linux-application-whitelisting / fapolicyd-selinux

selinux policy for fapolicyd daemon

fapolicyd fails to start #7

Open mskarbek opened 3 years ago

mskarbek commented 3 years ago
Mar 24 13:39:44 localhost.localdomain systemd[1]: Starting File Access Policy Daemon...
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Initializing the database
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Database migration will be performed.
Mar 24 13:39:44 localhost.localdomain systemd[1]: Started File Access Policy Daemon.
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: fapolicyd integrity is 0
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Loading rpmdb backend
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Creating database
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Loading data from rpmdb backend
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Loading data from file backend
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Error (Permission denied) adding fanotify mark for /dev/shm
Mar 24 13:39:44 localhost.localdomain systemd[1]: fapolicyd.service: Main process exited, code=exited, status=1/FAILURE
Mar 24 13:39:44 localhost.localdomain systemd[1]: fapolicyd.service: Failed with result 'exit-code'.
type=AVC msg=audit(1616589584.786:1317): avc:  denied  { watch_mount watch_with_perm } for  pid=227009 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

Fedora 34 Beta

fapolicyd-1.0.2-2.fc34.x86_64 fapolicyd-selinux-1.0.2-2.fc34.noarch selinux-policy-targeted-3.14.7-26.fc34.noarch

radosroka commented 3 years ago

Hello,

the fix was already merged in https://github.com/linux-application-whitelisting/fapolicyd-selinux/pull/5. I will fix this in Fedora ASAP.

radosroka commented 3 years ago

Still waiting for a new selinux-policy build because there is a bug and I'm not able to build fapolicyd-selinux with the fix.

mskarbek commented 3 years ago

Updated to: https://koji.fedoraproject.org/koji/buildinfo?buildID=1731150

type=SERVICE_START msg=audit(1617382829.340:1299): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617382831.052:1300): avc:  denied  { watch_mount watch_with_perm } for  pid=122839 comm="fapolicyd" path="/boot" dev="nvme0n1p2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1617382831.060:1301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"

Same outcome for selinux-policy-targeted-3.14.7-29.fc34.noarch and selinux-policy-targeted-34-1.fc34.noarch.

radosroka commented 3 years ago

It should be fixed with fapolicyd-1.0.3-2.fc34 and selinux-policy-34-2.fc34.

mskarbek commented 3 years ago
type=SERVICE_START msg=audit(1617891990.645:2759): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617891992.051:2760): avc:  denied  { watch_mount watch_with_perm } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1617891992.061:2761): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
[root@localhost ~]# rpm -q selinux-policy-targeted fapolicyd
selinux-policy-targeted-34.2-1.fc34.noarch
fapolicyd-1.0.3-2.fc34.x86_64
mskarbek commented 3 years ago

I'll set up a VM with a similar configuration and let it run for a while in permissive mode to collect more data, because I see that this will take a while. I have forked fapolicyd-selinux and will make a PR. Reporting each denial separately is unproductive.
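In enforcing mode fapolicyd exits at the first fanotify mark that SELinux refuses, so the thread surfaces one target type per run (tmpfs_t, then boot_t, then container_var_lib_t); a permissive-mode run reports every denied mount at once. The helper below is an added example, not code from fapolicyd-selinux: it parses AVC records in the shape quoted above and merges all denials of one domain into candidate allow rules, one per target type and object class (what audit2allow does, shown here in a form that is easy to inspect). The audit text is constructed for the example, and the rules it prints are input for review against the policy, not something to install blindly.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of this issue's records: fapolicyd_t denials
# (two of them collected with permissive=1), plus a systemd record and an
# unrelated domain that must both be ignored.
SAMPLE_AUDIT = """\
type=SERVICE_START msg=audit(1617382829.340:1299): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" res=success'
type=AVC msg=audit(1616589584.786:1317): avc:  denied  { watch_mount watch_with_perm } for  pid=227009 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1617382831.052:1300): avc:  denied  { watch_mount watch_with_perm } for  pid=122839 comm="fapolicyd" path="/boot" dev="nvme0n1p2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1617891992.051:2760): avc:  denied  { watch_mount } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1617891992.052:2761): avc:  denied  { watch_with_perm } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1617891995.000:2762): avc:  denied  { write } for  pid=4242 comm="chronyd" path="/var/log/example.log" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value tokens of an audit record
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+) \}")   # the denied permission set in braces


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    if not line.startswith("type=AVC"):
        return None
    perms = PERMS_RE.search(line)
    fields = dict(KV_RE.findall(line))
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type:level; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], frozenset(perms.group(1).split())


def allow_rules(audit_text, domain="fapolicyd_t"):
    """Merge every denial of `domain` into one allow rule per (target type, class)."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        # permissive=1 records are kept on purpose: a permissive-mode run is
        # where the full set of missing permissions shows up in one go.
        if parsed and parsed[0] == domain:
            _, ttype, tclass, perms = parsed
            needed[(ttype, tclass)].update(perms)
    return [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```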

radosroka commented 3 years ago
type=SERVICE_START msg=audit(1617891990.645:2759): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617891992.051:2760): avc:  denied  { watch_mount watch_with_perm } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1617891992.061:2761): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
[root@localhost ~]# rpm -q selinux-policy-targeted fapolicyd
selinux-policy-targeted-34.2-1.fc34.noarch
fapolicyd-1.0.3-2.fc34.x86_64

Can you share what your /proc/mounts looks like?

mskarbek commented 3 years ago
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=7767728k,nr_inodes=1941932,mode=755,inode64 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,size=3129784k,nr_inodes=819200,mode=755,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
pstore /sys/fs/pstore pstore rw,seclabel,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/nvme0n1p3 / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=31,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=24749 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,seclabel,relatime,pagesize=2M 0 0
mqueue /dev/mqueue mqueue rw,seclabel,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,size=7824456k,nr_inodes=409600,inode64 0 0
/dev/nvme0n1p2 /boot xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/flatpak /var/lib/flatpak zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/home/marcin/Downloads /home/marcin/Downloads zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/containerd /var/lib/containerd zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/harbor /var/lib/harbor zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/home/marcin/.var /home/marcin/.var zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/containers /var/lib/containers zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,seclabel,nosuid,nodev,relatime,size=1564888k,nr_inodes=391222,mode=700,uid=1000,gid=1000,inode64 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0