| Summary: | sys-process/audit-3.0.6-r1: On a SELinux+systemd host, audit fails to access the /proc filesystem | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | David Sardari <d> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | UNCONFIRMED --- | ||
| Severity: | normal | CC: | gentoo |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
(Aside: we may want to add proc to https://wiki.gentoo.org/wiki/SELinux/Installation#Setting_file_system_contexts) |
audit fails to access the /proc filesystem, because /proc has SELinux type "unlabeled_t". Reproducible: Always Steps to Reproduce: 1. Setup Gentoo with systemd and SELinux 2. Boot Actual Results: You get the following denial: [ 19.902620] audit: type=1400 audit(1663630933.439:3): avc: denied { mounton } for pid=1062 comm="(auditd)" path="/run/systemd/unit-root/proc" dev="dm-3" ino=67581 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 Expected Results: /proc should have SELinux type "proc_t". With help of user grift from IRC libera #selinux channel, I relabeled "/proc": # Credits: grift :) ❯ echo '(filecon "/proc" dir (system_u object_r proc_t ((s0)(s0)))) (allow proc_t fs_t (filesystem (associate))) (typeattributeset mountpoint proc_t)'> my_proc.cil ❯ semodule -i my_proc.cil ❯ export tmpdir="$(mktemp -d)" && mount --bind / "$tmpdir" && chcon system_u:object_r:proc_t:s0 "$tmpdir"/proc && umount "$tmpdir" && echo -e "\e[1;32mSUCCESS\e[0m"