Systemd update causes SELinux to deny cockpit.socket when updating the MOTD #107

Open
jeepingben opened this issue Nov 8, 2023 · 10 comments
@jeepingben

A recent systemd update (either systemd-239-74.0.5.el8_8.5.x86_64.rpm or systemd-239-74.0.6.el8_8.5.x86_64.rpm) results in SELinux denials when starting cockpit.
[screenshot attached]
This prevents cockpit.socket's ExecStartPost script from getting the correct listening port when updating the MOTD.
This is a pretty tiny effect and I only noticed because of the new denials.

Steps to reproduce:
Clean install of OL8 that includes cockpit
sudo systemctl start cockpit
sudo ausearch -m avc

You can stop it from happening by downgrading to systemd-239-74.0.4.el8_8.3.x86_64.rpm and rebooting.

@jeepingben
Author

@AmedeeBulle - Our contact at Oracle recommended I ping you about this issue. Can you get someone to take a look at it?

Is this issues page the replacement for bugzilla.oracle.com?

@AmedeeBulle AmedeeBulle self-assigned this Nov 15, 2023
@AmedeeBulle
Member

I'll report this internally

@scoter-oracle
Member

Cannot be reproduced with systemd-239-78.0.1.el8.x86_64 (actual latest).

@jeepingben
Author

jeepingben commented Feb 8, 2024

I am still seeing this with
Name : systemd
Version : 239
Release : 78.0.3.el8

I just confirmed again by doing a fresh net install of OL8.9. After install, I ran systemctl enable --now cockpit.socket, logged out, logged back in, ran ausearch -m avc and got the same denial.

@tvierling tvierling reopened this Feb 9, 2024
@YoderExMachina
Member

I can't duplicate this with systemd-239-78.0.4.el8.x86_64. Can this issue be closed?

@jeepingben
Author

I am still seeing this on the system I checked with systemd-239-78.0.4, but I am doing a clean net-install of OL8.9 to make sure it isn't something about my system.

Are you on a system that displays the cockpit-motd (Web console: https://$host:port or https://$ip:port)?

@jeepingben
Author

On a fresh install with this software configuration:

[screenshot attached]

This is what happens on first login:

[video attached]

@YoderExMachina
Member

Yes, I was testing on a fresh install of OL8.9 in OCI and I get the cockpit-motd no problem. When I do an ausearch I see the same 4 entries, but the cockpit-motd is working. I tried a bare metal system as well with a fresh install I still see the cockpit-motd. I tried from the console too and I am seeing the cockpit-motd. Also I verified I can access via the port listed. So is the issue that you are getting the avc records even though it's working?

@jeepingben
Author

Right, the denial is the main concern. I make some images which have an autotest that asserts no SELinux denials happened during the tests. I thought there was an issue with the systemctl command in update-motd failing to find alternate listening ports, but I'm not seeing that right now.

@jeepingben
Author

jeepingben commented Aug 21, 2024

audit2allow says that what is missing is:

#============= cockpit_ws_t ==============
allow cockpit_ws_t cgroup_t:filesystem getattr;
allow cockpit_ws_t tmpfs_t:filesystem getattr;

Is it just a matter of adding that to the appropriate policy?
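
Added example (not code from this issue, from Oracle, or from audit2allow itself): a small parser that turns raw `ausearch -m avc` records into the merged allow lines quoted above, which is also the shape of check a no-denials autotest like the one mentioned earlier can run. The AVC lines are constructed to match this report's cockpit_ws_t denials, not real output from the reporter's system, and the rule merging follows audit2allow's output format, not its implementation.

```python
import re
from collections import defaultdict

# Constructed sample records (not real audit output) shaped like the
# denials in this issue: cockpit-ws doing getattr on cgroup and tmpfs
# filesystems, plus one non-AVC line that must be ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1699460000.123:456): avc:  denied  { getattr } for  pid=1234 comm="cockpit-ws" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1699460000.123:457): avc:  denied  { getattr } for  pid=1234 comm="cockpit-ws" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1699460000.123:458): avc:  denied  { getattr } for  pid=1234 comm="cockpit-ws" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1699460000.123:458): arch=c000003e syscall=137 success=no exit=-13
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; user and role fields of the contexts are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_denials(text):
    """Return (source_type, target_type, tclass, perms) for every AVC denial."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((m['stype'], m['ttype'], m['tclass'],
                          frozenset(m['perms'].split())))
    return found

def allow_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style lines."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return sorted(rules)

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AVC)):
        print(rule)
```

Feeding the output of `ausearch -m avc -ts boot` into parse_denials and asserting the list is empty is the autotest check; a non-empty allow_rules result shows which policy rules are missing.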
