[Bug 1228380] New: [SELinux] extreme grub error flood, grub2-mkrelpath and grub2-script-check
https://bugzilla.suse.com/show_bug.cgi?id=1228380

Bug ID: 1228380
Summary: [SELinux] extreme grub error flood, grub2-mkrelpath and grub2-script-check
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: pallaswept@proton.me
QA Contact: security-team@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

This one is hammering my logs quite badly. Any assistance would be greatly appreciated.

SELinux status, mode and policy name: enabled, targeted, enforcing
SELinux policy version and repository: repo-oss selinux-policy
The software (incl. version) that is affected by the SELinux issue and the error message: grub

SELinux Audit log:
The log is impossibly large due to the density of these messages. These are the two messages:

Hundreds per second, in bursts
----
time->Sun Jul 28 08:00:13 2024
type=AVC msg=audit(1722117613.981:2165): avc: denied { execute } for pid=51597 comm="grub" name="grub2-mkrelpath" dev="nvme0n1p2" ino=4261726 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0

Once per minute, every minute
----
time->Sun Jul 28 08:00:13 2024
type=AVC msg=audit(1722117613.985:2166): avc: denied { execute } for pid=51600 comm="grub" name="grub2-script-check" dev="nvme0n1p2" ino=4261732 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
----

Any other important details:
Installed SELinux on existing TW system using this doc
https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl...

Thanks!

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1228380#c1

--- Comment #1 from pallas wept <pallaswept@proton.me> ---
Since this was effectively denying access to logs I have blindly applied the advice given by the tool.

    ausearch -c 'grub' --raw | audit2allow -M my-grub

Adding this new rule has apparently exposed a new flood of errors as follows:

type=AVC msg=audit(1722125351.618:425): avc: denied { execute_no_trans } for pid=18478 comm="grub" path="/usr/bin/grub2-script-check" dev="nvme0n1p2" ino=4261732 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0

I have 10 minutes uptime and just over 300 errors, so that one is relatively tame at once every 2 seconds on average, in bursts... Still, very not good.
https://bugzilla.suse.com/show_bug.cgi?id=1228380#c5

--- Comment #5 from pallas wept <pallaswept@proton.me> ---
(In reply to Cathy Hu from comment #4)
> thanks, yes it would be really helpful if you open bugs even for small things, please feel encouraged to do so :)

Hi Cathy, I saw the 0726 policy package in my zypper dup today. After installing it I removed my "panic policy" from before, but the errors came back again. I put the "panic policy" back on. I know it's not a good thing but my systemd journal couldn't hack it. This is what the panic policy module looks like:

    cat my-grub_2.cil
    (typeattributeset cil_gen_require bootloader_exec_t)
    (typeattributeset cil_gen_require snapperd_t)
    (allow snapperd_t bootloader_exec_t (file (execute)))
    (allow snapperd_t bootloader_exec_t (file (execute_no_trans)))

Is this helpful? It is alien language to me, I am reading the docs now. When I look at the changes for the selinux-policy package, it seems like maybe I have a different bug. If I export my snapper module, I see

    (allow snapper_grub_plugin_t bootloader_exec_t (file (ioctl read getattr lock map execute open execute_no_trans)))

So I think I have the new changes from the policy in effect there, but mine is something else (because of the different source type). Am I understanding this correctly?
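The audit2allow step in comment #1 and the resulting my-grub_2.cil in comment #5 are the two places where a reader has to judge what a generated allow rule actually grants. The script below is an added example, not part of this bug report or of the selinux-policy package: it parses AVC records the way audit2allow does, counts the distinct denials (a flood is many repeats of the same tuple), emits the equivalent CIL with the permissions for one source/target/class merged into a single allow (the reporter's file has them as two rules because they were generated at different times), and flags execute_no_trans, because allowing it makes snapperd_t run the grub2 binaries as snapperd_t instead of transitioning into a dedicated domain such as the snapper_grub_plugin_t the updated policy uses. The sample input is the three AVC lines quoted in this bug plus one constructed non-AVC record; the review rule and all function names are mine.

```python
import re
from collections import Counter

# Sample input: the three AVC records quoted in this bug report, plus one
# constructed non-AVC record (not from the report) to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1722117613.981:2165): avc: denied { execute } for pid=51597 comm="grub" name="grub2-mkrelpath" dev="nvme0n1p2" ino=4261726 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722117613.985:2166): avc: denied { execute } for pid=51600 comm="grub" name="grub2-script-check" dev="nvme0n1p2" ino=4261732 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722125351.618:425): avc: denied { execute_no_trans } for pid=18478 comm="grub" path="/usr/bin/grub2-script-check" dev="nvme0n1p2" ino=4261732 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1722125351.618:425): arch=c000003e syscall=59 success=no exit=-13 comm="grub"
"""

# The fields of an AVC denial needed to write an allow rule. Real auditd output
# separates these tokens with double spaces; \s+ accepts both spacings.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(audit_text):
    """Return one (source_type, target_type, tclass, permission) tuple per denied permission."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, ... records carry no denial of their own
        for perm in m.group("perms").split():
            denials.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                            m.group("tclass"), perm))
    return denials


def count_denials(denials):
    """How often each distinct denial occurred; a flood is a large count for few keys."""
    return Counter(denials)


def to_cil(denials):
    """Collapse denials into CIL in the shape audit2allow -M writes: the
    cil_gen_require declarations for every type used, then one allow per
    source/target/class carrying the union of the denied permissions."""
    grouped = {}
    for src, tgt, cls, perm in denials:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    types = sorted({k[0] for k in grouped} | {k[1] for k in grouped})
    rules = [f"(typeattributeset cil_gen_require {t})" for t in types]
    for (src, tgt, cls), perms in sorted(grouped.items()):
        rules.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return rules


def review(denials):
    """Flag rules that should not be applied blindly. 'execute_no_trans' lets the
    source domain execve the file and keep running as itself, so the binary runs
    with every permission of that domain instead of a domain of its own; the
    usual correct fix is a domain transition into a dedicated domain."""
    findings = []
    for src, tgt, cls, perm in sorted(set(denials)):
        if cls == "file" and perm == "execute_no_trans":
            findings.append(f"{src} execute_no_trans {tgt}: {tgt} binaries would run inside "
                            f"{src}; consider a domain transition instead of this allow")
    return findings


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    for key, n in count_denials(denials).most_common():
        print(n, *key)
    print()
    print("\n".join(to_cil(denials)))
    print()
    print("\n".join(review(denials)))
```

Run against a real system with `ausearch -m AVC --raw | python3 avc_review.py` after swapping the sample for stdin; the point of the review() pass is that a generated module is a hypothesis about what the policy should allow, and rules that keep a daemon's domain on an executable of another type are the ones worth reading before `semodule -i`.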
https://bugzilla.suse.com/show_bug.cgi?id=1228380#c10

--- Comment #10 from pallas wept <pallaswept@proton.me> ---
Hi Cathy, Thanks for taking care of creating the other bug for me. I attached a super verbose log file, I hope it's not too much bother. It's just from today to keep it shorter, but I'm pretty sure that covers all the scenarios I ran in the past few days, so everything in the logs prior to today. It seems like it's just 4 messages repeated - the first one runs rarely, maybe once per day. There are those two that go crazy before the relabel, and then the new one.