Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1
Component/s: selinux-policy
Labels:
- known_issue_101

Fixed in Build:
selinux-policy-42.1.5-1.el10
Regression:
Yes
Severity:
Important
Epic Link:
SELINUX-3824
sprint_count:
1

AssignedTeam:
rhel-security-selinux

Internal Target Milestone:
25
Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 250827: 11

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/147963
Test Coverage:

Automated

Release Note Type:
Release Note Not Required
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Recently hit a new avc warning

[root@rhel-10-upk ~]# setenforce 0
[root@rhel-10-upk ~]#
[root@rhel-10-upk ~]# cat /etc/exports
/export_test *(rw,no_root_squash)
[root@rhel-10-upk ~]# systemctl daemon-reload
[root@rhel-10-upk ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1753755310.006:325): avc:  denied  { add_name } for  pid=6490 comm="nfs-server-gene" name="nfs-server.service.d" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1753755310.006:325): avc:  denied  { create } for  pid=6490 comm="nfs-server-gene" name="nfs-server.service.d" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1753755310.007:326): avc:  denied  { create } for  pid=6490 comm="nfs-server-gene" name="order-with-mounts.conf" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1753755310.007:326): avc:  denied  { write } for  pid=6490 comm="nfs-server-gene" path="/run/systemd/generator/nfs-server.service.d/order-with-mounts.conf" dev="tmpfs" ino=2314 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:systemd_generator_unit_file_t:s0 tclass=file permissive=1
[root@rhel-10-upk ~]# rpm -qa selinux-policy\*
selinux-policy-42.1.3-1.el10.noarch
selinux-policy-targeted-42.1.3-1.el10.noarch
selinux-policy-targeted-extra-42.1.3-1.el10.noarch
selinux-policy-extra-42.1.3-1.el10.noarch
[root@rhel-10-upk ~]#

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

mkdir -p /export_test
echo '/export_test *(rw)' > /etc/exports
systemctl daemon-reload

Expected results

Actual results

links to

RHBA-2025:147963 selinux-policy bug fix and enhancement update

Assignee:: Zdenek Pytela

Reporter:: Yongcheng Yang

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2025/07/29 2:19 AM

Updated:: 2025/09/26 3:59 PM

Target end:: 2025/08/18

Next Planned Release Date:: 2025/11/11

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide