fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Various systemd denials on Fedora Rawhide #2222

Closed DaanDeMeyer closed 1 month ago

DaanDeMeyer commented 1 month ago
```
Jul 09 10:01:51 fedora audit[413]: AVC avc:  denied  { setfscreate } for  pid=413 comm="systemd-debug-g" scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:systemd_debug_generator_t:s0 tclass=process permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { read } for  pid=414 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { open } for  pid=414 comm="systemd-fstab-g" path="/run/credentials/@system/fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { getattr } for  pid=414 comm="systemd-fstab-g" path="/run/credentials/@system/fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { getattr } for  pid=414 comm="systemd-fstab-g" path="/work" dev="sdb3" ino=347814194 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { search } for  pid=414 comm="systemd-fstab-g" name="work" dev="sdb3" ino=347814194 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jul 09 10:01:51 fedora audit[416]: AVC avc:  denied  { setfscreate } for  pid=416 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Jul 09 10:01:51 fedora audit[440]: AVC avc:  denied  { write } for  pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[440]: AVC avc:  denied  { setattr } for  pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[463]: AVC avc:  denied  { write } for  pid=463 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[463]: AVC avc:  denied  { setattr } for  pid=463 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:52 fedora audit[474]: AVC avc:  denied  { write } for  pid=474 comm="systemd-nsresou" name="memory.pressure" dev="cgroup2" ino=2901 scontext=system_u:system_r:systemd_nsresourced_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc:  denied  { connectto } for  pid=499 comm="(networkd)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
Jul 09 10:01:52 fedora audit[521]: AVC avc:  denied  { connectto } for  pid=521 comm="(tworkctl)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc:  denied  { read } for  pid=499 comm="systemd-network" path="/var/lib/systemd/network" dev="sdb3" ino=347781811 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc:  denied  { write } for  pid=499 comm="systemd-network" name="network" dev="sdb3" ino=347781811 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc:  denied  { getattr } for  pid=499 comm="systemd-network" path="/var/lib/systemd/network" dev="sdb3" ino=347781811 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
Jul 09 10:01:53 fedora audit[581]: AVC avc:  denied  { connectto } for  pid=581 comm="(emd-oomd)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
```

All of these are expected and triggered by using various features of systemd or util-linux and should be allowed by the policy.

To reproduce:

```sh
git clone https://github.com/systemd/mkosi
cd mkosi
sudo bin/mkosi -d fedora -r rawhide -p selinux-policy-targeted --selinux-relabel=auto -t disk -f qemu
journalctl -g AVC
```
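Triaging a batch of denials like the one above means more than feeding them to audit2allow: two of the patterns in this report are not fixed by an allow rule at all. A target type of `unlabeled_t` (the `/work` entries) means the filesystem was never labelled and wants a relabel, and a helper whose source context is `init_t` (`systemd-pcrexte`) never transitioned into a domain of its own and needs confining, exactly as the maintainer's reply says. The script below is an added example, not code from this issue, from selinux-policy or from systemd: it parses AVC lines, merges them into the allow rules audit2allow would propose (using `self` for same-type rules), and flags those two cases. `SAMPLE_AVCS` is a constructed subset of the lines quoted above; the function names and the "comm in parentheses is a systemd pre-exec child" heuristic are the example's own.

```python
"""Triage SELinux AVC denials from `journalctl -g AVC` or `ausearch -m avc`.

Added example for this issue thread; not code from selinux-policy or systemd.
Groups denials into candidate allow rules and flags the two cases where an
allow rule would paper over the real problem: a target of unlabeled_t (a
labelling problem) and a daemon running in init_t (a missing domain transition).
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the denials quoted in the issue.
SAMPLE_AVCS = """\
Jul 09 10:01:51 fedora audit[413]: AVC avc:  denied  { setfscreate } for  pid=413 comm="systemd-debug-g" scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:systemd_debug_generator_t:s0 tclass=process permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { read } for  pid=414 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { open } for  pid=414 comm="systemd-fstab-g" path="/run/credentials/@system/fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc:  denied  { getattr } for  pid=414 comm="systemd-fstab-g" path="/work" dev="sdb3" ino=347814194 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jul 09 10:01:51 fedora audit[440]: AVC avc:  denied  { write } for  pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc:  denied  { connectto } for  pid=499 comm="(networkd)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
"""

# 'avc:  denied  { read open } for  pid=414 comm="..." ...' -> permission set + key=value fields
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """user:role:type[:range] -> type. maxsplit keeps an MLS range such as s0-s0:c0.c1023 intact."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name") or "",
        "permissive": fields.get("permissive") == "1",  # 1: logged only, access was granted
    }


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items(), key=lambda kv: kv[0]):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};")
    return rules


def triage(denials):
    """Flag denials for which the allow rule above would be the wrong fix."""
    flags = []
    for d in denials:
        if d["ttype"] == "unlabeled_t":
            flags.append(f"{d['comm']}: {d['target']!r} is unlabeled_t; relabel the "
                         "filesystem rather than allowing access to unlabeled_t")
        # systemd renames a forked child to "(unit)" before exec, so "(networkd)" in
        # init_t is expected. A daemon whose comm is not parenthesised but still runs
        # in init_t never transitioned to its own domain (heuristic on the comm field).
        elif d["stype"] == "init_t" and not d["comm"].startswith("("):
            flags.append(f"{d['comm']}: runs in init_t, i.e. no domain transition; it "
                         "needs its own confined domain, not a wider init_t rule")
    return flags


if __name__ == "__main__":
    denials = parse_log(SAMPLE_AVCS)
    print(f"{len(denials)} denials, {sum(d['permissive'] for d in denials)} in permissive mode")
    print("\n".join(allow_rules(denials)))
    print("\n".join(triage(denials)))
```

Run it against `journalctl -g AVC` output from the reproducer to get a first cut of the rules a policy change would need, with the labelling and confinement cases separated out so they are not turned into allow rules by accident. Note that the `self`-rule and the parenthesised-comm heuristic are this example's conventions, not audit2allow's output format.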
zpytela commented 1 month ago

Please try the latest build: https://bodhi.fedoraproject.org/updates/FEDORA-2024-64134f8805

All except pcrextend, which needs confining, should be addressed.

DaanDeMeyer commented 1 month ago

These are fixed, thanks!