RHEL-37631

various systemd generators trigger { map_read map_write } denials

    • libbpf-1.5.0-1.el10
    • None
    • Important
    • 3
    • sst_kernel_tps
    • ssg_core_kernel
    • 19
    • 25
    • 3
    • QE ack, Dev ack
    • False
    • CK-June-2024, CK-July-2024, CK-August-2024
    • The "systemctl daemon-reload" command does not trigger any SELinux denials on a freshly installed RHEL-10 machine.
    • Pass
    • libbpf-1.5.0-1.el10
    • Manual
    • x86_64
    • None

      What were you trying to do that didn't work?

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.1-1.el10.noarch
      selinux-policy-devel-40.13.1-1.el10.noarch
      selinux-policy-doc-40.13.1-1.el10.noarch
      selinux-policy-mls-40.13.1-1.el10.noarch
      selinux-policy-sandbox-40.13.1-1.el10.noarch
      selinux-policy-targeted-40.13.1-1.el10.noarch
      systemd-255.3-1.el10.x86_64
      systemd-container-255.3-1.el10.x86_64
      systemd-journal-remote-255.3-1.el10.x86_64
      systemd-libs-255.3-1.el10.x86_64
      systemd-pam-255.3-1.el10.x86_64
      systemd-rpm-macros-255.3-1.el10.noarch
      systemd-udev-255.3-1.el10.x86_64

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-10.0 machine (the targeted policy is active)
      2. systemctl daemon-reload
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
      type=PROCTITLE msg=audit(05/21/24 16:04:01.207:217) : proctitle=/usr/lib/systemd/system-generators/nfs-server-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/generat 
      type=PATH msg=audit(05/21/24 16:04:01.207:217) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(05/21/24 16:04:01.207:217) : item=0 name=/usr/lib/systemd/system-generators/nfs-server-generator inode=17343971 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nfsd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/21/24 16:04:01.207:217) : cwd=/ 
      type=EXECVE msg=audit(05/21/24 16:04:01.207:217) : argc=4 a0=/usr/lib/systemd/system-generators/nfs-server-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
      type=SYSCALL msg=audit(05/21/24 16:04:01.207:217) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf4a1b9ff0 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24322 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nfs-server-gene exe=/usr/lib/systemd/system-generators/nfs-server-generator subj=system_u:system_r:nfsd_t:s0 key=(null) 
      type=AVC msg=audit(05/21/24 16:04:01.207:217) : avc:  denied  { map_read map_write } for  pid=24322 comm=nfs-server-gene scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
      ----
      type=PROCTITLE msg=audit(05/21/24 16:04:01.213:218) : proctitle=/usr/lib/systemd/system-generators/systemd-fstab-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gene 
      type=PATH msg=audit(05/21/24 16:04:01.213:218) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(05/21/24 16:04:01.213:218) : item=0 name=/usr/lib/systemd/system-generators/systemd-fstab-generator inode=17042413 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_fstab_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/21/24 16:04:01.213:218) : cwd=/ 
      type=EXECVE msg=audit(05/21/24 16:04:01.213:218) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-fstab-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
      type=SYSCALL msg=audit(05/21/24 16:04:01.213:218) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf49208220 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24333 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-fstab-g exe=/usr/lib/systemd/system-generators/systemd-fstab-generator subj=system_u:system_r:systemd_fstab_generator_t:s0 key=(null) 
      type=AVC msg=audit(05/21/24 16:04:01.213:218) : avc:  denied  { map_read map_write } for  pid=24333 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
      ----
      type=PROCTITLE msg=audit(05/21/24 16:04:01.222:219) : proctitle=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/g 
      type=PATH msg=audit(05/21/24 16:04:01.222:219) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(05/21/24 16:04:01.222:219) : item=0 name=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator inode=17044135 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_gpt_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/21/24 16:04:01.222:219) : cwd=/ 
      type=EXECVE msg=audit(05/21/24 16:04:01.222:219) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
      type=SYSCALL msg=audit(05/21/24 16:04:01.222:219) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf4926c080 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24338 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-gpt-aut exe=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null) 
      type=AVC msg=audit(05/21/24 16:04:01.222:219) : avc:  denied  { map_read map_write } for  pid=24338 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
      ----
      type=PROCTITLE msg=audit(05/21/24 16:04:01.233:220) : proctitle=/usr/lib/systemd/system-generators/systemd-rc-local-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/g 
      type=PATH msg=audit(05/21/24 16:04:01.233:220) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(05/21/24 16:04:01.233:220) : item=0 name=/usr/lib/systemd/system-generators/systemd-rc-local-generator inode=17042415 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_rc_local_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/21/24 16:04:01.233:220) : cwd=/ 
      type=EXECVE msg=audit(05/21/24 16:04:01.233:220) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-rc-local-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
      type=SYSCALL msg=audit(05/21/24 16:04:01.233:220) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf492296f0 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24343 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-rc-loca exe=/usr/lib/systemd/system-generators/systemd-rc-local-generator subj=system_u:system_r:systemd_rc_local_generator_t:s0 key=(null) 
      type=AVC msg=audit(05/21/24 16:04:01.233:220) : avc:  denied  { map_read map_write } for  pid=24343 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
      ----
      type=PROCTITLE msg=audit(05/21/24 16:04:01.237:221) : proctitle=/usr/lib/systemd/system-generators/systemd-sysv-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gener 
      type=PATH msg=audit(05/21/24 16:04:01.237:221) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=25166004 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(05/21/24 16:04:01.237:221) : item=0 name=/usr/lib/systemd/system-generators/systemd-sysv-generator inode=17042418 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_sysv_generator_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/21/24 16:04:01.237:221) : cwd=/ 
      type=EXECVE msg=audit(05/21/24 16:04:01.237:221) : argc=4 a0=/usr/lib/systemd/system-generators/systemd-sysv-generator a1=/run/systemd/generator a2=/run/systemd/generator.early a3=/run/systemd/generator.late 
      type=SYSCALL msg=audit(05/21/24 16:04:01.237:221) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bf499145a0 a1=0x7ffdf4d31630 a2=0x55bf494a1200 a3=0xffffffff items=2 ppid=24320 pid=24346 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sysv-ge exe=/usr/lib/systemd/system-generators/systemd-sysv-generator subj=system_u:system_r:systemd_sysv_generator_t:s0 key=(null) 
      type=AVC msg=audit(05/21/24 16:04:01.237:221) : avc:  denied  { map_read map_write } for  pid=24346 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0 
      ----
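A triage helper for the audit output above, added here as an example and not part of the bug report: it parses interpreted (`ausearch -i` style) AVC records, keeps only enforced (`permissive=0`) denials on the `bpf` object class, and groups them by source domain, so the pattern in this report (five generator domains, one target context `init_t`, the same `{ map_read map_write }` permission set) is visible at a glance. The sample records are copied from this report; the field names and the regular expression are this example's own assumptions about the record format.

```python
import re
from collections import defaultdict

# Sample input: the five AVC records plus one CWD record copied from this
# report, in the interpreted "ausearch -i" format.
SAMPLE_AUDIT = """\
type=CWD msg=audit(05/21/24 16:04:01.207:217) : cwd=/
type=AVC msg=audit(05/21/24 16:04:01.207:217) : avc:  denied  { map_read map_write } for  pid=24322 comm=nfs-server-gene scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/21/24 16:04:01.213:218) : avc:  denied  { map_read map_write } for  pid=24333 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/21/24 16:04:01.222:219) : avc:  denied  { map_read map_write } for  pid=24338 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/21/24 16:04:01.233:220) : avc:  denied  { map_read map_write } for  pid=24343 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/21/24 16:04:01.237:221) : avc:  denied  { map_read map_write } for  pid=24346 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
"""

# Assumed shape of an interpreted AVC record: timestamp, result, permission
# set in braces, then "key=value" fields (pid, comm, scontext, tcontext, ...).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\) : avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Parse one interpreted AVC record; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"stamp": m.group("stamp"), "result": m.group("result"),
           "perms": tuple(sorted(m.group("perms").split()))}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec

def bpf_denials(text):
    """Enforced (permissive=0) denials on the bpf object class, in log order."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r and r["result"] == "denied"
            and r.get("tclass") == "bpf" and r.get("permissive") == "0"]

def summarize(denials):
    """Group denials by (source type, target type, perms) -> comm names."""
    groups = defaultdict(list)
    for d in denials:
        stype, ttype = d["scontext"].split(":")[2], d["tcontext"].split(":")[2]
        groups[(stype, ttype, d["perms"])].append(d["comm"])
    return dict(groups)

if __name__ == "__main__":
    for (stype, ttype, perms), comms in summarize(bpf_denials(SAMPLE_AUDIT)).items():
        print(f"{stype} -> {ttype} {{ {' '.join(perms)} }}: {', '.join(comms)}")
```

An empty result from `bpf_denials()` over the audit records captured around a `systemctl daemon-reload` is the machine-checkable form of the verification note above.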
      

            vmalik@redhat.com Viktor Malík
            mmalik@redhat.com Milos Malik
            Viktor Malík Viktor Malík
            Ziqian (Zamir) SUN Ziqian (Zamir) SUN
            Votes: 0
            Watchers: 33