Bug
Resolution: Unresolved
Major
rhel-10.0.z, rhel-10.1, rhel-9.7, rhel-10.1.z
rhel-image-mode
x86_64
What were you trying to do that didn't work?
Deploy a system using ostreecontainer in a kickstart file. Rebooting this system then raises an AVC error.
Here is upstream discussion: https://github.com/bootc-dev/bootc/pull/1529
What is the impact of this issue to you?
All systems that are deployed from a remote repository will hit the AVC error.
Please provide the package NVR for which the bug is seen:
images.paas.redhat.com/mhou/rhel-9:rhel-9.6.0-updates-20250811.3-x86_64-stock-1754992233147
images.paas.redhat.com/mhou/rhel-10:rhel-10.0-updates-20250811.2-amd64-rtk-1754991753791
How reproducible is this bug?: 100%
Steps to reproduce
- Use the ostreecontainer option in kickstart to deploy image mode
- Reboot the system
Expected results
No AVC error after reboot
Actual results
https://beaker.engineering.redhat.com/jobs/11513918
[50111.446723] systemd-shutdown[1]: Could not detach DM /dev/dm-0: Device or resource busy
[50111.446725] systemd-shutdown[1]: Not all DM devices detached, 1 left.
[50111.446727] systemd-shutdown[1]: Cannot finalize remaining file systems, DM devices, continuing.
[50111.472573] audit: type=1400 audit(1754646026.614:4): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[50111.472576] audit: type=1400 audit(1754646026.614:5): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[50111.482945] audit: type=1400 audit(1754646026.624:6): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[50111.482947] audit: type=1400 audit(1754646026.624:7): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[50111.482952] audit: type=1400 audit(1754646026.624:8): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Here is the disk status on the test machine.
[root@dell-per750-66 ~]# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device
/dev/bus/0 -d megaraid,0 # /dev/bus/0 [megaraid_disk_00], SCSI device
[root@dell-per750-66 ~]# smartctl -a /dev/sda -d megaraid,0
smartctl 7.2 2020-12-30 r5155 [x86_64-linux-5.14.0-570.35.1.el9_6.x86_64+rt] (local build)
Copyright (C) 2002-20, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Vendor:               SEAGATE
Product:              ST600MM0069
Revision:             ST38
Compliance:           SPC-4
User Capacity:        600,127,266,816 bytes [600 GB]
Logical block size:   512 bytes
Formatted with type 2 protection
8 bytes of protection information per logical block
LU is fully provisioned
Rotation Rate:        10000 rpm
Form Factor:          2.5 inches
Logical Unit id:      0x5000c500efe082d3
Serial number:        WFJ6HQ0V
Device type:          disk
Transport protocol:   SAS (SPL-3)
Local Time is:        Mon Aug 25 09:05:01 2025 UTC
SMART support is:     Available - device has SMART capability.
SMART support is:     Enabled
Temperature Warning:  Disabled or Not Supported

=== START OF READ SMART DATA SECTION ===
SMART Health Status: OK

Grown defects during certification <not available>
Total blocks reassigned during format <not available>
Total new blocks reassigned = 0
Power on minutes since format <not available>
Current Drive Temperature:     31 C
Drive Trip Temperature:        60 C

Accumulated power on time, hours:minutes 19116:44
Manufactured in week 41 of year 2022
Specified cycle count over device lifetime:  10000
Accumulated start-stop cycles:  1511
Specified load-unload count over device lifetime:  300000
Accumulated load-unload cycles:  8764
Elements in grown defect list: 0

Vendor (Seagate Cache) information
  Blocks sent to initiator = 2507561564
  Blocks received from initiator = 347352980
  Blocks read from cache and sent to initiator = 4076041104
  Number of read and write commands whose size <= segment size = 154872676
  Number of read and write commands whose size > segment size = 2

Vendor (Seagate/Hitachi) factory information
  number of hours powered up = 19116.73
  number of minutes until next internal SMART test = 39

Error counter log:
           Errors Corrected by           Total   Correction     Gigabytes    Total
               ECC          rereads/    errors   algorithm      processed    uncorrected
           fast | delayed   rewrites  corrected  invocations   [10^9 bytes]  errors
read:   2138380740        5         0  2138380745          5      27999.288           0
write:           0        0        37          37         37      69484.145           0
verify:   92511550        0         0    92511550          0      87207.180           0

Non-medium error count:        0

SMART Self-test log
Num  Test              Status                 segment  LifeTime  LBA_first_err [SK ASC ASQ]
     Description                              number   (hours)
# 1  Background long   Completed                   96       3                 - [-   -    -]
# 2  Background short  Completed                   96       2                 - [-   -    -]

Long (extended) Self-test duration: 3565 seconds [59.4 minutes]
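For triaging kernel-log AVC records like the ones in the report above, the following is an added example (not part of the original report and not bootc or Red Hat code). It collapses repeated denials into unique tuples and separates those whose target type is `unlabeled_t`, the type the kernel assigns to an object with no valid SELinux label. The function names and the third sample record are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: the first two records are copied from the report above;
# the third is CONSTRUCTED to exercise the non-unlabeled path.
SAMPLE = """\
[50111.472573] audit: type=1400 audit(1754646026.614:4): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[50111.482945] audit: type=1400 audit(1754646026.624:6): avc: denied { search } for pid=8275 comm="mdadm" name="etc" dev="overlay" ino=529 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[50200.000001] audit: type=1400 audit(1754646100.000:9): avc: denied { read } for pid=100 comm="example" name="demo.conf" dev="sda3" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None  # truncated record, nothing to classify
    rec['perms'] = tuple(m.group('perms').split())
    # A context is user:role:type:level; the type is always the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, target type, class, perms, name, dev)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec['comm'], rec['stype'], rec['ttype'], rec.get('tclass', ''),
                    rec['perms'], rec.get('name', ''), rec.get('dev', ''))] += 1
    return counts

def labeling_suspects(counts):
    """Denials against unlabeled_t: the object has no valid label."""
    return [key for key in counts if key[2] == 'unlabeled_t']

if __name__ == '__main__':
    totals = summarize(SAMPLE)
    for key in labeling_suspects(totals):
        print(totals[key], 'x', key)
```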