RHEL-107555

[rhel-10] avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf


      This new AVC denial appears to be caused by the recently gated build of crun-1.23-1.el10 and is being discussed upstream in the GitHub issue "AVC failures with the latest crun package" (#389).

      Here is a reproducer on rhel-10.1...

      [root@kvm-03-guest11 ~]# cat /etc/redhat-release 
      Red Hat Enterprise Linux release 10.1 Beta (Coughlan)
      
      [root@kvm-03-guest11 ~]# rpm -q crun selinux-policy passt-selinux podman
      crun-1.23-1.el10.x86_64
      selinux-policy-42.1.4-1.el10.noarch
      passt-selinux-0^20250415.g8ec1341-1.el10.noarch
      podman-5.5.1-1.el10.x86_64
      
      [root@kvm-03-guest11 ~]# tail -f /var/log/audit/audit.log  | grep -i denied &
      [1] 7941
      
      [root@kvm-03-guest11 ~]# podman run --quiet --rm registry.access.redhat.com/rhel7:latest echo "Hello World"
      type=AVC msg=audit(1754346220.505:634): avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=0
      Hello World

      After downgrading to crun-1.22-1.el10, the denial disappears.
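      As an added example (not part of this issue or of crun/podman), the following POSIX shell snippet parses an AVC line of the shape shown in the reproducer and flags exactly this pattern (bpf / prog_run, source type init_t, target type container_runtime_t), so a log-review script can tell this denial apart from unrelated AVCs while the policy fix is pending. The sample line is a constructed copy of the reproducer's denial; the function names are this example's own.

```shell
#!/bin/sh
# Added example: parse SELinux AVC denial lines and flag the
# init_t -> container_runtime_t bpf prog_run denial seen in this issue.

# Constructed sample line, modelled on the denial in the reproducer.
SAMPLE_AVC='type=AVC msg=audit(1754346220.505:634): avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=0'

# avc_field LINE KEY -> value of KEY=... in LINE, with surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission named inside the { ... } braces
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^} ]*\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field (third colon-separated field) of an SELinux context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_bpf_container_denial LINE -> exit 0 only for the denial pattern from this issue
is_bpf_container_denial() {
    line=$1
    case "$line" in
        *"avc: "*"denied"*) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field "$line" tclass)" = "bpf" ] || return 1
    [ "$(avc_perm "$line")" = "prog_run" ] || return 1
    [ "$(ctx_type "$(avc_field "$line" scontext)")" = "init_t" ] || return 1
    [ "$(ctx_type "$(avc_field "$line" tcontext)")" = "container_runtime_t" ] || return 1
    return 0
}

# scan_audit_log [FILE] -> print every matching line from FILE
# (defaults to the audit log; reading it requires root)
scan_audit_log() {
    file=${1:-/var/log/audit/audit.log}
    while IFS= read -r line; do
        if is_bpf_container_denial "$line"; then
            printf '%s\n' "$line"
        fi
    done < "$file"
}
```

      Run `scan_audit_log` on a saved copy of audit.log (or on the live log as root) to list only the lines matching this issue; any other denial, including bpf denials with a different permission or source type, is left out so it is not mistaken for the crun-1.23 regression.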

              lmandvek Lokesh Mandvekar
              jsefler John Sefler
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot