RHEL-24346

SELinux prevents NetworkManager from using the sys_ptrace capability in user namespaces

Details

    • sst_security_selinux
    • ssg_security
    • 9
    • Investigation spike ticket was created to understand the root cause (See NMT-1037)
    • QE ack
    • False
    • None
    • No
    • CY24Q2
    • The start of nm-cloud-setup service does not trigger SELinux denials. The nm-cloud-setup service works as expected in enforcing mode.
    • Pass
    • Yes
    • Unspecified Release Note Type - Unknown

    Description

      What were you trying to do that didn't work?

      I'm from the Image Builder team. We test our tooling on RHEL-9.4 nightly and also boot-test the images. One of the tests checks that there are no AVC denials on the booted system. This started to fail recently with NetworkManager generating some denials. Is this a known issue tracked in Jira, or should I report it? More details are in https://gitlab.com/redhat/services/products/image-builder/ci/osbuild-composer/-/jobs/6098178173#L4233

      Please provide the package NVR for which the bug is seen:

      NetworkManager-1.45.90-1.el9

      How reproducible:

      Happens consistently in our CI.

      Steps to reproduce


      Expected results

      no AVC denials

      Actual results

      Multiple instances of:

      type=PROCTITLE msg=audit(1707148428.626:37): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
      type=SYSCALL msg=audit(1707148428.626:37): arch=c000003e syscall=0 success=yes exit=178 a0=1b a1=7ffec1f6b060 a2=1000 a3=0 items=0 ppid=1 pid=685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
      type=AVC msg=audit(1707148428.626:37): avc: denied { sys_ptrace } for pid=685 comm="NetworkManager" capability=19 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=cap_userns permissive=0
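The "no AVC denials on the booted system" check the reporter describes can be built over audit records of exactly the shape quoted above. The following is an added example, not code from the report, osbuild-composer or NetworkManager: it groups records by audit event id, joins the AVC record with its SYSCALL and PROCTITLE records, decodes the hex proctitle, maps capability=19 to sys_ptrace, and notes whether the denial was enforced and whether the syscall nonetheless succeeded. The sample input is the report's own three records, re-split one per line; function names and the capability table subset are the example's own.

```python
import re

# Constructed sample: the three records quoted in the report, one per line.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1707148428.626:37): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1707148428.626:37): arch=c000003e syscall=0 success=yes exit=178 a0=1b a1=7ffec1f6b060 a2=1000 a3=0 items=0 ppid=1 pid=685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1707148428.626:37): avc: denied { sys_ptrace } for pid=685 comm="NetworkManager" capability=19 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=cap_userns permissive=0
"""
# Subset of capability numbers from include/uapi/linux/capability.h.
CAP_NAMES = {16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace", 21: "sys_admin"}
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

def decode_proctitle(value):
    """PROCTITLE is hex-encoded NUL-separated argv when it contains spaces/NULs, else plain text."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").split("\0")
    except ValueError:
        return [value]

def parse_events(text):
    """Group audit records by event id (timestamp:serial) -> {record type: (body, fields)}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
            events.setdefault(f"{ts}:{serial}", {})[rtype] = (body, fields)
    return events

def find_avc_denials(text):
    """One summary per denied AVC event, joined with its SYSCALL and PROCTITLE records."""
    denials = []
    for event, recs in parse_events(text).items():
        body, f = recs.get("AVC", ("", {}))
        m = AVC_RE.search(body)
        if not m or m.group(1) != "denied":
            continue
        d = {"event": event, "perms": m.group(2).split(), "enforced": f.get("permissive") == "0",
             **{k: f.get(k) for k in ("comm", "scontext", "tcontext", "tclass")}}
        if "capability" in f:  # capability and cap_userns (check inside a user namespace) carry the number
            d["capability"] = CAP_NAMES.get(int(f["capability"]), f["capability"])
        if "SYSCALL" in recs:  # a denial does not always fail the syscall; here success=yes
            d["syscall_success"] = recs["SYSCALL"][1].get("success") == "yes"
        if "PROCTITLE" in recs:
            d["proctitle"] = decode_proctitle(recs["PROCTITLE"][1]["proctitle"])
        denials.append(d)
    return denials
```

Feeding it `ausearch -m AVC -i` output will not work because `-i` replaces the raw numbers with names; use the raw audit.log lines or `ausearch -m AVC` without `-i`.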

            People

              rhn-support-zpytela Zdenek Pytela
              thozza@redhat.com Tomas Hozza
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik