Loading...

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.4
Component/s: selinux-policy
Labels:
- dependent-component
- systemd-selinux

Fixed in Build:
selinux-policy-38.1.43-1.el9
Regression:
None
Severity:
None
Epic Link:
SELINUX-3400

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
23
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Acceptance Criteria:

Hide

The automated test does not trigger SELinux denials when executed in RHIVOS environment.

Show
The automated test does not trigger SELinux denials when executed in RHIVOS environment.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/130707
Test Coverage:
None

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

selinux-policy/Regression/systemd-pstore test

Please provide the package NVR for which bug is seen:

selinux-policy-38.1.35-2.el9_4.noarch
selinux-policy-devel-38.1.35-2.el9_4.noarch
selinux-policy-minimum-38.1.35-2.el9_4.noarch
selinux-policy-mls-38.1.35-2.el9_4.noarch
selinux-policy-targeted-38.1.35-2.el9_4.noarch

How reproducible:

every time

Steps to reproduce

Execute /regression/systemd-pstore test
inspect logs

Expected results

no failures

Actual results

https://artifacts.osci.redhat.com/testing-farm/9c4774a6-2eb3-4889-9c0c-7b443c6e57aa/

Test failure :: real scenario – standalone service

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 18:32:57 ] :: [   LOG    ] :: rlSEAVCCheck: Search for AVCs, USER_AVCs, SELINUX_ERRs, and USER_SELINUX_ERRs since timestamp 'TIMESTAMP' [06/24/2024 18:32:24]
----
type=PROCTITLE msg=audit(06/24/2024 18:32:36.742:2420) : proctitle=/usr/lib/systemd/systemd-pstore 
type=PATH msg=audit(06/24/2024 18:32:36.742:2420) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/24/2024 18:32:36.742:2420) : cwd=/ 
type=SOCKADDR msg=audit(06/24/2024 18:32:36.742:2420) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
type=SYSCALL msg=audit(06/24/2024 18:32:36.742:2420) : arch=aarch64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffdeae4f18 a2=0x1e a3=0xffa5ef950020 items=1 ppid=1 pid=288863 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
type=AVC msg=audit(06/24/2024 18:32:36.742:2420) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(06/24/2024 18:32:36.742:2421) : proctitle=/usr/lib/systemd/systemd-pstore 
type=PATH msg=audit(06/24/2024 18:32:36.742:2421) : item=0 name=/dev/kmsg inode=8 dev=00:05 mode=character,644 ouid=root ogid=root rdev=01:0b obj=system_u:object_r:kmsg_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/24/2024 18:32:36.742:2421) : cwd=/ 
type=SYSCALL msg=audit(06/24/2024 18:32:36.742:2421) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffa5f0a3d8e0 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=288863 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
type=AVC msg=audit(06/24/2024 18:32:36.742:2421) : avc:  denied  \{ write } for  pid=288863 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(06/24/2024 18:32:36.742:2422) : proctitle=/usr/lib/systemd/systemd-pstore 
type=PATH msg=audit(06/24/2024 18:32:36.742:2422) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/24/2024 18:32:36.742:2422) : cwd=/ 
type=SOCKADDR msg=audit(06/24/2024 18:32:36.742:2422) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
type=SYSCALL msg=audit(06/24/2024 18:32:36.742:2422) : arch=aarch64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffdeae4e40 a2=MSG_NOSIGNAL a3=0xffa5ef950020 items=1 ppid=1 pid=288863 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
type=AVC msg=audit(06/24/2024 18:32:36.742:2422) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(06/24/2024 18:32:44.102:2429) : proctitle=/usr/lib/systemd/systemd-pstore 
type=PATH msg=audit(06/24/2024 18:32:44.102:2429) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/24/2024 18:32:44.102:2429) : cwd=/ 
type=SOCKADDR msg=audit(06/24/2024 18:32:44.102:2429) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
type=SYSCALL msg=audit(06/24/2024 18:32:44.102:2429) : arch=aarch64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffe124aae8 a2=0x1e a3=0xffeea9e78020 items=1 ppid=1 pid=289466 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
type=AVC msg=audit(06/24/2024 18:32:44.102:2429) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(06/24/2024 18:32:44.102:2430) : proctitle=/usr/lib/systemd/systemd-pstore 
type=PATH msg=audit(06/24/2024 18:32:44.102:2430) : item=0 name=/dev/kmsg inode=8 dev=00:05 mode=character,644 ouid=root ogid=root rdev=01:0b obj=system_u:object_r:kmsg_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/24/2024 18:32:44.102:2430) : cwd=/ 
type=SYSCALL msg=audit(06/24/2024 18:32:44.102:2430) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffeeaaf658e0 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=289466 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
type=AVC msg=audit(06/24/2024 18:32:44.102:2430) : avc:  denied  \{ write } for  pid=289466 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(06/24/2024 18:32:44.102:2431) : proctitle=/usr/lib/systemd/systemd-pstore 
type=PATH msg=audit(06/24/2024 18:32:44.102:2431) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/24/2024 18:32:44.102:2431) : cwd=/ 
type=SOCKADDR msg=audit(06/24/2024 18:32:44.102:2431) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
type=SYSCALL msg=audit(06/24/2024 18:32:44.102:2431) : arch=aarch64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffe124aa10 a2=MSG_NOSIGNAL a3=0xffeea9e78020 items=1 ppid=1 pid=289466 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
type=AVC msg=audit(06/24/2024 18:32:44.102:2431) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
:: [ 18:32:57 ] :: [   INFO   ] :: rlSEAVCCheck: ignoring patterns:
:: [ 18:32:57 ] :: [   INFO   ] :: rlSEAVCCheck:     type=USER_AVC.*received (policyload|setenforce) notice
---==============---
UNEXPECTED MESSAGES:
type=AVC msg=audit(06/24/2024 18:32:36.742:2420) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
type=AVC msg=audit(06/24/2024 18:32:36.742:2421) : avc:  denied  \{ write } for  pid=288863 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(06/24/2024 18:32:36.742:2422) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
type=AVC msg=audit(06/24/2024 18:32:44.102:2429) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
type=AVC msg=audit(06/24/2024 18:32:44.102:2430) : avc:  denied  \{ write } for  pid=289466 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(06/24/2024 18:32:44.102:2431) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
---==============---
:: [ 18:32:57 ] :: [   FAIL   ] :: Check there are no unexpected AVCs/ERRORs (Assert: expected 0, got 1)
Redirecting to /bin/systemctl status systemd-pstore.service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 2s
::   Assertions: 0 good, 1 bad
::   RESULT: WARN (Cleanup)

links to

github pr

RHBA-2024:130707 selinux-policy bug fix and enhancement update

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Activity

People

Dates