Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-33361

[rhel9] various systemd programs want to access /dev/z90crypt

    • selinux-policy-38.1.39-1.el9
    • None
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 15
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      SELinux denials related to the /dev/z90crypt device are not triggered when provisioning a s390x machine or when running tests on a s390x machine.

      Show
      SELinux denials related to the /dev/z90crypt device are not triggered when provisioning a s390x machine or when running tests on a s390x machine.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • s390x
    • None

      What were you trying to do that didn't work?

      Call traces like below on s390x machines:

       

      ----
      time->Tue Apr 16 15:21:54 2024
      type=PROCTITLE msg=audit(1713295314.076:440): proctitle=2F7573722F62696E2F73797374656D63746C007374617274006D616E2D64622D63616368652D757064617465
      type=SYSCALL msg=audit(1713295314.076:440): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3fff78f9e50 a3=0 items=0 ppid=1 pid=19988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:init_t:s0 key=(null)
      type=AVC msg=audit(1713295314.076:440): avc:  denied  { ioctl } for  pid=19988 comm="systemctl" path="/dev/z90crypt" dev="devtmpfs" ino=100 ioctlcmd=0x7a05 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
      ----
      time->Tue Apr 16 15:22:36 2024
      type=PROCTITLE msg=audit(1713295356.206:465): proctitle="/usr/lib/systemd/systemd-hostnamed"
      type=SYSCALL msg=audit(1713295356.206:465): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3ffc12fa630 a3=0 items=0 ppid=1 pid=31233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
      type=AVC msg=audit(1713295356.206:465): avc:  denied  { ioctl } for  pid=31233 comm="systemd-hostnam" path="/dev/z90crypt" dev="devtmpfs" ino=100 ioctlcmd=0x7a05 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1 

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.35-2.el9.noarch

      How reproducible:

      easily reproducible

      Steps to reproduce

      1. It can be reproducible by just booting a machine. This seems to happen only on s390x using KVM.
      2.  
      3.  

      test logs:  https://datawarehouse.cki-project.org/kcidb/tests/12059125

      cki issue tracker: https://datawarehouse.cki-project.org/issue/2662

       

      This seems to be the same issue reported on rhel-10 (https://issues.redhat.com/browse/RHEL-28539) and Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=2263825)

              rhn-support-zpytela Zdenek Pytela
              bgoncalv@redhat.com Bruno Goncalves
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: