Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-24346

SELinux prevents NetworkManager from using the sys_ptrace capability in user namespaces

XMLWordPrintable

    • selinux-policy-38.1.36-1.el9
    • None
    • None
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 9
    • None
    • Hide

      Investigation spike ticket was created to understand the root cause (See NMT-1037)

      Show
      Investigation spike ticket was created to understand the root cause (See NMT-1037)
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • CY24Q2
    • Hide

      The start of nm-cloud-setup service does not trigger SELinux denials. The nm-cloud-setup service works as expected in enforcing mode.

      Show
      The start of nm-cloud-setup service does not trigger SELinux denials. The nm-cloud-setup service works as expected in enforcing mode.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

      I'm from the Image Builder team. We test our tooling on RHEL-9.4 nightly and also boot-test the images. One of the tests checks that there are no AVC denials on the booted system. This started to fail recently with NetworkManager generating some denials. Is this known issue tracked in Jira, or should I report it? More details are in https://gitlab.com/redhat/services/products/image-builder/ci/osbuild-composer/-/jobs/6098178173#L4233

      Please provide the package NVR for which bug is seen:

      NetworkManager-1.45.90-1.el9

      How reproducible:

      Happens consistently in our CI.

      Steps to reproduce

      1.  
      2.  
      3.  

      Expected results

      no AVC denials

      Actual results

      Multiple instances of:

      type=PROCTITLE msg=audit(1707148428.626:37): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1707148428.626:37): arch=c000003e syscall=0 success=yes exit=178 a0=1b a1=7ffec1f6b060 a2=1000 a3=0 items=0 ppid=1 pid=685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1707148428.626:37): avc: denied { sys_ptrace } for pid=685 comm="NetworkManager" capability=19 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=cap_userns permissive=0

              rhn-support-zpytela Zdenek Pytela
              thozza@redhat.com Tomas Hozza
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

                Created:
                Updated:
                Resolved: