
fapolicyd fails to start #7

Open
mskarbek opened this issue Mar 24, 2021 · 8 comments

Comments

@mskarbek

Mar 24 13:39:44 localhost.localdomain systemd[1]: Starting File Access Policy Daemon...
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Initializing the database
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Database migration will be performed.
Mar 24 13:39:44 localhost.localdomain systemd[1]: Started File Access Policy Daemon.
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: fapolicyd integrity is 0
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Loading rpmdb backend
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Creating database
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Loading data from rpmdb backend
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Loading data from file backend
Mar 24 13:39:44 localhost.localdomain fapolicyd[227009]: Error (Permission denied) adding fanotify mark for /dev/shm
Mar 24 13:39:44 localhost.localdomain systemd[1]: fapolicyd.service: Main process exited, code=exited, status=1/FAILURE
Mar 24 13:39:44 localhost.localdomain systemd[1]: fapolicyd.service: Failed with result 'exit-code'.
type=AVC msg=audit(1616589584.786:1317): avc:  denied  { watch_mount watch_with_perm } for  pid=227009 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

Fedora 34 Beta

fapolicyd-1.0.2-2.fc34.x86_64
fapolicyd-selinux-1.0.2-2.fc34.noarch
selinux-policy-targeted-3.14.7-26.fc34.noarch

@radosroka
Member

Hello,

the fix was already merged in #5. I will fix this in Fedora ASAP.

@radosroka
Member

Still waiting for a new selinux-policy build because there is a bug and I'm not able to build fapolicyd-selinux with the fix.

@mskarbek
Author

mskarbek commented Apr 2, 2021

Updated to: https://koji.fedoraproject.org/koji/buildinfo?buildID=1731150

type=SERVICE_START msg=audit(1617382829.340:1299): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617382831.052:1300): avc:  denied  { watch_mount watch_with_perm } for  pid=122839 comm="fapolicyd" path="/boot" dev="nvme0n1p2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1617382831.060:1301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"

Same outcome for selinux-policy-targeted-3.14.7-29.fc34.noarch and selinux-policy-targeted-34-1.fc34.noarch.

@radosroka
Member

It should be fixed with fapolicyd-1.0.3-2.fc34 and selinux-policy-34-2.fc34.

@mskarbek
Author

mskarbek commented Apr 8, 2021

type=SERVICE_START msg=audit(1617891990.645:2759): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617891992.051:2760): avc:  denied  { watch_mount watch_with_perm } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1617891992.061:2761): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
[root@localhost ~]# rpm -q selinux-policy-targeted fapolicyd
selinux-policy-targeted-34.2-1.fc34.noarch
fapolicyd-1.0.3-2.fc34.x86_64

@mskarbek
Author

mskarbek commented Apr 9, 2021

I'll set up a VM with a similar configuration and let it run for a while in permissive mode to collect more data, because I see that this will take a while. I have forked fapolicyd-selinux and will make a PR. Reporting each denial separately is unproductive.

@radosroka
Member

type=SERVICE_START msg=audit(1617891990.645:2759): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617891992.051:2760): avc:  denied  { watch_mount watch_with_perm } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1617891992.061:2761): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
[root@localhost ~]# rpm -q selinux-policy-targeted fapolicyd
selinux-policy-targeted-34.2-1.fc34.noarch
fapolicyd-1.0.3-2.fc34.x86_64

Can you share what your /proc/mounts looks like?

@mskarbek
Author

proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=7767728k,nr_inodes=1941932,mode=755,inode64 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,size=3129784k,nr_inodes=819200,mode=755,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
pstore /sys/fs/pstore pstore rw,seclabel,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/nvme0n1p3 / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=31,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=24749 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,seclabel,relatime,pagesize=2M 0 0
mqueue /dev/mqueue mqueue rw,seclabel,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,size=7824456k,nr_inodes=409600,inode64 0 0
/dev/nvme0n1p2 /boot xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/flatpak /var/lib/flatpak zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/home/marcin/Downloads /home/marcin/Downloads zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/containerd /var/lib/containerd zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/harbor /var/lib/harbor zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/home/marcin/.var /home/marcin/.var zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/containers /var/lib/containers zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,seclabel,nosuid,nodev,relatime,size=1564888k,nr_inodes=391222,mode=700,uid=1000,gid=1000,inode64 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
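The thread above is a sequence of one-denial-at-a-time reports, and the maintainer's last question ties each denial to the mount table. Below is an added helper (it is not code from the fapolicyd or fapolicyd-selinux projects) that does that correlation offline: it parses the AVC records posted in this issue, groups the denied permissions by (source type, target type, class), which is the granularity at which an allow rule is written, and looks up the mount entry for each denied path in the /proc/mounts listing, so a maintainer can see in one table which filesystem types and target labels still need coverage before opening the PR. The `AVC_LINES` and `MOUNTS` samples are copied from the comments in this issue; the function names are my own.

```python
"""Correlate SELinux AVC denials with /proc/mounts (added example, not project code)."""
import re
from collections import defaultdict

# Audit records copied from this issue. The SERVICE_START line is kept on
# purpose so the parser is shown skipping non-AVC record types.
AVC_LINES = """\
type=AVC msg=audit(1616589584.786:1317): avc:  denied  { watch_mount watch_with_perm } for  pid=227009 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1617382829.340:1299): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fapolicyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1617382831.052:1300): avc:  denied  { watch_mount watch_with_perm } for  pid=122839 comm="fapolicyd" path="/boot" dev="nvme0n1p2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1617891992.051:2760): avc:  denied  { watch_mount watch_with_perm } for  pid=192350 comm="fapolicyd" path="/var/lib/containers" dev="zfs" ino=34 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
"""

# A subset of the /proc/mounts listing posted in this issue.
MOUNTS = """\
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=7767728k,nr_inodes=1941932,mode=755,inode64 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0
/dev/nvme0n1p3 / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,size=7824456k,nr_inodes=409600,inode64 0 0
/dev/nvme0n1p2 /boot xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0
adcdf0c1-8055-4b3a-8f61-8688c9c29488/var/lib/containers /var/lib/containers zfs rw,seclabel,nosuid,relatime,xattr,posixacl 0 0
"""

AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = tuple(m.group("perms").split())
    # An SELinux context is user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(text):
    """Group denied permissions by (source type, target type, class).

    Each key corresponds to one allow rule; the value records the union of
    permissions that were denied and the paths that triggered them.
    """
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["paths"].add(rec.get("path", "?"))
    return dict(groups)


def _unescape(s):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mounts(text):
    """Parse /proc/mounts lines into dicts (source, target, fstype, options)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append({"source": _unescape(parts[0]), "target": _unescape(parts[1]),
                       "fstype": parts[2], "options": parts[3].split(",")})
    return mounts


def mount_for(path, mounts):
    """Return the mount whose mount point is the longest prefix of path, or None."""
    best = None
    for m in mounts:
        t = m["target"]
        if path == t or path.startswith(t.rstrip("/") + "/"):
            if best is None or len(t) > len(best["target"]):
                best = m
    return best


def correlate(avc_text, mounts_text):
    """One row per denied path: target label, denied perms, fs type, seclabel support."""
    mounts = parse_mounts(mounts_text)
    rows = []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or "path" not in rec:
            continue
        m = mount_for(rec["path"], mounts)
        rows.append({"path": rec["path"], "ttype": rec["ttype"], "perms": rec["perms"],
                     "fstype": m["fstype"] if m else None,
                     "seclabel": bool(m and "seclabel" in m["options"])})
    return rows


if __name__ == "__main__":
    for key, g in summarize_denials(AVC_LINES).items():
        print("allow %s %s:%s { %s };  # from %s" % (key[0], key[1], key[2],
              " ".join(sorted(g["perms"])), ", ".join(sorted(g["paths"]))))
    for r in correlate(AVC_LINES, MOUNTS):
        print("%-20s %-22s %-6s seclabel=%s" % (r["path"], r["ttype"], r["fstype"], r["seclabel"]))
```

Run against a real box with `ausearch -m AVC -ts recent` output and the local `/proc/mounts` in place of the embedded samples. The `allow` lines it prints are a reading aid in the same shape `audit2allow` would produce; which of them belong in the fapolicyd-selinux policy, and whether a broader interface should be used instead of a per-type rule, is still the maintainer's call.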
