
[rhel-9] SELinux prevents systemd-coredump from reading the /proc/PID/ns/mnt file

    • selinux-policy-38.1.40-1.el9
    • Moderate
    • ZStream
    • rhel-sst-security-selinux
    • ssg_security
    • 21
    • QE ack
    • Approved Blocker
    • The systemd-coredump process does not trigger SELinux denials when a segfault appears.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • x86_64

      What were you trying to do that didn't work?

      Ran a beaker job on rhel-9.5, and some AVC denial messages cluttered the job result page.

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.38-1.el9.noarch

      How reproducible:

      once

      Steps to reproduce

      https://beaker.engineering.redhat.com/recipes/16261445#task178509628,task178509629,task178509638,task178509648

      Expected results

      No AVC denials.

      Actual results

      SELinux status: enabled
      SELinuxfs mount: /sys/fs/selinux
      SELinux root directory: /etc/selinux
      Loaded policy name: targeted
      Current mode: enforcing
      Mode from config file: enforcing
      Policy MLS status: enabled
      Policy deny_unknown status: allowed
      Memory protection checking: actual (secure)
      Max kernel policy version: 33
      selinux-policy-38.1.38-1.el9.noarch


      time->Mon Jun 3 13:52:48 2024
      type=PROCTITLE msg=audit(1717437168.120:131): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D636F726564756D700031303232390030003000313100313731373433373136380031383434363734343037333730393535313631350064656C6C2D7065723732302D30312E726874732E656E672E70656B322E7265646861742E636F6D
      type=SYSCALL msg=audit(1717437168.120:131): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fff8c15f250 a2=80100 a3=0 items=0 ppid=2 pid=10241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-coredum" exe="/usr/lib/systemd/systemd-coredump" subj=system_u:system_r:systemd_coredump_t:s0 key=(null)
      type=AVC msg=audit(1717437168.120:131): avc: denied { read } for pid=10241 comm="systemd-coredum" dev="nsfs" ino=4026531841 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
      ----
      time->Mon Jun 3 13:52:48 2024
      type=PROCTITLE msg=audit(1717437168.130:132): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D636F726564756D700031303233320030003000313100313731373433373136380031383434363734343037333730393535313631350064656C6C2D7065723732302D30312E726874732E656E672E70656B322E7265646861742E636F6D
      type=SYSCALL msg=audit(1717437168.130:132): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffcba55ac40 a2=80100 a3=0 items=0 ppid=2 pid=10246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-coredum" exe="/usr/lib/systemd/systemd-coredump" subj=system_u:system_r:systemd_coredump_t:s0 key=(null)
      type=AVC msg=audit(1717437168.130:132): avc: denied { read } for pid=10246 comm="systemd-coredum" dev="nsfs" ino=4026531841 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
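The two audit events above carry everything a responder needs, but spread over three record types per event: the AVC record gives the access-vector tuple (source type, target type, object class, permission) and whether it was enforced (permissive=0), while the PROCTITLE record, hex-encoded because the argv contains NUL separators, shows what the denied process was invoked as. The parser below is an added example written for this page, not code from the selinux-policy or systemd projects; the audit lines it embeds are the two events quoted in "Actual results" (rejoined onto one line each), and the mapping of systemd-coredump's arguments to core_pattern fields (%P %u %g %s %t %c %h) is an assumption based on the seven arguments visible in those records.

```python
"""Parse SELinux AVC denials like the ones in RHEL-39937 into a denial summary.

Added example for this ticket, not project code. The audit records below are
the two events from the ticket; the parsing, grouping and argv interpretation
are constructed here.
"""
import re
import signal
from collections import Counter

# The PROCTITLE and AVC records copied from the ticket's "Actual results".
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1717437168.120:131): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D636F726564756D700031303232390030003000313100313731373433373136380031383434363734343037333730393535313631350064656C6C2D7065723732302D30312E726874732E656E672E70656B322E7265646861742E636F6D
type=AVC msg=audit(1717437168.120:131): avc: denied { read } for pid=10241 comm="systemd-coredum" dev="nsfs" ino=4026531841 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1717437168.130:132): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D636F726564756D700031303233320030003000313100313731373433373136380031383434363734343037333730393535313631350064656C6C2D7065723732302D30312E726874732E656E672E70656B322E7265646861742E636F6D
type=AVC msg=audit(1717437168.130:132): avc: denied { read } for pid=10246 comm="systemd-coredum" dev="nsfs" ino=4026531841 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")

# Assumed layout of systemd's core_pattern helper arguments:
# |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
COREDUMP_ARGS = ("pid", "uid", "gid", "signal", "timestamp", "rlimit_core", "hostname")


def _event_id(line):
    """Audit serial number; all records of one event share it."""
    m = MSG_RE.search(line)
    return m.group(2) if m else None


def _type(ctx):
    """Extract the type from a user:role:type:level context string."""
    return ctx.split(":")[2] if ctx and ctx.count(":") >= 2 else ctx


def decode_proctitle(line):
    """Decode a PROCTITLE record's argv (hex-encoded when it contains NULs)."""
    m = re.search(r'proctitle=([0-9A-Fa-f]+)|proctitle="([^"]*)"', line)
    if not m:
        return None
    if m.group(1):
        return bytes.fromhex(m.group(1)).decode("utf-8", "replace").split("\0")
    return [m.group(2)]


def parse_avc(line):
    """Return the access-vector tuple of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "event": _event_id(line),
        "verdict": verdict,
        "perms": tuple(perms.split()),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=0 means the access was actually refused, not just logged
        "enforced": fields.get("permissive") == "0",
    }


def describe_coredump_argv(argv):
    """Map a systemd-coredump helper argv onto the assumed core_pattern fields."""
    if not argv or not argv[0].endswith("systemd-coredump") or len(argv) < 8:
        return None
    info = dict(zip(COREDUMP_ARGS, argv[1:8]))
    try:
        info["signal_name"] = signal.Signals(int(info["signal"])).name
    except (ValueError, AttributeError):
        info["signal_name"] = "unknown"
    return info


def summarize(audit_text):
    """Attach decoded argv to each AVC by serial number and count denial tuples."""
    titles, denials = {}, []
    for line in audit_text.splitlines():
        if "type=PROCTITLE" in line:
            titles[_event_id(line)] = decode_proctitle(line)
        elif "type=AVC" in line:
            rec = parse_avc(line)
            if rec:
                rec["argv"] = titles.get(rec["event"])
                denials.append(rec)
    counts = Counter(
        (_type(r["scontext"]), _type(r["tcontext"]), r["tclass"], r["perms"])
        for r in denials if r["verdict"] == "denied"
    )
    return denials, counts


if __name__ == "__main__":
    denials, counts = summarize(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perms), n in counts.items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    for rec in denials:
        info = describe_coredump_argv(rec["argv"])
        if info:
            print(f"  pid {rec['pid']}: dumping pid {info['pid']} after "
                  f"signal {info['signal']} ({info['signal_name']}) on {info['hostname']}")
```

Run stand-alone, it collapses the two events into one tuple, `2x systemd_coredump_t -> nsfs_t:file { read }`, which is the shape of the rule the policy fix must provide (and the shape `audit2allow` would print), and shows from the decoded argv that each denied helper was handling a signal 11 crash, matching the ticket's "when a segfault appears". The same `summarize()` can be fed the output of `ausearch -m AVC,PROCTITLE --raw` to triage a longer log.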

              rhn-support-zpytela Zdenek Pytela
              chuhu@redhat.com Hu Chunyu
              Michal Sekletar
              Zdenek Pytela
              Milos Malik
              Votes: 0
              Watchers: 16