Loading...

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0
Component/s: libbpf
Labels:

Fixed in Build:
libbpf-1.5.0-1.el10
Regression:
None
Severity:
Important
sprint_count:
3

Pool Team:

sst_kernel_tps
Sub-System Group:

ssg_core_kernel

Dev Target Milestone:
19
Internal Target Milestone:
25
Story Points:
3
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
CK-June-2024, CK-July-2024, CK-August-2024

Acceptance Criteria:

Hide

The "systemctl daemon-reload" command does not trigger any SELinux denials on freshly installed RHEL-10 machine.

Show
The "systemctl daemon-reload" command does not trigger any SELinux denials on freshly installed RHEL-10 machine.
Preliminary Testing:
Pass
Testable Builds:
libbpf-1.5.0-1.el10
Errata Link:
https://errata.engineering.redhat.com/advisory/132839
Test Coverage:

Manual

Experience:
Architecture:

x86_64

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

selinux-policy-40.13.1-1.el10.noarch
selinux-policy-devel-40.13.1-1.el10.noarch
selinux-policy-doc-40.13.1-1.el10.noarch
selinux-policy-mls-40.13.1-1.el10.noarch
selinux-policy-sandbox-40.13.1-1.el10.noarch
selinux-policy-targeted-40.13.1-1.el10.noarch
systemd-255.3-1.el10.x86_64
systemd-container-255.3-1.el10.x86_64
systemd-journal-remote-255.3-1.el10.x86_64
systemd-libs-255.3-1.el10.x86_64
systemd-pam-255.3-1.el10.x86_64
systemd-rpm-macros-255.3-1.el10.noarch
systemd-udev-255.3-1.el10.x86_64

How reproducible:

always

Steps to reproduce

get a RHEL-10.0 machine (the targeted policy is active)
systemctl daemon-reload
search for SELinux denials

Expected results

no SELinux denials

Actual results

----
type=PROCTITLE msg=audit(05/21/24 16:04:01.207:217) : proctitle=/usr/lib/systemd/system-generators/nfs-server-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/generat 
type=PATH msg=audit(05/21/24 16:04:01.207:217) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/21/24 16:04:01.207:217) : item=0 name=/usr/lib/systemd/system-generators/nfs-server-generator inode=17343971 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nfsd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/21/24 16:04:01.207:217) : cwd=/ 
type=EXECVE msg=audit(05/21/24 16:04:01.207:217) : argc=4 a0=/usr/lib/systemd/system-generators/nfs-server-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
type=SYSCALL msg=audit(05/21/24 16:04:01.207:217) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf4a1b9ff0 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24322 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nfs-server-gene exe=/usr/lib/systemd/system-generators/nfs-server-generator subj=system_u:system_r:nfsd_t:s0 key=(null) 
type=AVC msg=audit(05/21/24 16:04:01.207:217) : avc:  denied  { map_read map_write } for  pid=24322 comm=nfs-server-gene scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(05/21/24 16:04:01.213:218) : proctitle=/usr/lib/systemd/system-generators/systemd-fstab-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gene 
type=PATH msg=audit(05/21/24 16:04:01.213:218) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/21/24 16:04:01.213:218) : item=0 name=/usr/lib/systemd/system-generators/systemd-fstab-generator inode=17042413 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_fstab_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/21/24 16:04:01.213:218) : cwd=/ 
type=EXECVE msg=audit(05/21/24 16:04:01.213:218) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-fstab-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
type=SYSCALL msg=audit(05/21/24 16:04:01.213:218) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf49208220 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24333 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-fstab-g exe=/usr/lib/systemd/system-generators/systemd-fstab-generator subj=system_u:system_r:systemd_fstab_generator_t:s0 key=(null) 
type=AVC msg=audit(05/21/24 16:04:01.213:218) : avc:  denied  { map_read map_write } for  pid=24333 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(05/21/24 16:04:01.222:219) : proctitle=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/g 
type=PATH msg=audit(05/21/24 16:04:01.222:219) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/21/24 16:04:01.222:219) : item=0 name=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator inode=17044135 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_gpt_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/21/24 16:04:01.222:219) : cwd=/ 
type=EXECVE msg=audit(05/21/24 16:04:01.222:219) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
type=SYSCALL msg=audit(05/21/24 16:04:01.222:219) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf4926c080 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24338 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-gpt-aut exe=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null) 
type=AVC msg=audit(05/21/24 16:04:01.222:219) : avc:  denied  { map_read map_write } for  pid=24338 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(05/21/24 16:04:01.233:220) : proctitle=/usr/lib/systemd/system-generators/systemd-rc-local-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/g 
type=PATH msg=audit(05/21/24 16:04:01.233:220) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/21/24 16:04:01.233:220) : item=0 name=/usr/lib/systemd/system-generators/systemd-rc-local-generator inode=17042415 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_rc_local_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/21/24 16:04:01.233:220) : cwd=/ 
type=EXECVE msg=audit(05/21/24 16:04:01.233:220) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-rc-local-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
type=SYSCALL msg=audit(05/21/24 16:04:01.233:220) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf492296f0 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24343 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-rc-loca exe=/usr/lib/systemd/system-generators/systemd-rc-local-generator subj=system_u:system_r:systemd_rc_local_generator_t:s0 key=(null) 
type=AVC msg=audit(05/21/24 16:04:01.233:220) : avc:  denied  { map_read map_write } for  pid=24343 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(05/21/24 16:04:01.237:221) : proctitle=/usr/lib/systemd/system-generators/systemd-sysv-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gener 
type=PATH msg=audit(05/21/24 16:04:01.237:221) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/21/24 16:04:01.237:221) : item=0 name=/usr/lib/systemd/system-generators/systemd-sysv-generator inode=17042418 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_sysv_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/21/24 16:04:01.237:221) : cwd=/ 
type=EXECVE msg=audit(05/21/24 16:04:01.237:221) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-sysv-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
type=SYSCALL msg=audit(05/21/24 16:04:01.237:221) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf499145a0 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24346 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sysv-ge exe=/usr/lib/systemd/system-generators/systemd-sysv-generator subj=system_u:system_r:systemd_sysv_generator_t:s0 key=(null) 
type=AVC msg=audit(05/21/24 16:04:01.237:221) : avc:  denied  { map_read map_write } for  pid=24346 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
----

is duplicated by

RHEL-39350 [RHEL-10-beta] AVC avc: denied { map_read map_write } for pid=3123 comm="nfs-server-gene" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0

Closed

RHEL-40094 [RHEL-10] avc: denied { map_read map_write }

Closed

RHEL-40563 systemd_gpt_generator_t and systemd_fstab_generator_t are denied to mmap init_t

Closed

RHEL-46205 AVC denials in RHEL10

Closed

links to

RHBA-2024:132839 libbpf bug fix and enhancement update

RHBZ#2280935 - SELinux is preventing /usr/lib/systemd/system-generators/nfs-server-generator from map_read, map_write access on the bpf /lib64/ld-linux-x86-64.so.2.

(1 links to)

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Activity

People

Dates