-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-9.5
-
No
-
Low
-
2
-
rhel-security-selinux
-
ssg_security
-
1
-
False
-
False
-
-
No
-
SELINUX 251119: 15, SELINUX 260107: 16
-
None
-
None
-
Unspecified Release Note Type - Unknown
-
Unspecified
-
Unspecified
-
Unspecified
-
None
Whenever a systemd unit file runs with the setting
NoNewPrivileges=yes
SELinux blocks the nnp_transition. While the application or command still runs, this makes the use of this setting completely uneffective.
For example:
# systemd-run -p NoNewPrivileges=yes --wait /bin/sh -c "dmesg" # ausearch -m avc,selinux_err -ts recent -i [...] type=PROCTITLE msg=audit(04/17/2025 09:48:25.501:689) : proctitle=dmesg type=PATH msg=audit(04/17/2025 09:48:25.501:689) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=33916544 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(04/17/2025 09:48:25.501:689) : cwd=/ type=EXECVE msg=audit(04/17/2025 09:48:25.501:689) : argc=1 a0=dmesg type=SYSCALL msg=audit(04/17/2025 09:48:25.501:689) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5556210a2ee0 a1=0x5556210a3810 a2=0x5556210a12c0 a3=0x8 items=1 ppid=1 pid=30561 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmesg exe=/usr/bin/dmesg subj=system_u:system_r:initrc_t:s0 key=(null) type=SELINUX_ERR msg=audit(04/17/2025 09:48:25.501:689) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dmesg_t:s0 type=AVC msg=audit(04/17/2025 09:48:25.501:689) : avc: denied { nnp_transition } for pid=30561 comm=sh scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=process2 permissive=0
There is no boolean to control this, if a user wants to allow nnp_transition they must manually do so (with a custom SELinux module) for each domain that needs to use nnp.
