Bug
Resolution: Unresolved
rhel-10.1, rhel-9.7
rhel-image-mode
x86_64
What were you trying to do that didn't work?
When booting a system, AVC denials are raised
[ 28.152547] audit: type=1400 audit(1756110198.662:4): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name=".rpm.lock" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.560841] audit: type=1400 audit(1756110199.070:5): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="shadow" dev="sda5" ino=1078102890 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
[ 28.562047] audit: type=1400 audit(1756110199.070:6): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name=".pwd.lock" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562050] audit: type=1400 audit(1756110199.070:7): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="gshadow-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562052] audit: type=1400 audit(1756110199.070:8): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="semanage.read.LOCK" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562054] audit: type=1400 audit(1756110199.070:9): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="semanage.trans.LOCK" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562056] audit: type=1400 audit(1756110199.070:10): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="passwd-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562057] audit: type=1400 audit(1756110199.070:11): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="group-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562059] audit: type=1400 audit(1756110199.070:12): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="shadow-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 28.562060] audit: type=1400 audit(1756110199.070:13): avc: denied { unlink } for pid=1570 comm="systemd-tmpfile" name="#5b" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
What is the impact of this issue to you?
AVC denials are raised
Please provide the package NVR for which the bug is seen:
ostree-2025.2-1.el9_6.x86_64
images.paas.redhat.com/mhou/rhel-9:rhel-9.6.0-updates-20250820.1-x86_64-stock-1755827916613
images.paas.redhat.com/mhou/rhel-9:rhel-9.6.0-updates-20250820.1-x86_64-rtk-1755828196025
How reproducible is this bug?: 100%
Steps to reproduce
- Use ostreecontainer --url to deploy an image mode system
- Reboot the system
Expected results
No AVC denials
Actual results
https://beaker.engineering.redhat.com/recipes/19427639#task200433943
Debug why these errors are raised
[root@dell-per750-66 perf]# journalctl -b 0 --grep 'systemd-tmpfile' -o short-monotonic -l --no-page
[ 16.780140] localhost systemd[1]: systemd-tmpfiles-setup.service: Deactivated successfully.
[ 16.896068] localhost systemd[1]: systemd-tmpfiles-setup-dev.service: Deactivated successfully.
[ 29.464353] localhost kernel: audit: type=1400 audit(1756114680.952:4): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name=".rpm.lock" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.476234] localhost kernel: audit: type=1400 audit(1756114680.964:5): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="shadow" dev="sda5" ino=1078102890 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
[ 29.476237] localhost kernel: audit: type=1400 audit(1756114680.964:6): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name=".pwd.lock" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.476239] localhost kernel: audit: type=1400 audit(1756114680.964:7): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="gshadow-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.503563] localhost kernel: audit: type=1400 audit(1756114680.991:8): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="semanage.read.LOCK" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.503566] localhost kernel: audit: type=1400 audit(1756114680.991:9): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="semanage.trans.LOCK" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.503568] localhost kernel: audit: type=1400 audit(1756114680.991:10): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="passwd-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.503570] localhost kernel: audit: type=1400 audit(1756114680.991:11): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="group-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.503572] localhost kernel: audit: type=1400 audit(1756114680.991:12): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="shadow-" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 29.506729] localhost kernel: audit: type=1400 audit(1756114680.994:13): avc: denied { unlink } for pid=1625 comm="systemd-tmpfile" name="#5b" dev="sda5" ino=1078102676 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=chr_file permissive=0
[ 903.983017] dell-per750-66.rhts.eng.pek2.redhat.com systemd[1]: systemd-tmpfiles-clean.service: Deactivated successfully.
Check systemd-tmpfiles-setup
[root@dell-per750-66 perf]# journalctl -b 0 -u systemd-tmpfiles-setup.service -o short-monotonic
[ 11.355331] localhost systemd[1]: Starting Create Volatile Files and Directories...
[ 11.376514] localhost systemd[1]: Finished Create Volatile Files and Directories.
[ 16.780140] localhost systemd[1]: systemd-tmpfiles-setup.service: Deactivated successfully.
[ 16.780236] localhost systemd[1]: Stopped Create Volatile Files and Directories.
[ 27.197059] localhost systemd[1]: Starting Create Volatile Files and Directories...
[ 27.547915] localhost systemd-tmpfiles[1625]: rm_rf(/var/tmp/ostree-unlock-ovl.JWWTB3): Permission denied
[ 27.741025] localhost systemd-tmpfiles[1625]: "/home" already exists and is not a directory.
[ 27.741146] localhost systemd-tmpfiles[1625]: "/srv" already exists and is not a directory.
[ 27.761049] localhost systemd-tmpfiles[1625]: Failed to create directory or subvolume "/usr/local/man": Read-only file system
[ 27.856346] localhost systemd[1]: Finished Create Volatile Files and Directories.
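
A triage sketch for the denials in this report, added here as an example and not part of the original bug or of any Red Hat tooling. It parses kernel AVC records even when several are run together on one line, groups them by source type, target type, class and permission, and lists names that share a device and inode. The function names are assumptions; the three sample records are copied from the log above.

```python
import re
from collections import defaultdict

# Three records copied from the report above, left run together the way
# a flattened dmesg or journal capture often arrives.
SAMPLE = (
    '[ 28.152547] audit: type=1400 audit(1756110198.662:4): avc: denied { unlink } for pid=1570 '
    'comm="systemd-tmpfile" name=".rpm.lock" dev="sda5" ino=1078102676 '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 '
    'tclass=chr_file permissive=0 '
    '[ 28.560841] audit: type=1400 audit(1756110199.070:5): avc: denied { unlink } for pid=1570 '
    'comm="systemd-tmpfile" name="shadow" dev="sda5" ino=1078102890 '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file permissive=0 '
    '[ 28.562047] audit: type=1400 audit(1756110199.070:6): avc: denied { unlink } for pid=1570 '
    'comm="systemd-tmpfile" name=".pwd.lock" dev="sda5" ino=1078102676 '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 '
    'tclass=chr_file permissive=0'
)

# A kernel AVC record ends with permissive=N, which bounds each match.
AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*?permissive=\d)', re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial, even when records share a line."""
    records = []
    for perms, body in AVC.findall(text):
        rec = {key: value.strip('"') for key, value in FIELD.findall(body)}
        rec["perms"] = perms.split()
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def group_by_rule(records):
    """Group file names by (source type, target type, class, permission)."""
    groups = defaultdict(list)
    for r in records:
        for perm in r["perms"]:
            groups[(r["source_type"], r["target_type"], r["tclass"], perm)].append(r["name"])
    return dict(groups)

def shared_inodes(records):
    """Return (dev, ino) pairs that more than one distinct name resolves to."""
    by_inode = defaultdict(set)
    for r in records:
        by_inode[(r["dev"], r["ino"])].add(r["name"])
    return {k: sorted(v) for k, v in by_inode.items() if len(v) > 1}
```

Run over the full log above, nine of the ten denials fall into a single (systemd_tmpfiles_t, usr_t, chr_file, unlink) group on one inode, while the `shadow` denial is a regular file labelled shadow_t.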