Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-27507

SELinux prevents the wdmd from reading the /sys/class/watchdog/watchdog0/identity symlink [rhel-8]

XMLWordPrintable

    • selinux-policy-3.14.3-139.el8_10
    • None
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • 30
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Approved Exception
    • Release Note Not Required
    • All
    • None

      What were you trying to do that didn't work?

      everything seems to work as expected, but the SELinux denials are triggered

      Please provide the package NVR for which bug is seen:

      sanlock-3.8.4-5.el8.aarch64
      sanlock-lib-3.8.4-5.el8.aarch64
      selinux-policy-3.14.3-137.el8.noarch
      selinux-policy-devel-3.14.3-137.el8.noarch
      selinux-policy-mls-3.14.3-137.el8.noarch
      selinux-policy-targeted-3.14.3-137.el8.noarch

      How reproducible:

      Steps to reproduce

      1. get a RHEL-8.10 machine (targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/bz691828-sanlock-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
type=PROCTITLE msg=audit(02/29/2024 09:24:57.789:390) : proctitle=/usr/sbin/wdmd --probe 
type=PATH msg=audit(02/29/2024 09:24:57.789:390) : item=0 name=/sys/class/watchdog/watchdog0/identity nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2024 09:24:57.789:390) : cwd=/ 
type=SYSCALL msg=audit(02/29/2024 09:24:57.789:390) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffffdcc7e688 a2=O_RDONLY a3=0x0 items=1 ppid=76419 pid=76455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) 
type=AVC msg=audit(02/29/2024 09:24:57.789:390) : avc:  denied  { read } for  pid=76455 comm=wdmd name=watchdog0 dev="sysfs" ino=18279 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0 
----
type=PROCTITLE msg=audit(02/29/2024 09:24:57.799:391) : proctitle=/usr/sbin/wdmd 
type=PATH msg=audit(02/29/2024 09:24:57.799:391) : item=0 name=/sys/class/watchdog/watchdog0/identity nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2024 09:24:57.799:391) : cwd=/ 
type=SYSCALL msg=audit(02/29/2024 09:24:57.799:391) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffffc1e65288 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=76458 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) 
type=AVC msg=audit(02/29/2024 09:24:57.799:391) : avc:  denied  { read } for  pid=76458 comm=wdmd name=watchdog0 dev="sysfs" ino=18279 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
----

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: