#9386 Update SELinux policy
Closed: fixed a year ago by frenaud. Opened a year ago by abbra.

On Fedora 38+ we get a lot of issues with SELinux policy when Python's platform detection code attempts to read /sys/devices/system/cpu/possible.

test_integration/test_installation.py:992: XFailed
 ------------------------------Captured stdout call------------------------------ 
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc:  denied  { read } for  pid=14264 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc:  denied  { open } for  pid=14264 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc:  denied  { read } for  pid=14391 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc:  denied  { open } for  pid=14391 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15246]: AVC avc:  denied  { read } for  pid=15246 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15246]: AVC avc:  denied  { open } for  pid=15246 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15322]: AVC avc:  denied  { read } for  pid=15322 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:42:39 master.ipa.test audit[15322]: AVC avc:  denied  { open } for  pid=15322 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:45 master.ipa.test audit[15969]: AVC avc:  denied  { read } for  pid=15969 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:45 master.ipa.test audit[15969]: AVC avc:  denied  { open } for  pid=15969 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:46 master.ipa.test audit[15983]: AVC avc:  denied  { read } for  pid=15983 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:43:46 master.ipa.test audit[15983]: AVC avc:  denied  { open } for  pid=15983 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:44:53 master.ipa.test audit[16638]: AVC avc:  denied  { read } for  pid=16638 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:44:53 master.ipa.test audit[16638]: AVC avc:  denied  { open } for  pid=16638 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:45:05 master.ipa.test audit[16789]: AVC avc:  denied  { read } for  pid=16789 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:45:05 master.ipa.test audit[16789]: AVC avc:  denied  { open } for  pid=16789 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:25 master.ipa.test audit[17702]: AVC avc:  denied  { read } for  pid=17702 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:25 master.ipa.test audit[17702]: AVC avc:  denied  { open } for  pid=17702 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:29 master.ipa.test audit[17791]: AVC avc:  denied  { read } for  pid=17791 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:29 master.ipa.test audit[17791]: AVC avc:  denied  { open } for  pid=17791 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:30 master.ipa.test audit[17806]: AVC avc:  denied  { read } for  pid=17806 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:46:30 master.ipa.test audit[17806]: AVC avc:  denied  { open } for  pid=17806 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:47:44 master.ipa.test audit[18045]: AVC avc:  denied  { read } for  pid=18045 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:47:44 master.ipa.test audit[18045]: AVC avc:  denied  { open } for  pid=18045 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

This is the same problem that firewalld encountered in 2022; a solution is to extend the corresponding contexts to not just search sysfs but to allow reading values from it. See this SELinux policy pull request for details: https://github.com/fedora-selinux/selinux-policy/pull/1260

The fix is basically

-dev_search_sysfs(firewalld_t)
+dev_read_sysfs(firewalld_t)
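Review bot: the substitution in this hunk is for firewalld_t, while the denied domains in this ticket are ipa_ods_exporter_t and ipa_dnskey_t (the scontext values in the AVCs above), so the same `dev_search_sysfs` to `dev_read_sysfs` change has to be made for both of those types in the IPA policy. Be aware that `dev_read_sysfs` grants read on every `sysfs_t` file, not only `/sys/devices/system/cpu/possible`; that is wider than the two AVCs strictly need, but it is the route the linked firewalld fix took and there is no narrower type for that file.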

where we should use our own contexts (the types in the scontext field of the AVCs above).
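As an added example (not code from the ticket or from FreeIPA), a small Python triage script that parses AVC lines like the ones above into (source type, target type, class, permissions) and proposes the interface call to add for each source type. The interface table and the permission set it grants are assumptions of the example and cover only the sysfs_t case from this ticket.

```python
import re
from collections import defaultdict

# Two of the twelve AVC pairs from the ticket's captured audit output (the
# others differ only in timestamp and pid), embedded here as sample input.
SAMPLE_AVCS = """\
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc:  denied  { read } for  pid=14264 comm="ipa-ods-exporte" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:13 master.ipa.test audit[14264]: AVC avc:  denied  { open } for  pid=14264 comm="ipa-ods-exporte" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc:  denied  { read } for  pid=14391 comm="ipa-dnskeysyncd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
May 28 09:41:19 master.ipa.test audit[14391]: AVC avc:  denied  { open } for  pid=14391 comm="ipa-dnskeysyncd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Pull the permissions, source type, target type and object class out of one
# AVC line; the user, role and level parts of both contexts are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avcs(text):
    """Aggregate denials into {(source type, target type, class): {perms}}."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            needed[key].update(m["perms"].split())
    return dict(needed)


# (target type, class, permissions the interface grants, interface name).
# Assumption of this example: dev_read_sysfs grants refpolicy read_file_perms.
INTERFACES = [
    ("sysfs_t", "file", {"getattr", "open", "read", "lock", "ioctl"}, "dev_read_sysfs"),
]


def suggest_interfaces(needed):
    """Map each aggregated denial to an interface call for its source type."""
    suggestions = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        for iface_ttype, iface_class, granted, iface in INTERFACES:
            if (ttype, tclass) == (iface_ttype, iface_class) and perms <= granted:
                suggestions.append(f"{iface}({stype})")
                break
        else:  # nothing in the table covers this denial; flag it for manual review
            perm_list = " ".join(sorted(perms))
            suggestions.append(f"# unmapped: {stype} -> {ttype}:{tclass} {{ {perm_list} }}")
    return suggestions
```

Run against the full audit log rather than the sample, the output is the list of interface calls to add to the IPA policy, one per denied domain.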


Metadata Update from @ftrivino:
- Issue assigned to ftrivino

a year ago

Metadata Update from @ftrivino:
- Assignee reset

a year ago

Metadata Update from @ftrivino:
- Issue assigned to rjeffman

a year ago

master:

  • a78c47b selinux: Update SELinux policy

ipa-4-10:

  • 7bd370e selinux: Update SELinux policy

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
