RHEL-33361

[rhel9] various systemd programs want to access /dev/z90crypt

    • selinux-policy-38.1.38-1.el9
    • sst_security_selinux
    • ssg_security
    • 13
    • QE ack
    • False
    • SELinux denials related to the /dev/z90crypt device are not triggered when provisioning a s390x machine or when running tests on a s390x machine.
    • Yes
    • s390x

      What were you trying to do that didn't work?

      Call traces like below on s390x machines:

       

      ----
      time->Tue Apr 16 15:21:54 2024
      type=PROCTITLE msg=audit(1713295314.076:440): proctitle=2F7573722F62696E2F73797374656D63746C007374617274006D616E2D64622D63616368652D757064617465
      type=SYSCALL msg=audit(1713295314.076:440): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3fff78f9e50 a3=0 items=0 ppid=1 pid=19988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:init_t:s0 key=(null)
      type=AVC msg=audit(1713295314.076:440): avc:  denied  { ioctl } for  pid=19988 comm="systemctl" path="/dev/z90crypt" dev="devtmpfs" ino=100 ioctlcmd=0x7a05 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
      ----
      time->Tue Apr 16 15:22:36 2024
      type=PROCTITLE msg=audit(1713295356.206:465): proctitle="/usr/lib/systemd/systemd-hostnamed"
      type=SYSCALL msg=audit(1713295356.206:465): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 a2=3ffc12fa630 a3=0 items=0 ppid=1 pid=31233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
      type=AVC msg=audit(1713295356.206:465): avc:  denied  { ioctl } for  pid=31233 comm="systemd-hostnam" path="/dev/z90crypt" dev="devtmpfs" ino=100 ioctlcmd=0x7a05 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1 

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.35-2.el9.noarch

      How reproducible:

      easily reproducible

      Steps to reproduce

      1. It can be reproduced by just booting a machine. This seems to happen only on s390x using KVM.

      test logs:  https://datawarehouse.cki-project.org/kcidb/tests/12059125

      cki issue tracker: https://datawarehouse.cki-project.org/issue/2662

       

      This seems to be the same issue reported on rhel-10 (https://issues.redhat.com/browse/RHEL-28539) and Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=2263825)
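An added example, not part of the original report: a short Python parser that groups audit records like the ones above by event id, decodes the hex-encoded proctitle, and reduces each AVC denial to the source type, target type, class and permission needed when triaging it against policy. The function names are this example's own, and the sample input is the report's two events with some fields trimmed.

```python
import re
from collections import defaultdict

# Sample input: the two events from the report, with some fields trimmed for width.
SAMPLE = """\
type=PROCTITLE msg=audit(1713295314.076:440): proctitle=2F7573722F62696E2F73797374656D63746C007374617274006D616E2D64622D63616368652D757064617465
type=SYSCALL msg=audit(1713295314.076:440): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:init_t:s0
type=AVC msg=audit(1713295314.076:440): avc:  denied  { ioctl } for  pid=19988 comm="systemctl" path="/dev/z90crypt" dev="devtmpfs" ino=100 ioctlcmd=0x7a05 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
type=PROCTITLE msg=audit(1713295356.206:465): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=SYSCALL msg=audit(1713295356.206:465): arch=80000016 syscall=54 success=no exit=-19 a0=3 a1=c0007a05 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0
type=AVC msg=audit(1713295356.206:465): avc:  denied  { ioctl } for  pid=31233 comm="systemd-hostnam" path="/dev/z90crypt" dev="devtmpfs" ino=100 ioctlcmd=0x7a05 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=1
"""
HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(value):
    """Audit records hex-encode proctitle when it holds NUL-separated argv."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    return value.strip('"')  # plain quoted form, or a literal such as (null)

def summarize(log):
    """Group records by event id; return one summary per event with an AVC record."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            # Keeps the last record of each type per event; _raw holds the full body.
            events[event_id][rtype] = dict(FIELD.findall(body), _raw=body)
    out = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        out.append({
            "event": event_id,
            "cmdline": decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle", "")),
            "exit": recs.get("SYSCALL", {}).get("exit"),
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": re.search(r"\{ ([^}]*)\}", avc["_raw"]).group(1).split(),
            "ioctlcmd": avc.get("ioctlcmd"),
            "permissive": avc.get("permissive") == "1",
        })
    return out
```

On the sample, both events reduce to the same request, ioctl 0x7a05 on a crypt_device_t character device, and differ only in the source domain (init_t and systemd_hostnamed_t).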

            rhn-support-zpytela Zdenek Pytela
            bgoncalv@redhat.com Bruno Goncalves
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik