SELinux avc agetty checkpoint_restore denied
mvelikikh opened this issue · 3 comments
After enabling SELinux on AWS OL9, we are getting the following messages in the audit log:
----
type=PROCTITLE msg=audit(07/29/2024 11:34:36.305:129) : proctitle=/sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220
type=SYSCALL msg=audit(07/29/2024 11:34:36.305:129) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x0 a1=0x5457 a2=0x7fffdb635b80 a3=0x8 items=0 ppid=1 pid=795 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=unset comm=agetty exe=/usr/sbin/agetty subj=system_u:system_r:getty_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/29/2024 11:34:36.305:129) : avc: denied { checkpoint_restore } for pid=795 comm=agetty capability=checkpoint_restore scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
type=PROCTITLE msg=audit(07/29/2024 11:34:36.434:130) : proctitle=/sbin/agetty -o -p -- \u --noclear - linux
type=SYSCALL msg=audit(07/29/2024 11:34:36.434:130) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x0 a1=0x5457 a2=0x7ffc3aebe600 a3=0x8 items=0 ppid=1 pid=794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=agetty exe=/usr/sbin/agetty subj=system_u:system_r:getty_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/29/2024 11:34:36.434:130) : avc: denied { checkpoint_restore } for pid=794 comm=agetty capability=checkpoint_restore scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
...
There are no such messages for the same test on AWS RH9.
As I understand, here is the relevant Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2259622
The fix was to alter selinux-policy: fedora-selinux/selinux-policy@1e73385
Raising this issue to investigate and get a fix for Oracle Linux.
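The two audit events above each carry three records (PROCTITLE, SYSCALL, AVC) sharing one serial, and the SYSCALL record reports `success=yes` even though the AVC record is a `denied` in enforcing mode. The following added example (not code from this issue, from Oracle Linux, or from selinux-policy) parses `ausearch -i`-style output, joins each AVC denial with the SYSCALL record of the same serial so that "denied but syscall still succeeded" is visible at a glance, and emits the audit2allow-style rule the denial would map to. The sample input is the log text quoted in this issue; the one ioctl request decoded (`0x5457`, TIOCSLCKTRMIOS from asm-generic/ioctls.h) is a small lookup table, not an output of any tool on the page.

```python
"""Parse SELinux AVC denials (ausearch -i style) and correlate each one with
the SYSCALL record that shares its audit serial."""
import re
from collections import Counter

# Sample input: the two audit events quoted in the issue above, verbatim.
SAMPLE_AUDIT_LOG = r"""
type=PROCTITLE msg=audit(07/29/2024 11:34:36.305:129) : proctitle=/sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220
type=SYSCALL msg=audit(07/29/2024 11:34:36.305:129) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x0 a1=0x5457 a2=0x7fffdb635b80 a3=0x8 items=0 ppid=1 pid=795 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=unset comm=agetty exe=/usr/sbin/agetty subj=system_u:system_r:getty_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/29/2024 11:34:36.305:129) : avc: denied { checkpoint_restore } for pid=795 comm=agetty capability=checkpoint_restore scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
type=PROCTITLE msg=audit(07/29/2024 11:34:36.434:130) : proctitle=/sbin/agetty -o -p -- \u --noclear - linux
type=SYSCALL msg=audit(07/29/2024 11:34:36.434:130) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x0 a1=0x5457 a2=0x7ffc3aebe600 a3=0x8 items=0 ppid=1 pid=794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=agetty exe=/usr/sbin/agetty subj=system_u:system_r:getty_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/29/2024 11:34:36.434:130) : avc: denied { checkpoint_restore } for pid=794 comm=agetty capability=checkpoint_restore scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
"""

# Record header: the serial is the number after the last ':' inside audit(...).
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.*?):(?P<serial>\d+)\) : (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Known tty ioctl request numbers (asm-generic/ioctls.h); extend as needed.
IOCTL_NAMES = {"0x5457": "TIOCSLCKTRMIOS"}


def parse_records(text):
    """Group audit records by serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # '----' separators and other non-record lines
        fields = dict(KV_RE.findall(m["body"]))
        if m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            if not a:
                continue
            fields["decision"] = a["decision"]
            fields["perms"] = a["perms"].split()
        events.setdefault(int(m["serial"]), {})[m["type"]] = fields
    return events


def context_type(ctx):
    """'system_u:system_r:getty_t:s0-s0:c0.c1023' -> 'getty_t'."""
    return ctx.split(":")[2]


def triage_denials(text):
    """One summary dict per AVC denial, joined with its SYSCALL record."""
    out = []
    for serial, recs in sorted(parse_records(text).items()):
        avc = recs.get("AVC")
        if not avc or avc["decision"] != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        request = sc.get("a1") if sc.get("syscall") == "ioctl" else None
        out.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "enforcing": avc.get("permissive") == "0",
            "syscall": sc.get("syscall"),
            "ioctl_request": IOCTL_NAMES.get(request, request),
            # A denied capability check whose syscall still reports success=yes
            # means the kernel satisfied the request another way: the denial is
            # audit noise to silence in policy, not a functional failure.
            "syscall_succeeded": sc.get("success") == "yes",
        })
    return out


def suggest_allow_rules(text):
    """audit2allow-style rule text per unique (source, target, class, perms), with counts."""
    rules = Counter()
    for d in triage_denials(text):
        target = "self" if d["source_type"] == d["target_type"] else d["target_type"]
        perms = " ".join(d["perms"])
        rules[f"allow {d['source_type']} {target}:{d['tclass']} {{ {perms} }};"] += 1
    return dict(rules)


if __name__ == "__main__":
    for d in triage_denials(SAMPLE_AUDIT_LOG):
        print(d)
    for rule, n in suggest_allow_rules(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {rule}")
```

Run against the sample, both denials come out as `getty_t` / `capability2` / `checkpoint_restore` in enforcing mode with `syscall_succeeded` True, and the single suggested rule is `allow getty_t self:capability2 { checkpoint_restore };`, which is the shape of the policy change the upstream fix makes. Feeding it real `ausearch -i -m AVC,SYSCALL,PROCTITLE` output instead of the sample is the intended use.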
Oracle Linux customers, please file your issue at https://support.oracle.com
Thanks for filing an issue with Oracle Linux.
GitHub Issues is not an official support channel and we don't offer
product support here. If you're not yet an Oracle Linux customer,
consider signing up at https://linux.oracle.com.
Even if you're not a customer, if we can confirm that an issue is a
bug we will do our best to fix it and to update this issue
once it has been fixed. We don't guarantee a fix or feedback and
for now, we will close this issue. If you have Oracle Linux support,
please use support.oracle.com to report issues.
Duplicated the issue internally.
This should be fixed in version SELINUX-POLICY-38.1.35-2.0.5.EL9_4.2.