OpenShift Bugs: OCPBUGS-63060

RHCOS10 - Several selinux denials observed


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version/s: 4.20.z
    • Component/s: RHCOS

      There's an outstanding bug that requests that some container-selinux updates which were recently applied to 9.6 also be applied to RHEL10. I have built a newer version of container-selinux with those changes, and I'm recording the SELinux denials observed in a running system.

      It would be good for us to triage these and open appropriate bugs against selinux-policy or container-selinux.

      type=PROCTITLE msg=audit(10/14/25 13:00:32.266:117) : proctitle=/bin/bash /usr/lib/systemd/system-generators/bootloader-migrate-generator /run/systemd/generator /run/systemd/generator.early /r 
      type=SYSCALL msg=audit(10/14/25 13:00:32.266:117) : arch=x86_64 syscall=access success=yes exit=0 a0=0x56046d62f1e0 a1=X_OK a2=0x7fffc215a520 a3=0x0 items=0 ppid=4748 pid=4750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootloader-migr exe=/usr/bin/bash subj=system_u:system_r:systemd_generic_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.266:117) : avc:  denied  { execute } for  pid=4750 comm=bootloader-migr name=ostree dev="overlay" ino=2821 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.266:118) : proctitle=ostree config --repo=/sysroot/ostree/repo get sysroot.bootloader 
      type=PATH msg=audit(10/14/25 13:00:32.266:118) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=6634 dev=00:21 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(10/14/25 13:00:32.266:118) : cwd=/ 
      type=EXECVE msg=audit(10/14/25 13:00:32.266:118) : argc=5 a0=ostree a1=config a2=--repo=/sysroot/ostree/repo a3=get a4=sysroot.bootloader 
      type=SYSCALL msg=audit(10/14/25 13:00:32.266:118) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56046d62f1e0 a1=0x56046d62b3a0 a2=0x56046d62ac00 a3=0x56046d61a010 items=1 ppid=4750 pid=4754 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ostree exe=/usr/bin/ostree subj=system_u:system_r:systemd_generic_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.266:118) : avc:  denied  { execute_no_trans } for  pid=4754 comm=bootloader-migr path=/usr/bin/ostree dev="overlay" ino=2821 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.268:119) : proctitle=/bin/bash /usr/lib/systemd/system-generators/coreos-boot-mount-generator /run/systemd/generator /run/systemd/generator.early /ru 
      type=SYSCALL msg=audit(10/14/25 13:00:32.268:119) : arch=x86_64 syscall=faccessat2 success=yes exit=0 a0=AT_FDCWD a1=0x5617a431a9b0 a2=W_OK a3=0x200 items=0 ppid=4748 pid=4751 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=coreos-boot-mou exe=/usr/bin/bash subj=system_u:system_r:coreos_boot_mount_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.268:119) : avc:  denied  { write } for  pid=4751 comm=coreos-boot-mou name=generator dev="tmpfs" ino=3217 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.308:120) : proctitle=ostree config --repo=/sysroot/ostree/repo get sysroot.bootloader 
      type=SYSCALL msg=audit(10/14/25 13:00:32.308:120) : arch=x86_64 syscall=faccessat2 success=no exit=EROFS(Read-only file system) a0=0x4 a1=0x7f1b320726e1 a2=W_OK a3=0x0 items=0 ppid=4750 pid=4754 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ostree exe=/usr/bin/ostree subj=system_u:system_r:systemd_generic_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.308:120) : avc:  denied  { write } for  pid=4754 comm=ostree name=objects dev="nvme0n1p4" ino=5257680 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.308:121) : proctitle=ostree config --repo=/sysroot/ostree/repo get sysroot.bootloader 
      type=SYSCALL msg=audit(10/14/25 13:00:32.308:121) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x5564819e650a a1=0x5564819e650a a2=0x0 a3=MS_REMOUNT|MS_SILENT items=0 ppid=4750 pid=4754 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ostree exe=/usr/bin/ostree subj=system_u:system_r:systemd_generic_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.308:121) : avc:  denied  { remount } for  pid=4754 comm=ostree scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.309:122) : proctitle=/bin/bash /usr/lib/systemd/system-generators/coreos-boot-mount-generator /run/systemd/generator /run/systemd/generator.early /ru 
      type=PATH msg=audit(10/14/25 13:00:32.309:122) : item=3 name=(null) inode=3237 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generator_unit_file_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(10/14/25 13:00:32.309:122) : item=2 name=(null) inode=3217 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generator_unit_file_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(10/14/25 13:00:32.309:122) : item=1 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(10/14/25 13:00:32.309:122) : item=0 name=(null) inode=3217 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generator_unit_file_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(10/14/25 13:00:32.309:122) : cwd=/ 
      type=SYSCALL msg=audit(10/14/25 13:00:32.309:122) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x5617a4320930 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=4 ppid=4751 pid=4800 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=coreos-boot-mou exe=/usr/bin/bash subj=system_u:system_r:coreos_boot_mount_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.309:122) : avc:  denied  { write open } for  pid=4800 comm=coreos-boot-mou path=/run/systemd/generator/boot.mount dev="tmpfs" ino=3237 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=file permissive=1 
      type=AVC msg=audit(10/14/25 13:00:32.309:122) : avc:  denied  { create } for  pid=4800 comm=coreos-boot-mou name=boot.mount scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=file permissive=1 
      type=AVC msg=audit(10/14/25 13:00:32.309:122) : avc:  denied  { add_name } for  pid=4800 comm=coreos-boot-mou name=boot.mount scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=dir permissive=1 
      type=AVC msg=audit(10/14/25 13:00:32.309:122) : avc:  denied  { write } for  pid=4800 comm=coreos-boot-mou name=generator dev="tmpfs" ino=3217 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.310:123) : proctitle=/bin/bash /usr/lib/systemd/system-generators/coreos-boot-mount-generator /run/systemd/generator /run/systemd/generator.early /ru 
      type=SYSCALL msg=audit(10/14/25 13:00:32.310:123) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7ffdee3123b0 a2=0x7fb5d2525580 a3=0x0 items=0 ppid=4751 pid=4800 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cat exe=/usr/bin/cat subj=system_u:system_r:coreos_boot_mount_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.310:123) : avc:  denied  { getattr } for  pid=4800 comm=cat path=/run/systemd/generator/boot.mount dev="tmpfs" ino=3237 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=file permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:32.313:124) : proctitle=ln -sf ../boot.mount /run/systemd/generator/local-fs.target.wants/boot.mount 
      type=PATH msg=audit(10/14/25 13:00:32.313:124) : item=1 name=(null) inode=3238 dev=00:1a mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generator_unit_file_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(10/14/25 13:00:32.313:124) : item=0 name=(null) inode=3226 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_generator_unit_file_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(10/14/25 13:00:32.313:124) : cwd=/ 
      type=SYSCALL msg=audit(10/14/25 13:00:32.313:124) : arch=x86_64 syscall=symlinkat success=yes exit=0 a0=0x7ffc0b464d64 a1=0xffffff9c a2=0x7ffc0b464d72 a3=0x0 items=2 ppid=4751 pid=4802 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ln exe=/usr/bin/ln subj=system_u:system_r:coreos_boot_mount_generator_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:32.313:124) : avc:  denied  { create } for  pid=4802 comm=ln name=boot.mount scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=lnk_file permissive=1 
      ----
      type=PROCTITLE msg=audit(10/14/25 13:00:44.750:171) : proctitle=/usr/bin/python3 -Es /usr/sbin/tuned --no-dbus 
      type=SYSCALL msg=audit(10/14/25 13:00:44.750:171) : arch=x86_64 syscall=write success=yes exit=4 a0=0xa a1=0x7f0aa8031d00 a2=0x4 a3=0x2 items=0 ppid=4200 pid=5260 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tuned exe=/usr/bin/python3.9 subj=system_u:system_r:spc_t:s0 key=(null) 
      type=AVC msg=audit(10/14/25 13:00:44.750:171) : avc:  granted  { setsecparam } for  pid=5260 comm=tuned scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security 
       

      Reproducer steps

      1) Install 4.20.0-rc.3 with osImage overrides for 4.20-10.1

      2) Update container-selinux with https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/work/tasks/3816/69103816/container-selinux-2.242.0-2.el10_1.noarch.rpm to eliminate some known issues from https://issues.redhat.com/browse/RHEL-116097

      3) Reboot

      4) ausearch -m avc -ts boot -i
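As an added triage aid (not part of the report), the following Python script parses `ausearch -i` AVC records of the shape shown above and collapses the denials into one row per source domain, target type and object class, which is the granularity at which a selinux-policy or container-selinux rule gap gets filed; the sample input is copied from the records above, and `granted` records are separated out because they are audit-on-allow events rather than denials.

```python
import re
from collections import defaultdict

# AVC records copied from the `ausearch -i` output above (SYSCALL/PATH/PROCTITLE lines omitted; the parser skips them anyway).
SAMPLE_AVC = """\
type=AVC msg=audit(10/14/25 13:00:32.266:117) : avc:  denied  { execute } for  pid=4750 comm=bootloader-migr name=ostree dev="overlay" ino=2821 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/14/25 13:00:32.266:118) : avc:  denied  { execute_no_trans } for  pid=4754 comm=bootloader-migr path=/usr/bin/ostree dev="overlay" ino=2821 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/14/25 13:00:32.309:122) : avc:  denied  { write open } for  pid=4800 comm=coreos-boot-mou path=/run/systemd/generator/boot.mount dev="tmpfs" ino=3237 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(10/14/25 13:00:44.750:171) : avc:  granted  { setsecparam } for  pid=5260 comm=tuned scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record as printed by `ausearch -i`; `permissive=` is absent on 'granted' records.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) "
    r"comm=(?P<comm>\S+).*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """Return one dict per type=AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            rec = m.groupdict()
            rec["perms"] = frozenset(rec["perms"].split())
            # permissive=1 means the access went ahead and was only logged;
            # in enforcing mode the same rule gap would block the generator.
            rec["permissive"] = rec["permissive"] == "1"
            records.append(rec)
    return records

def summarize(records):
    """Collapse denials into one row per (source domain, target type, class): each
    row is one missing allow rule, the unit a policy bug gets filed against."""
    rows = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for r in records:
        if r["verdict"] != "denied":  # 'granted' = audit-on-allow, not a denial
            continue
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2], r["tclass"])
        rows[key]["perms"] |= r["perms"]
        rows[key]["comms"].add(r["comm"])
        rows[key]["count"] += 1
    return dict(rows)

if __name__ == "__main__":
    for (src, tgt, cls), row in sorted(summarize(parse_avc(SAMPLE_AVC)).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(row['perms']))} "
              f"[{', '.join(sorted(row['comms']))}] x{row['count']}")
```

To run it against a live system, feed it the output of the `ausearch -m avc -ts boot -i` command from step 4 instead of `SAMPLE_AVC`.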

              Assignee: Unassigned
              Reporter: Scott Dodson (rhn-support-sdodson)
              Michael Nguyen