SELinux sys_resource capability

After upgrading my servers to F38, I got many “AVC denied” about a sys_resource capability.

Many programs are hitting this kind of AVC: stunnel, mandb (during dnf update), postfix, plymouthd (only at boot), rndc.

type=AVC msg=audit(1686995355.371:13152): avc:  denied  { sys_resource } for  pid=64821 comm="mandb" capability=24  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1686995361.551:13161): avc:  denied  { sys_resource } for  pid=64886 comm="postfix-script" capability=24  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1686995850.248:13287): avc:  denied  { sys_resource } for  pid=65178 comm="plymouthd" capability=24  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1686995850.339:13288): avc:  denied  { sys_resource } for  pid=65169 comm="postfix-script" capability=24  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1686995850.856:13306): avc:  denied  { sys_resource } for  pid=65211 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1687039207.885:1771): avc:  denied  { sys_resource } for  pid=3498 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1687238473.245:4583): avc:  denied  { sys_resource } for  pid=10224 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1687239696.745:6427): avc:  denied  { sys_resource } for  pid=11966 comm="mandb" capability=24  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1687240535.743:6704): avc:  denied  { sys_resource } for  pid=12141 comm="postfix-script" capability=24  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1687240536.154:6708): avc:  denied  { sys_resource } for  pid=12152 comm="plymouthd" capability=24  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1687240537.448:6718): avc:  denied  { sys_resource } for  pid=12187 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1685772377.164:1847): avc:  denied  { sys_resource } for  pid=11331 comm="postfix-script" capability=24  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1685772377.397:1868): avc:  denied  { sys_resource } for  pid=11371 comm="plymouthd" capability=24  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1685772377.974:1887): avc:  denied  { sys_resource } for  pid=11394 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1685829607.517:1507): avc:  denied  { sys_resource } for  pid=4901 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1686434405.920:7045): avc:  denied  { sys_resource } for  pid=23318 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=1

The program which is having the most occurrences is stunnel:

type=SERVICE_START msg=audit(1687537011.855:4702): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=stunnel-redis@363-2001:bc8:3fec:d00:1eaf:::29399-2001:bc8:3fec:500:7ea:::34204 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=AVC msg=audit(1687537011.867:4703): avc:  denied  { sys_resource } for  pid=13208 comm="stunnel" capability=24  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1687537011.867:4703): arch=c000003e syscall=293 success=yes exit=0 a0=55c165893018 a1=80800 a2=55c166b1c020 a3=16 items=0 ppid=1 pid=13208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="stunnel" exe="/usr/bin/stunnel" subj=system_u:system_r:stunnel_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=pipe2 AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=FD_PAIR msg=audit(1687537011.867:4703): fd0=4 fd1=5
type=PROCTITLE msg=audit(1687537011.867:4703): proctitle=2F7573722F62696E2F7374756E6E656C002F6574632F7374756E6E656C2F72656469732E636F6E66
type=SERVICE_STOP msg=audit(1687537035.496:4704): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=stunnel-redis@363-2001:bc8:3fec:d00:1eaf:::29399-2001:bc8:3fec:500:7ea:::34204 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"

type=SERVICE_START msg=audit(1687540082.592:4714): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=stunnel-redis@366-2001:bc8:3fec:d00:1eaf:::29399-2001:bc8:3fec:500:7ea:::33644 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=AVC msg=audit(1687540082.612:4715): avc:  denied  { sys_resource } for  pid=13531 comm="stunnel" capability=24  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1687540082.612:4715): arch=c000003e syscall=293 success=yes exit=0 a0=562beda74018 a1=80800 a2=562bede35020 a3=16 items=0 ppid=1 pid=13531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="stunnel" exe="/usr/bin/stunnel" subj=system_u:system_r:stunnel_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=pipe2 AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=FD_PAIR msg=audit(1687540082.612:4715): fd0=4 fd1=5
type=PROCTITLE msg=audit(1687540082.612:4715): proctitle=2F7573722F62696E2F7374756E6E656C002F6574632F7374756E6E656C2F72656469732E636F6E66
type=SERVICE_STOP msg=audit(1687540084.471:4716): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=stunnel-redis@229-2001:bc8:3fec:d00:1eaf:::29399-2001:bc8:3fec:500:7ea:::45118 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"

stunnel is a service managed by systemd (custom unit file configuration). It is listening for connections from another machine of my infra. Then, it forwards the datastream to a redis server via TCP socket. I don’t know exactly what kind of pipe is used between the systemd socket (listening on the network interface of the machine) and the stunnel process. I guess it is not a TCP socket.

I tried to launch a relabel of the filesystem but it changed nothing.

Thanks in advance for any clue…

# rpm -q selinux-policy
selinux-policy-38.17-1.fc38.noarch
# uname -r
6.3.8-200.fc38.x86_64
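As an added triage helper that is not part of the original post: a Python parser that groups AVC records of the kind shown above by SELinux domain, command and capability name (capability=24 is CAP_SYS_RESOURCE), records whether each denial was only logged (permissive=1) or actually enforced, and decodes the hex PROCTITLE field into argv. The sample records are constructed to mirror the post's format.

```python
import re
from collections import Counter

# Capability numbers from linux/capability.h (subset); 24 is CAP_SYS_RESOURCE.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 7: "CAP_SETUID",
             10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN",
             23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type:level -> type
    if rec.get("tclass") == "capability":
        rec["capname"] = CAP_NAMES.get(int(rec["capability"]), "CAP_" + rec["capability"])
    rec["enforced"] = rec.get("permissive") == "0"  # permissive=1: logged, not blocked
    return rec

def decode_proctitle(hexstr):
    """PROCTITLE carries argv NUL-separated and hex-encoded."""
    return bytes.fromhex(hexstr).decode().split("\0")

def summarize(lines):
    """Count capability denials per (domain, comm, capability, enforced)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "capability":
            counts[(rec["stype"], rec["comm"], rec["capname"], rec["enforced"])] += 1
    return counts

# Constructed sample records (same layout as audit.log; the last one is enforcing).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1687537011.867:4703): arch=c000003e syscall=293 success=yes exit=0 comm="stunnel" exe="/usr/bin/stunnel" subj=system_u:system_r:stunnel_t:s0 key=(null)',
    'type=AVC msg=audit(1687537011.867:4703): avc:  denied  { sys_resource } for  pid=13208 comm="stunnel" capability=24  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1687540082.612:4715): avc:  denied  { sys_resource } for  pid=13531 comm="stunnel" capability=24  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1687240537.448:6718): avc:  denied  { sys_resource } for  pid=12187 comm="rndc" capability=24  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability permissive=0',
]

if __name__ == "__main__":
    for (domain, comm, cap, enforced), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{domain:<16} {comm:<10} {cap:<18} {'ENFORCED' if enforced else 'permissive':<10} x{n}")
```

Feed it `ausearch -m AVC,PROCTITLE` output (or audit.log directly) to see which domains would actually break once enforcing, since permissive=1 records are allowed despite being logged.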