/sys/net/core/somaxconn inode=81663 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/25/2024 16:29:24.079:389) : cwd=/
type=SYSCALL msg=audit(01/25/2024 16:29:24.079:389) : arch=x86_64 syscall=openat success=yes exit=7 a0=AT_FDCWD a1=0xc0004300a0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=42172 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(01/25/2024 16:29:24.079:389) : avc: denied { open } for pid=42172 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=81663 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/25/2024 16:29:24.079:389) : avc: denied { read } for pid=42172 comm=caddy name=somaxconn dev="proc" ino=81663 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
- links to
-
RHBA-2023:121335
selinux-policy bug fix and enhancement update
- mentioned on
