Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SELinux alerts after upgrade #814

Open
brianjmurrell opened this issue Jan 20, 2022 · 1 comment
Open

SELinux alerts after upgrade #814

brianjmurrell opened this issue Jan 20, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@brianjmurrell
Copy link
Contributor

Actual behavior
After upgrade, selinux violations:

SELinux is preventing /usr/libexec/platform-python3.6 from create access on the file /var/log/leapp/leapp-report.json.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow create vbox modules during startup new kernel.
Then you must tell SELinux about this by enabling the 'use_virtualbox' boolean.
You can read 'init_selinux' man page for more details.
Do
setsebool -P use_virtualbox 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed create access on the leapp-report.json file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/leapp/leapp-report.json [ file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2022-01-20 13:05:13 EST
Last Seen                     2022-01-20 13:05:33 EST
Local ID                      406818bf-6241-4c02-b1f7-6ff9dec8a55a

Raw Audit Messages
type=AVC msg=audit(1642701933.879:300): avc:  denied  { create } for  pid=7687 comm="leapp3" name="leapp-report.json" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1642701933.879:300): arch=x86_64 syscall=openat success=yes exit=EIO a0=ffffff9c a1=7faa881f3710 a2=80241 a3=1b6 items=1 ppid=1 pid=7687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

type=CWD msg=audit(1642701933.879:300): cwd=/

type=PATH msg=audit(1642701933.879:300): item=0 name=/var/log/leapp/leapp-report.json inode=516317 dev=fd:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: leapp3,init_t,var_log_t,file,create

and

SELinux is preventing /usr/libexec/platform-python3.6 from unlink access on the sock_file listener-nwd9v3_6.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed unlink access on the listener-nwd9v3_6 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                listener-nwd9v3_6 [ sock_file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2022-01-20 13:05:32 EST
Last Seen                     2022-01-20 13:05:33 EST
Local ID                      df876ea7-6317-4c95-a849-9e87c45f4e03

Raw Audit Messages
type=AVC msg=audit(1642701933.760:299): avc:  denied  { unlink } for  pid=8280 comm="leapp3" name="listener-nwd9v3_6" dev="dm-4" ino=27741 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


type=SYSCALL msg=audit(1642701933.760:299): arch=x86_64 syscall=unlink success=yes exit=0 a0=7faa881e3c20 a1=0 a2=0 a3=1 items=0 ppid=7687 pid=8280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

Hash: leapp3,init_t,tmp_t,sock_file,unlink

and:

SELinux is preventing /usr/libexec/platform-python3.6 from write access on the sock_file listener-nwd9v3_6.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed write access on the listener-nwd9v3_6 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                listener-nwd9v3_6 [ sock_file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2022-01-20 13:05:32 EST
Last Seen                     2022-01-20 13:05:33 EST
Local ID                      3a8a12de-f190-4e90-99db-4c06205b2460

Raw Audit Messages
type=AVC msg=audit(1642701933.691:298): avc:  denied  { write } for  pid=8316 comm="leapp3" name="listener-nwd9v3_6" dev="dm-4" ino=27741 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


type=SYSCALL msg=audit(1642701933.691:298): arch=x86_64 syscall=connect success=yes exit=0 a0=a a1=7fffe384bff0 a2=26 a3=8a0 items=0 ppid=7687 pid=8316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

Hash: leapp3,init_t,tmp_t,sock_file,write

and:

SELinux is preventing /usr/libexec/platform-python3.6 from unlink access on the sock_file listener-nwd9v3_6.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed unlink access on the listener-nwd9v3_6 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                listener-nwd9v3_6 [ sock_file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2022-01-20 13:05:32 EST
Last Seen                     2022-01-20 13:05:33 EST
Local ID                      df876ea7-6317-4c95-a849-9e87c45f4e03

Raw Audit Messages
type=AVC msg=audit(1642701933.760:299): avc:  denied  { unlink } for  pid=8280 comm="leapp3" name="listener-nwd9v3_6" dev="dm-4" ino=27741 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


type=SYSCALL msg=audit(1642701933.760:299): arch=x86_64 syscall=unlink success=yes exit=0 a0=7faa881e3c20 a1=0 a2=0 a3=1 items=0 ppid=7687 pid=8280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

Hash: leapp3,init_t,tmp_t,sock_file,unlink

and:

SELinux is preventing /usr/libexec/platform-python3.6 from write access on the sock_file listener-nwd9v3_6.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed write access on the listener-nwd9v3_6 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                listener-nwd9v3_6 [ sock_file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2022-01-20 13:05:32 EST
Last Seen                     2022-01-20 13:05:33 EST
Local ID                      3a8a12de-f190-4e90-99db-4c06205b2460

Raw Audit Messages
type=AVC msg=audit(1642701933.691:298): avc:  denied  { write } for  pid=8316 comm="leapp3" name="listener-nwd9v3_6" dev="dm-4" ino=27741 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


type=SYSCALL msg=audit(1642701933.691:298): arch=x86_64 syscall=connect success=yes exit=0 a0=a a1=7fffe384bff0 a2=26 a3=8a0 items=0 ppid=7687 pid=8316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

Hash: leapp3,init_t,tmp_t,sock_file,write

and:

SELinux is preventing /usr/libexec/platform-python3.6 from create access on the sock_file labeled tmp_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed create access on sock_file labeled tmp_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                (null) [ sock_file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2022-01-20 13:05:32 EST
Last Seen                     2022-01-20 13:05:32 EST
Local ID                      574de943-6e36-41d1-8284-28cfef987eb8

Raw Audit Messages
type=AVC msg=audit(1642701932.254:295): avc:  denied  { create } for  pid=8174 comm="leapp3" name="listener-kf1p7zlk" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


type=SYSCALL msg=audit(1642701932.254:295): arch=x86_64 syscall=bind success=yes exit=0 a0=8 a1=7fffe384b6c0 a2=26 a3=870 items=2 ppid=7687 pid=8174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

type=CWD msg=audit(1642701932.254:295): cwd=/

type=PATH msg=audit(1642701932.254:295): item=0 name=(null) inode=27734 dev=fd:04 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1642701932.254:295): item=1 name=(null) inode=27735 dev=fd:04 mode=0140755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: leapp3,init_t,tmp_t,sock_file,create

and:

SELinux is preventing /usr/libexec/platform-python3.6 from ioctl access on the file /root/tmp_leapp_py3/leapp3.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed ioctl access on the leapp3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root/tmp_leapp_py3/leapp3 [ file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2022-01-20 13:05:11 EST
Last Seen                     2022-01-20 13:05:11 EST
Local ID                      775025b5-d6ae-43ef-8371-f44572c4e6d6

Raw Audit Messages
type=AVC msg=audit(1642701911.816:290): avc:  denied  { ioctl } for  pid=7687 comm="leapp3" path="/root/tmp_leapp_py3/leapp3" dev="dm-4" ino=123372 ioctlcmd=0x5451 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1642701911.816:290): arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=5451 a2=0 a3=120 items=0 ppid=1 pid=7687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

Hash: leapp3,init_t,admin_home_t,file,ioctl

and:

SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file leapp3.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed read access on the leapp3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                leapp3 [ file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2022-01-20 13:05:11 EST
Last Seen                     2022-01-20 13:05:11 EST
Local ID                      1327d21e-4c28-4c08-905a-91a8cc382ee6

Raw Audit Messages
type=AVC msg=audit(1642701911.816:289): avc:  denied  { read } for  pid=7687 comm="leapp3" name="leapp3" dev="dm-4" ino=123372 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=AVC msg=audit(1642701911.816:289): avc:  denied  { open } for  pid=7687 comm="leapp3" path="/root/tmp_leapp_py3/leapp3" dev="dm-4" ino=123372 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1642701911.816:289): arch=x86_64 syscall=openat success=yes exit=ESRCH a0=ffffff9c a1=7faa9c046490 a2=0 a3=0 items=0 ppid=1 pid=7687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

Hash: leapp3,init_t,admin_home_t,file,read

and:

SELinux is preventing /usr/libexec/platform-python3.6 from execute access on the file /lib64/ld-linux-x86-64.so.2.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/lib64/ld-linux-x86-64.so.2 default label should be ld_so_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /lib64/ld-linux-x86-64.so.2

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed execute access on the ld-linux-x86-64.so.2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'leapp3' --raw | audit2allow -M my-leapp3
# semodule -X 300 -i my-leapp3.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /lib64/ld-linux-x86-64.so.2 [ file ]
Source                        leapp3
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           platform-python-3.6.8-39.el8_4.x86_64
Target RPM Packages           glibc-2.28-151.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-305.25.1.el8_4.x86_64 #1 SMP Tue Nov 2
                              10:34:25 EDT 2021 x86_64 x86_64
Alert Count                   3
First Seen                    2022-01-20 13:05:11 EST
Last Seen                     2022-01-20 13:05:11 EST
Local ID                      ca1deaa4-2d22-4672-b219-097ba11e4d12

Raw Audit Messages
type=AVC msg=audit(1642701911.755:285): avc:  denied  { execute } for  pid=7687 comm="(leapp3)" name="leapp3" dev="dm-4" ino=123372 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=AVC msg=audit(1642701911.755:285): avc:  denied  { read open } for  pid=7687 comm="(leapp3)" path="/root/tmp_leapp_py3/leapp3" dev="dm-4" ino=123372 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=AVC msg=audit(1642701911.755:285): avc:  denied  { execute_no_trans } for  pid=7687 comm="(leapp3)" path="/root/tmp_leapp_py3/leapp3" dev="dm-4" ino=123372 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1642701911.755:285): arch=x86_64 syscall=execve success=yes exit=0 a0=5589954179e0 a1=5589953ee610 a2=558995431ed0 a3=55899536b240 items=2 ppid=1 pid=7687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=leapp3 exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:init_t:s0 key=(null)

type=CWD msg=audit(1642701911.755:285): cwd=/

type=PATH msg=audit(1642701911.755:285): item=0 name=/usr/bin/python3 inode=364050 dev=fd:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1642701911.755:285): item=1 name=/lib64/ld-linux-x86-64.so.2 inode=135813 dev=fd:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: leapp3,init_t,admin_home_t,file,execute
@brianjmurrell brianjmurrell added the bug Something isn't working label Jan 20, 2022
@pirat89
Copy link
Member

pirat89 commented Jan 21, 2022
edited

This is minor issue as the executable itself is expected to be removed by user after the upgrade and this is just on-time issue during the upgrade. Including that SELinux is always set to Permissive mode (if no disabled at all) during the upgrade. Only possibility how people could make the enforcing mode enabled during the upgrade is to specify it on the kernel cmdline. But this is not expected use at all (the cmdline argument should be used only in rare cases for temporary setup for one boot) and people are informed that permissive mode is required during the upgrade by the generated report. So keeping it low priority to be honest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brianjmurrell @pirat89