On Fedora 38+ we get a lot of issues with SELinux policy when Python's platform detection code attempts to read /sys/devices/system/cpu/possible.
test_integration/test_installation.py:992: XFailed
------------------------------ Captured stdout call ------------------------------
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc: denied { read } for pid=14264 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc: denied { open } for pid=14264 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc: denied { read } for pid=14391 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc: denied { open } for pid=14391 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15246]: AVC avc: denied { read } for pid=15246 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15246]: AVC avc: denied { open } for pid=15246 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15322]: AVC avc: denied { read } for pid=15322 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15322]: AVC avc: denied { open } for pid=15322 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:45 master.ipa.test audit[15969]: AVC avc: denied { read } for pid=15969 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:45 master.ipa.test audit[15969]: AVC avc: denied { open } for pid=15969 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:46 master.ipa.test audit[15983]: AVC avc: denied { read } for pid=15983 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:46 master.ipa.test audit[15983]: AVC avc: denied { open } for pid=15983 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:44:53 master.ipa.test audit[16638]: AVC avc: denied { read } for pid=16638 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:44:53 master.ipa.test audit[16638]: AVC avc: denied { open } for pid=16638 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:45:05 master.ipa.test audit[16789]: AVC avc: denied { read } for pid=16789 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:45:05 master.ipa.test audit[16789]: AVC avc: denied { open } for pid=16789 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:25 master.ipa.test audit[17702]: AVC avc: denied { read } for pid=17702 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:25 master.ipa.test audit[17702]: AVC avc: denied { open } for pid=17702 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:29 master.ipa.test audit[17791]: AVC avc: denied { read } for pid=17791 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:29 master.ipa.test audit[17791]: AVC avc: denied { open } for pid=17791 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:30 master.ipa.test audit[17806]: AVC avc: denied { read } for pid=17806 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:30 master.ipa.test audit[17806]: AVC avc: denied { open } for pid=17806 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:47:44 master.ipa.test audit[18045]: AVC avc: denied { read } for pid=18045 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:47:44 master.ipa.test audit[18045]: AVC avc: denied { open } for pid=18045 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
This is the same problem firewalld encountered in 2022; a solution is to extend the corresponding contexts to not just search sysfs but to allow reading values from it. See this SELinux policy pull request for details: https://github.com/fedora-selinux/selinux-policy/pull/1260
The fix is basically
-dev_search_sysfs(firewalld_t)
+dev_read_sysfs(firewalld_t)
where we should use our own contexts (the scontext field in the AVCs above).
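An added triage script, not part of this ticket or of FreeIPA, that parses AVC lines of the shape captured above, groups the denials by source type, target type and object class, and emits the policy change the ticket describes (dev_read_sysfs() for each of our own contexts), falling back to a raw allow rule where no interface mapping applies. The sample log lines are constructed from the captured output above; the permission set that dev_read_sysfs() is taken to cover is an assumption based on refpolicy's read_files_pattern and should be checked against the installed policy's dev.if.

```python
import re
from collections import defaultdict

# Constructed sample: four lines in the shape of the ticket's captured stdout
# (contexts and comm values are the ticket's; pids and inode are placeholders).
SAMPLE_AVC = """\
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc: denied { read } for pid=14264 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc: denied { open } for pid=14264 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc: denied { read } for pid=14391 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc: denied { open } for pid=14391 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Matches the fields we need from an "avc: denied" record; other lines are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# Permissions refpolicy's dev_read_sysfs() grants on sysfs_t files
# (read_files_pattern). Assumed here; confirm against your policy's dev.if.
SYSFS_READ_PERMS = frozenset({"getattr", "open", "read", "ioctl", "lock"})


def parse_avc(text):
    """Return one dict per AVC denial line, with the type part of each context split out."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = frozenset(d["perms"].split())
        # permissive=1 means the denial was only logged, not enforced.
        d["permissive"] = d["permissive"] == "1"
        # A context is user:role:type:level; the type is what policy rules name.
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def enforced(denials):
    """Denials that actually blocked the process (permissive=0 or flag absent)."""
    return [d for d in denials if not d["permissive"]]


def summarize(denials):
    """Union the denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {key: frozenset(perms) for key, perms in groups.items()}


def suggest_policy(summary):
    """Emit the interface call the ticket's fix uses, or a raw allow rule as a fallback."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        if ttype == "sysfs_t" and tclass == "file" and perms <= SYSFS_READ_PERMS:
            rules.append(f"dev_read_sysfs({stype})")
        else:
            # What audit2allow would produce; broader interfaces are usually preferable.
            rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    print(f"{len(found)} denials, {len(enforced(found))} enforced")
    for rule in suggest_policy(summarize(found)):
        print(rule)
```

Because every line in the ticket carries permissive=1, enforced() returns nothing for this sample: the services were not actually blocked during that run, which is why the test was only xfailed rather than failing outright. On a host in enforcing mode the same lines would show permissive=0 and the processes would get EACCES on the open.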
Metadata Update from @ftrivino: - Issue assigned to ftrivino
Metadata Update from @ftrivino: - Assignee reset
Metadata Update from @ftrivino: - Issue assigned to rjeffman
master:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)