Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-34078

SELinux prevents the setroubleshootd process from getattr on /proc/sys/vm/max_map_count file [rhel-9]

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.5
    • rhel-9.5
    • selinux-policy
    • None
    • selinux-policy-38.1.38-1.el9
    • None
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 12
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The setroubleshootd processes can access (getattr) the /proc/sys/vm/max_map_count file without triggering any SELinux denials.

      Show
      The setroubleshootd processes can access (getattr) the /proc/sys/vm/max_map_count file without triggering any SELinux denials.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • x86_64
    • None

      What were you trying to do that didn't work?

      When the setroubleshootd service is installed and enabled before the qemu-guest-agent service is restarted, then 2 different SELinux denials are triggered. The first SELinux denial is already reported as RHEL-31892. The second SELinux denial is reported here.

      Please provide the package NVR for which bug is seen:

      qemu-guest-agent-8.2.0-11.el9.x86_64
      selinux-policy-38.1.35-2.el9.noarch
      selinux-policy-devel-38.1.35-2.el9.noarch
      selinux-policy-doc-38.1.35-2.el9.noarch
      selinux-policy-mls-38.1.35-2.el9.noarch
      selinux-policy-sandbox-38.1.35-2.el9.noarch
      selinux-policy-targeted-38.1.35-2.el9.noarch
      setroubleshoot-plugins-3.3.14-4.el9.noarch
      setroubleshoot-server-3.3.32-1.el9.x86_64

      How reproducible:

      • always

      Expected results

      • no SELinux denials

      Actual results (enforcing mode)

      ----
type=PROCTITLE msg=audit(04/24/2024 20:21:11.708:1626) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f 
type=PATH msg=audit(04/24/2024 20:21:11.708:1626) : item=0 name=/proc/sys/vm/max_map_count inode=137784 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/24/2024 20:21:11.708:1626) : cwd=/ 
type=SYSCALL msg=audit(04/24/2024 20:21:11.708:1626) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f799d8a8ad0 a2=0x7f799d881050 a3=0x0 items=1 ppid=1 pid=65298 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0 key=(null) 
type=AVC msg=audit(04/24/2024 20:21:11.708:1626) : avc:  denied  { getattr } for  pid=65298 comm=setroubleshootd path=/proc/sys/vm/max_map_count dev="proc" ino=137784 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
----

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: