Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-45245

[RHEL-9.5] SELinux denials appear when sd-parse-elf is executed by systemd-coredump

    • selinux-policy-38.1.42-1.el9
    • None
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 21
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The automated TC does not trigger any SELinux denials. There are no errors produced by the systemd-coredump processes in the systemd journal.

      Show
      The automated TC does not trigger any SELinux denials. There are no errors produced by the systemd-coredump processes in the systemd journal.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • x86_64
    • None

      What were you trying to do that didn't work?

      run beaker job on rhel-9.5, and some avc denies showing up on the job result page.
      Job: https://beaker.engineering.redhat.com/recipes/16420849#task179637881 

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.40-1.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1.  install the host with rhel-9.5
      2.  
      3.  

      Expected results

      No avc check failures

      Actual results

      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Memory protection checking:     actual (secure)
      Max kernel policy version:      33
      selinux-policy-38.1.40-1.el9.noarch
      ----
      time->Tue Jun 25 19:49:26 2024
      type=PROCTITLE msg=audit(1719359366.119:205): proctitle="(sd-parse-elf)"
      type=SYSCALL msg=audit(1719359366.119:205): arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7ff9f3689000 a3=0 items=0 ppid=4168 pid=4188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-parse-elf)" exe="/usr/lib/systemd/systemd-coredump" subj=system_u:system_r:systemd_coredump_t:s0 key=(null)
      type=AVC msg=audit(1719359366.119:205): avc:  denied  { sys_resource } for  pid=4188 comm="(sd-parse-elf)" capability=24  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
      ----
      time->Tue Jun 25 19:49:26 2024
      type=PROCTITLE msg=audit(1719359366.124:206): proctitle="(sd-parse-elf)"
      type=SYSCALL msg=audit(1719359366.124:206): arch=c000003e syscall=308 success=no exit=-1 a0=7 a1=20000 a2=fffffff7 a3=7ffd8cf96730 items=0 ppid=4168 pid=4188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-parse-elf)" exe="/usr/lib/systemd/systemd-coredump" subj=system_u:system_r:systemd_coredump_t:s0 key=(null)
      type=AVC msg=audit(1719359366.124:206): avc:  denied  { sys_admin } for  pid=4188 comm="(sd-parse-elf)" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0 

              rhn-support-zpytela Zdenek Pytela
              yinchang0124 Chang Yin
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved: