SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

BUG: cgroupfs_label test noise #93

Closed pcmoore closed 3 months ago

pcmoore commented 4 months ago

When running the test suite I see the following noise from the "cgroupfs_label" test:

Running as user root with context unconfined_u:unconfined_r:unconfined_t

domain_trans/test ........... ok
 ...
glblub/test ................. ok
chcon: failed to change context of 'memory.pressure' to ‘unconfined_u:object_r:test_cgroup_t:s0’: Permission denied
cgroupfs_label/test ......... ok
 ...
All tests successful.
Files=78, Tests=1404, 256 wallclock secs ( 0.48 usr  0.11 sys + 11.72 cusr 26.63 csys = 38.94 CPU)
Result: PASS

I see the following related AVCs in the audit log:

type=AVC msg=audit(1721245560.941:1116): avc:  denied  { relabelfrom } for  pid=12204 comm="chcon" name="memory.pressure" dev="cgroup2" ino=5295 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cgroup_memory_pressure_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1721245560.941:1116): arch=c000003e syscall=189 success=no exit=-13 a0=7ffd42265070 a1=7f2ba932b197 a2=55fd3241db60 a3=27 items=0 ppid=11876 pid=12204 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=lsetxattr AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

This is on a current Fedora Rawhide system with the following:

% uname -a
Linux dev-rawhide-1.lan 6.10.0+ #29 SMP PREEMPT_DYNAMIC Wed Jul 17 13:15:34 EDT 2024 x86_64 GNU/Linux
% rpm -q selinux-policy
selinux-policy-41.8-4.fc41.noarch
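The AVC record above already names everything needed to state the missing rule: source type (from scontext), target type (from tcontext), object class and the denied permission set. The following is an added example, not code from the issue, the testsuite or Fedora's policy tooling: a small audit2allow-style parser that turns such records into the `allow` rules a policy author would write. The sample input is constructed here; the first AVC line is the one reported above, the second (a `dir` denial for a hypothetical caller) is invented to show that separate classes yield separate rules.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC record from the report above;
# lines 2 and 3 are made up for this example (a SYSCALL record that must be
# ignored, and a hypothetical dir-class denial for the same type pair).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1721245560.941:1116): avc:  denied  { relabelfrom } for  pid=12204 comm="chcon" name="memory.pressure" dev="cgroup2" ino=5295 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cgroup_memory_pressure_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1721245560.941:1116): arch=c000003e syscall=189 success=no exit=-13 comm="chcon" exe="/usr/bin/chcon"
type=AVC msg=audit(1721245599.000:1200): avc:  denied  { relabelfrom } for  pid=99999 comm="hypothetical" name="memory" dev="cgroup2" ino=4242 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cgroup_memory_pressure_t:s0 tclass=dir permissive=0
"""

# Matches the fields of a kernel AVC denial record. The permission set is
# the brace-delimited list after "denied"; scontext/tcontext are full
# security contexts (user:role:type[:range]); permissive is optional on
# older kernels.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type field of a security context (third colon-separated field)."""
    return ctx.split(':')[2]


def parse_avc_denials(text):
    """Extract AVC denials from raw audit text; non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            'perms': set(m['perms'].split()),
            'stype': context_type(m['scon']),
            'ttype': context_type(m['tcon']),
            'tclass': m['tclass'],
            # permissive=1 means the access was logged but not blocked
            'permissive': m['permissive'] == '1',
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        pstr = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {pstr};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT)):
        print(rule)
```

For the real record this yields `allow unconfined_t cgroup_memory_pressure_t:file relabelfrom;`. A relabel needs relabelfrom on the file's current type and relabelto on the new type; the audit log shows only the first denial, so the generated rule covers only that half, which is the usual limitation of deriving policy from denials one at a time. Whether such a rule belongs in the test policy at all is exactly the question the thread goes on to discuss.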

stephensmalley commented 3 months ago

It appears that Fedora is now labeling the memory.pressure pseudo file with its own type, and not allowing even unconfined domains to relabel that type. While we could allow this in the test policy, I'm not sure there is a precedent for this since this is NOT between any test domain or any test type. Historically there was an assumption that commands run from the test scripts can do anything since they are in unconfined_t.

stephensmalley commented 3 months ago

sesearch -A -t memory_pressure_t only shows this rule in the Fedora policy: allow init_t memory_pressure_t:file { create getattr open }; So unconfined_t has no permissions to it.

stephensmalley commented 3 months ago

The only current references to unconfined_t in the test policy are in policy/test_global.te, and those are just to allow unconfined_t to transition into all of the testsuite domains and allow the testsuite domains to inherit and use a pipe from the caller. Nothing that would allow interactions between unconfined_t and some other type in the base policy like this.

stephensmalley commented 3 months ago

Easiest fix would be just to suppress the error output from the chcon command in the cgroupfs_label/test script ala 2>/dev/null or similar. We do this in other places in other test scripts.

pcmoore commented 3 months ago

It appears that Fedora is now labeling the memory.pressure pseudo file with its own type, and not allowing even unconfined domains to relabel that type. While we could allow this in the test policy, I'm not sure there is a precedent for this since this is NOT between any test domain or any test type. Historically there was an assumption that commands run from the test scripts can do anything since they are in unconfined_t.

That was my takeaway based on the AVC record. As this wasn't actually preventing a successful run of the test suite I wanted to simply document it here in hopes someone else would have the time to chase it down and get it fixed, either in the Fedora policy or in the test suite.

pcmoore commented 3 months ago

@zpytela is this something that you can fix in the Fedora SELinux policy?

zpytela commented 3 months ago

In Fedora, we don't use memory_pressure_t but rather cgroup_memory_pressure_t. Still, the permission seems to be missing.

# sesearch -A -s unconfined_t -t cgroup_memory_pressure_t -c file 
allow crontab_domain cgroup_type:file { append create link rename setattr unlink watch watch_reads write };
allow login_userdomain cgroup_type:file { create getattr open watch };
allow nsswitch_domain cgroup_type:file { getattr ioctl lock open read };
allow unconfined_domain_type cgroup_type:file { getattr ioctl lock open read };

# sesearch -A -t memory_pressure_t
memory_pressure_t is not a valid type attribute

pcmoore commented 3 months ago

Perhaps the problem is that upstream refpolicy does define memory_pressure_t so upstream has this type hard coded somewhere?

zpytela commented 3 months ago

Yes, refpolicy uses a different type (and I suppose it does not completely work as expected either), anyway it is now fixed in rawhide, thanks for reporting.

pcmoore commented 3 months ago

Thanks @zpytela, what policy package version has the fix?

stephensmalley commented 3 months ago

Ok, apologies for confusing the matter - I had an old local policy module installed which defined a memory_pressure_t type and assigned it to those files back when I was trying to reproduce a problem with labeling those files identified in an earlier thread on the selinux list.

zpytela commented 3 months ago

what policy package version has the fix?

selinux-policy-41.11-1.fc41 https://bodhi.fedoraproject.org/updates/FEDORA-2024-fa03406b81 it will probably need a few more hours to get to all mirrors

pcmoore commented 3 months ago

I can confirm that selinux-policy-41.11-1.fc41 fixes the problem on my test system, closing this as resolved. Thanks for the help everyone!