- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.4
- selinux-policy-38.1.33-1.el9
- Moderate
- rhel-sst-security-selinux
- ssg_security
What were you trying to do that didn't work?
The following automated test triggers SELinux denials:
- /CoreOS/selinux-policy/Sanity/thumbnail-protection
Please provide the package NVR for which bug is seen:
selinux-policy-38.1.31-1.el9.noarch
selinux-policy-devel-38.1.31-1.el9.noarch
selinux-policy-targeted-38.1.31-1.el9.noarch
tumbler-4.18.1-1.el9.x86_64
How reproducible:
always
Steps to reproduce
- get a RHEL-9.4 machine (the targeted policy is active)
- run the automated test
- search for SELinux denials
Expected results
no SELinux denials
Actual results
----
type=PROCTITLE msg=audit(02/19/2024 05:27:32.928:414) : proctitle=/usr/lib64/tumbler-1/tumblerd
type=PATH msg=audit(02/19/2024 05:27:32.928:414) : item=0 name=/run/mount/utab.lock inode=955 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:mount_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/19/2024 05:27:32.928:414) : cwd=/home/user4067
type=SYSCALL msg=audit(02/19/2024 05:27:32.928:414) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xa a1=0x7f0414006d00 a2=0x10 a3=0x7f04249b13e0 items=1 ppid=15005 pid=15039 auid=user4067 uid=user4067 gid=user4067 euid=user4067 suid=user4067 fsuid=user4067 egid=user4067 sgid=user4067 fsgid=user4067 tty=(none) ses=7 comm=gmain exe=/usr/lib64/tumbler-1/tumblerd subj=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/19/2024 05:27:32.928:414) : avc: denied { watch watch_reads } for pid=15039 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/19/2024 05:27:34.306:454) : proctitle=/usr/lib64/tumbler-1/tumblerd
type=PATH msg=audit(02/19/2024 05:27:34.306:454) : item=0 name=/run/mount/utab.lock inode=955 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:mount_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/19/2024 05:27:34.306:454) : cwd=/home/user31966
type=SYSCALL msg=audit(02/19/2024 05:27:34.306:454) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xa a1=0x7f9960006d00 a2=0x10 a3=0x7f996fbb13e0 items=1 ppid=15192 pid=15225 auid=user31966 uid=user31966 gid=user31966 euid=user31966 suid=user31966 fsuid=user31966 egid=user31966 sgid=user31966 fsgid=user31966 tty=(none) ses=9 comm=gmain exe=/usr/lib64/tumbler-1/tumblerd subj=user_u:user_r:thumb_t:s0 key=(null)
type=AVC msg=audit(02/19/2024 05:27:34.306:454) : avc: denied { watch watch_reads } for pid=15225 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=user_u:user_r:thumb_t:s0 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/19/2024 05:27:35.595:494) : proctitle=/usr/lib64/tumbler-1/tumblerd
type=PATH msg=audit(02/19/2024 05:27:35.595:494) : item=0 name=/run/mount/utab.lock inode=955 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:mount_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/19/2024 05:27:35.595:494) : cwd=/home/user12826
type=SYSCALL msg=audit(02/19/2024 05:27:35.595:494) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xa a1=0x7f4804006d00 a2=0x10 a3=0x7f48123b13e0 items=1 ppid=15378 pid=15411 auid=user12826 uid=user12826 gid=user12826 euid=user12826 suid=user12826 fsuid=user12826 egid=user12826 sgid=user12826 fsgid=user12826 tty=(none) ses=11 comm=gmain exe=/usr/lib64/tumbler-1/tumblerd subj=sysadm_u:sysadm_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/19/2024 05:27:35.595:494) : avc: denied { watch watch_reads } for pid=15411 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=sysadm_u:sysadm_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/19/2024 05:27:36.862:534) : proctitle=/usr/lib64/tumbler-1/tumblerd
type=PATH msg=audit(02/19/2024 05:27:36.862:534) : item=0 name=/run/mount/utab.lock inode=955 dev=00:18 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:mount_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/19/2024 05:27:36.862:534) : cwd=/home/user14541
type=SYSCALL msg=audit(02/19/2024 05:27:36.862:534) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ff490006d00 a2=0x10 a3=0x7ff4a13b13e0 items=1 ppid=15564 pid=15597 auid=user14541 uid=user14541 gid=user14541 euid=user14541 suid=user14541 fsuid=user14541 egid=user14541 sgid=user14541 fsgid=user14541 tty=(none) ses=13 comm=gmain exe=/usr/lib64/tumbler-1/tumblerd subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/19/2024 05:27:36.862:534) : avc: denied { watch watch_reads } for pid=15597 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
----
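For the "search for SELinux denials" step, the following added example (not part of the original report or of the test suite) collapses the four AVC records above into distinct denials keyed by source type, target type, class and permissions. The function names `selinux_type` and `summarize` are hypothetical; the sample lines are the AVC records from this report.

```python
import re
from collections import defaultdict

# AVC lines copied from the "Actual results" of this report.
SAMPLE = """\
type=AVC msg=audit(02/19/2024 05:27:32.928:414) : avc: denied { watch watch_reads } for pid=15039 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/19/2024 05:27:34.306:454) : avc: denied { watch watch_reads } for pid=15225 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=user_u:user_r:thumb_t:s0 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/19/2024 05:27:35.595:494) : avc: denied { watch watch_reads } for pid=15411 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=sysadm_u:sysadm_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/19/2024 05:27:36.862:534) : avc: denied { watch watch_reads } for pid=15597 comm=gmain path=/run/mount/utab.lock dev="tmpfs" ino=955 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mount_var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of user:role:type[:level].

    The MLS level can itself contain ':' (s0-s0:c0.c1023), so split from
    the left at most three times instead of splitting on every colon.
    """
    return context.split(":", 3)[2]


def summarize(log_text):
    """Map (source type, target type, class, perms) -> set of 'user:role'."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, PATH, CWD, SYSCALL and separator lines
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], tuple(sorted(m["perms"].split())))
        user, role = m["scontext"].split(":")[:2]
        groups[key].add(f"{user}:{role}")
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls, perms), who in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} seen for {sorted(who)}")
```

All four records reduce to one denial in the `thumb_t` domain, seen under every SELinux user and role the test exercised.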
- links to RHBA-2023:121166 selinux-policy bug fix and enhancement update