[RHEL-44680] [rhel-9] SELinux prevents sbd from using sys_ptrace in cap_userns - Red Hat Issue Tracker

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.5
Component/s: selinux-policy
Labels:
None

Fixed in Build:
selinux-policy-38.1.41-1.el9
Regression:
None
Severity:
None
Epic Link:
SELINUX-3400

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
20
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Acceptance Criteria:

Hide

SELinux policy allows the processes running under sbd_t to use sys_ptrace capability in user namespaces.

Show
SELinux policy allows the processes running under sbd_t to use sys_ptrace capability in user namespaces.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/133202
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:
Architecture:

x86_64

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Run regression tests for SBD component on RHEL9.5.

Please provide the package NVR for which bug is seen:

selinux-policy-38.1.38-1.el9.noarch

How reproducible:

always

Steps to reproduce

Set up and use SBD as a fencing method in the cluster - see for example test job https://beaker.cluster-qe.lab.eng.brq.redhat.com/bkr/jobs/157679.

Looks like the functionality itself is not endangered (test passed), however AVC denials are generated.

SBD package has the same version as in RHEL9.4 (sbd-1.5.2-1.el9.x86_64), where no AVCs were present.

Expected results

No AVC denials

Actual results

time->Tue Jun 4 14:19:23 2024 type=PROCTITLE msg=audit(1717503563.844:821): proctitle=2F7573722F7362696E2F7362640071756572792D7761746368646F67 type=SYSCALL msg=audit(1717503563.844:821): arch=c000003e syscall=89 success=no exit=-13 a0=7ffcb67f3b10 a1=7ffcb67f3900 a2=ff a3=7fb806bb13e0 items=0 ppid=55785 pid=55786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sbd" exe="/usr/sbin/sbd" subj=system_u:system_r:sbd_t:s0 key=(null) type=AVC msg=audit(1717503563.844:821): avc: denied { sys_ptrace } for pid=55786 comm="sbd" capability=19 scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:sbd_t:s0 tclass=cap_userns permissive=0

full AVC log: http://beaker.cluster-qe.lab.eng.brq.redhat.com/logs/2024/06/1576/157679/499960/1323219/3566939/avc.log

clones

RHEL-39989 [rhel-10] SELinux prevents sbd from using sys_ptrace in cap_userns

Release Pending

links to

RHBA-2024:130707 selinux-policy bug fix and enhancement update

TCMS Test Case 533281

Assignee:: Zdenek Pytela

Reporter:: Michal Mazourek

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/06/24 1:14 PM

Updated:: 2024/11/12 9:39 AM

Resolved:: 2024/11/12 9:39 AM

Target end:: 2024/07/15

Release Date:: 2024/11/12

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide