RHEL / RHEL-36289

SELinux prevents the bootupd daemon from getattr+search on /sys/firmware/efi/efivars/

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Version: rhel-9.5
    • Component: selinux-policy
    • Labels: sst_security_selinux, ssg_security
    • Architecture: aarch64
    • Note: The automated test does not trigger SELinux denials on aarch64 machines equipped with an EFI partition.

      What were you trying to do that didn't work?

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.37-1.el9.noarch
      selinux-policy-targeted-38.1.37-1.el9.noarch
      bootupd-0.2.18-1.el9.aarch64

      How reproducible:

      Sometimes, on aarch64 machines which have EFI.

      Steps to reproduce

      1. get a RHEL-9.5 machine (the targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/bootupd-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
      type=PROCTITLE msg=audit(05/13/2024 20:55:09.250:499) : proctitle=/usr/libexec/bootupd daemon -v 
      type=PATH msg=audit(05/13/2024 20:55:09.250:499) : item=0 name=/sys/firmware/efi/efivars inode=1336 dev=00:1d mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:efivarfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/13/2024 20:55:09.250:499) : cwd=/usr 
      type=SYSCALL msg=audit(05/13/2024 20:55:09.250:499) : arch=aarch64 syscall=statx success=yes exit=0 a0=0xffffffffffffff9c a1=0xffffd11a0668 a2=0x0 a3=0xfff items=1 ppid=1 pid=56333 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null) 
      type=AVC msg=audit(05/13/2024 20:55:09.250:499) : avc:  denied  { getattr } for  pid=56333 comm=bootupd path=/sys/firmware/efi/efivars dev="efivarfs" ino=1336 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(05/13/2024 20:55:09.250:500) : proctitle=/usr/libexec/bootupd daemon -v 
      type=PATH msg=audit(05/13/2024 20:55:09.250:500) : item=0 name=/sys/firmware/efi/efivars/LoaderInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(05/13/2024 20:55:09.250:500) : cwd=/usr 
      type=SYSCALL msg=audit(05/13/2024 20:55:09.250:500) : arch=aarch64 syscall=statx success=no exit=ENOENT(No such file or directory) a0=0xffffffffffffff9c a1=0xffffd11a0668 a2=0x0 a3=0xfff items=1 ppid=1 pid=56333 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null) 
      type=AVC msg=audit(05/13/2024 20:55:09.250:500) : avc:  denied  { search } for  pid=56333 comm=bootupd name=/ dev="efivarfs" ino=1336 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1 
      ----
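      The two AVC records above both name the same source domain (bootupd_t), target type (efivarfs_t) and object class (dir), and both carry permissive=1: the daemon was running in a permissive domain, so the access was logged but not blocked (the first SYSCALL record shows success=yes; the second fails with ENOENT because the LoaderInfo variable does not exist, not because of policy). The script below is an added example, not part of the report or of selinux-policy: it parses the AVC lines (copied from the report as constructed sample input), merges the denied permissions per (source type, target type, class) the way audit2allow does, renders the resulting allow rule in .te syntax, and flags whether the denials were only observed in permissive mode. Function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records from the report above
# (the PATH/SYSCALL/CWD records of each event are omitted here).
SAMPLE_AVCS = """\
type=AVC msg=audit(05/13/2024 20:55:09.250:499) : avc:  denied  { getattr } for  pid=56333 comm=bootupd path=/sys/firmware/efi/efivars dev="efivarfs" ino=1336 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(05/13/2024 20:55:09.250:500) : avc:  denied  { search } for  pid=56333 comm=bootupd name=/ dev="efivarfs" ino=1336 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
"""

# Matches the fields of an AVC record that matter for deriving a rule.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return the relevant fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    return {
        "perms": set(m.group("perms").split()),
        # context is user:role:type:level; the type is what policy rules use
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def summarize(text):
    """Merge denials into (source type, target type, class) -> set of permissions.

    Also reports whether any denial was recorded with permissive=1, i.e. the
    access went through and the record is advisory rather than an actual block.
    """
    rules = defaultdict(set)
    permissive_seen = False
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        permissive_seen = permissive_seen or rec["permissive"]
    return dict(rules), permissive_seen


def to_te_rules(rules):
    """Render the merged denials as allow rules in policy-source (.te) syntax."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


if __name__ == "__main__":
    merged, permissive = summarize(SAMPLE_AVCS)
    for rule in to_te_rules(merged):
        print(rule)  # allow bootupd_t efivarfs_t:dir { getattr search };
    if permissive:
        print("# denials were recorded in permissive mode; the access was not blocked")
```

      The printed rule is the minimal change the report implies; in selinux-policy it would normally be expressed through the efivarfs interface of the dev module rather than as a raw allow rule, and whether bootupd should also be allowed to read individual EFI variables is not something these two records answer.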
      People: Zdenek Pytela (rhn-support-zpytela), Milos Malik (mmalik@redhat.com)