Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-45528

SELinux prevents systemd-pstore from writing to /dev/kmsg and systemd journal socket

    • selinux-policy-38.1.43-1.el9
    • None
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 23
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The automated test does not trigger SELinux denials when executed in RHIVOS environment.

      Show
      The automated test does not trigger SELinux denials when executed in RHIVOS environment.
    • Pass
    • None
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

      selinux-policy/Regression/systemd-pstore test

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.35-2.el9_4.noarch
      selinux-policy-devel-38.1.35-2.el9_4.noarch
      selinux-policy-minimum-38.1.35-2.el9_4.noarch
      selinux-policy-mls-38.1.35-2.el9_4.noarch
      selinux-policy-targeted-38.1.35-2.el9_4.noarch

      How reproducible:

      every time

      Steps to reproduce

      1. Execute /regression/systemd-pstore test
      2. inspect logs

      Expected results

      no failures

      Actual results

      https://artifacts.osci.redhat.com/testing-farm/9c4774a6-2eb3-4889-9c0c-7b443c6e57aa/

      Test failureĀ  :: real scenario – standalone service

      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Cleanup
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      
      :: [ 18:32:57 ] :: [   LOG    ] :: rlSEAVCCheck: Search for AVCs, USER_AVCs, SELINUX_ERRs, and USER_SELINUX_ERRs since timestamp 'TIMESTAMP' [06/24/2024 18:32:24]
      ----
      type=PROCTITLE msg=audit(06/24/2024 18:32:36.742:2420) : proctitle=/usr/lib/systemd/systemd-pstore 
      type=PATH msg=audit(06/24/2024 18:32:36.742:2420) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/24/2024 18:32:36.742:2420) : cwd=/ 
      type=SOCKADDR msg=audit(06/24/2024 18:32:36.742:2420) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
      type=SYSCALL msg=audit(06/24/2024 18:32:36.742:2420) : arch=aarch64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffdeae4f18 a2=0x1e a3=0xffa5ef950020 items=1 ppid=1 pid=288863 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
      type=AVC msg=audit(06/24/2024 18:32:36.742:2420) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      ----
      type=PROCTITLE msg=audit(06/24/2024 18:32:36.742:2421) : proctitle=/usr/lib/systemd/systemd-pstore 
      type=PATH msg=audit(06/24/2024 18:32:36.742:2421) : item=0 name=/dev/kmsg inode=8 dev=00:05 mode=character,644 ouid=root ogid=root rdev=01:0b obj=system_u:object_r:kmsg_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/24/2024 18:32:36.742:2421) : cwd=/ 
      type=SYSCALL msg=audit(06/24/2024 18:32:36.742:2421) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffa5f0a3d8e0 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=288863 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
      type=AVC msg=audit(06/24/2024 18:32:36.742:2421) : avc:  denied  \{ write } for  pid=288863 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
      ----
      type=PROCTITLE msg=audit(06/24/2024 18:32:36.742:2422) : proctitle=/usr/lib/systemd/systemd-pstore 
      type=PATH msg=audit(06/24/2024 18:32:36.742:2422) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/24/2024 18:32:36.742:2422) : cwd=/ 
      type=SOCKADDR msg=audit(06/24/2024 18:32:36.742:2422) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
      type=SYSCALL msg=audit(06/24/2024 18:32:36.742:2422) : arch=aarch64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffdeae4e40 a2=MSG_NOSIGNAL a3=0xffa5ef950020 items=1 ppid=1 pid=288863 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
      type=AVC msg=audit(06/24/2024 18:32:36.742:2422) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      ----
      type=PROCTITLE msg=audit(06/24/2024 18:32:44.102:2429) : proctitle=/usr/lib/systemd/systemd-pstore 
      type=PATH msg=audit(06/24/2024 18:32:44.102:2429) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/24/2024 18:32:44.102:2429) : cwd=/ 
      type=SOCKADDR msg=audit(06/24/2024 18:32:44.102:2429) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
      type=SYSCALL msg=audit(06/24/2024 18:32:44.102:2429) : arch=aarch64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffe124aae8 a2=0x1e a3=0xffeea9e78020 items=1 ppid=1 pid=289466 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
      type=AVC msg=audit(06/24/2024 18:32:44.102:2429) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      ----
      type=PROCTITLE msg=audit(06/24/2024 18:32:44.102:2430) : proctitle=/usr/lib/systemd/systemd-pstore 
      type=PATH msg=audit(06/24/2024 18:32:44.102:2430) : item=0 name=/dev/kmsg inode=8 dev=00:05 mode=character,644 ouid=root ogid=root rdev=01:0b obj=system_u:object_r:kmsg_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/24/2024 18:32:44.102:2430) : cwd=/ 
      type=SYSCALL msg=audit(06/24/2024 18:32:44.102:2430) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffeeaaf658e0 a2=O_WRONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=289466 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
      type=AVC msg=audit(06/24/2024 18:32:44.102:2430) : avc:  denied  \{ write } for  pid=289466 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
      ----
      type=PROCTITLE msg=audit(06/24/2024 18:32:44.102:2431) : proctitle=/usr/lib/systemd/systemd-pstore 
      type=PATH msg=audit(06/24/2024 18:32:44.102:2431) : item=0 name=/run/systemd/journal/socket inode=35 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:syslogd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/24/2024 18:32:44.102:2431) : cwd=/ 
      type=SOCKADDR msg=audit(06/24/2024 18:32:44.102:2431) : saddr=\{ saddr_fam=local path=/run/systemd/journal/socket } 
      type=SYSCALL msg=audit(06/24/2024 18:32:44.102:2431) : arch=aarch64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0xffffe124aa10 a2=MSG_NOSIGNAL a3=0xffeea9e78020 items=1 ppid=1 pid=289466 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-pstore exe=/usr/lib/systemd/systemd-pstore subj=system_u:system_r:systemd_pstore_t:s0 key=(null) 
      type=AVC msg=audit(06/24/2024 18:32:44.102:2431) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      :: [ 18:32:57 ] :: [   INFO   ] :: rlSEAVCCheck: ignoring patterns:
      :: [ 18:32:57 ] :: [   INFO   ] :: rlSEAVCCheck:     type=USER_AVC.*received (policyload|setenforce) notice
      ---==============---
      UNEXPECTED MESSAGES:
      type=AVC msg=audit(06/24/2024 18:32:36.742:2420) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      type=AVC msg=audit(06/24/2024 18:32:36.742:2421) : avc:  denied  \{ write } for  pid=288863 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
      type=AVC msg=audit(06/24/2024 18:32:36.742:2422) : avc:  denied  \{ sendto } for  pid=288863 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      type=AVC msg=audit(06/24/2024 18:32:44.102:2429) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      type=AVC msg=audit(06/24/2024 18:32:44.102:2430) : avc:  denied  \{ write } for  pid=289466 comm=systemd-pstore name=kmsg dev="devtmpfs" ino=8 scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 
      type=AVC msg=audit(06/24/2024 18:32:44.102:2431) : avc:  denied  \{ sendto } for  pid=289466 comm=systemd-pstore path=/run/systemd/journal/socket scontext=system_u:system_r:systemd_pstore_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 
      ---==============---
      :: [ 18:32:57 ] :: [   FAIL   ] :: Check there are no unexpected AVCs/ERRORs (Assert: expected 0, got 1)
      Redirecting to /bin/systemctl status systemd-pstore.service
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Duration: 2s
      ::   Assertions: 0 good, 1 bad
      ::   RESULT: WARN (Cleanup) 

              rhn-support-zpytela Zdenek Pytela
              rhn-support-bgrech Brian Grech
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: