Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-26663

SELinux prevents the wdmd from reading the /sys/class/watchdog/watchdog0/identity symlink [rhel-9]

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.4
    • rhel-9.4
    • selinux-policy
    • None
    • selinux-policy-38.1.35-2.el9_4
    • None
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • 30
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Approved Exception
    • Release Note Not Required
    • All
    • None

      What were you trying to do that didn't work?

      everything seems to work as expected, but the SELinux denials are triggered

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.33-1.el9.noarch
      selinux-policy-targeted-38.1.33-1.el9.noarch
      sanlock-3.9.1-1.el9.x86_64

      How reproducible:

      Steps to reproduce

      1. get a RHEL-9.4 machine (targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/bz691828-sanlock-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
type=PROCTITLE msg=audit(02/23/2024 23:59:13.212:1911) : proctitle=/usr/sbin/wdmd --probe 
type=PATH msg=audit(02/23/2024 23:59:13.212:1911) : item=0 name=/sys/class/watchdog/watchdog0/identity nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/23/2024 23:59:13.212:1911) : cwd=/ 
type=SYSCALL msg=audit(02/23/2024 23:59:13.212:1911) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffce5f5ed10 a2=O_RDONLY a3=0x0 items=1 ppid=182355 pid=182356 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) 
type=AVC msg=audit(02/23/2024 23:59:13.212:1911) : avc:  denied  { read } for  pid=182356 comm=wdmd name=watchdog0 dev="sysfs" ino=22335 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0 
----
type=PROCTITLE msg=audit(02/23/2024 23:59:13.225:1912) : proctitle=/usr/sbin/wdmd 
type=PATH msg=audit(02/23/2024 23:59:13.225:1912) : item=0 name=/sys/class/watchdog/watchdog0/identity nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/23/2024 23:59:13.225:1912) : cwd=/ 
type=SYSCALL msg=audit(02/23/2024 23:59:13.225:1912) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffecdb4afd0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=182358 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) 
type=AVC msg=audit(02/23/2024 23:59:13.225:1912) : avc:  denied  { read } for  pid=182358 comm=wdmd name=watchdog0 dev="sysfs" ino=22335 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0 
----

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: