RHEL-111946

SELinux is blocking NetworkManager dispatcher from starting the nvmf-connect-nbft.service

    • rhel-security-selinux
    • x86_64

      What were you trying to do that didn't work?

      When attempting to provision a system that boots from SAN over NVMe-TCP, we are hitting the following in the AVC log:

      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Memory protection checking:     actual (secure)
      Max kernel policy version:      33
      selinux-policy-42.1.7-1.el10.noarch
      ----
      time->Thu Aug 28 18:32:16 2025
      type=USER_AVC msg=audit(1756420336.221:48): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/nvmf-connect-nbft.service" cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_nvme_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
      ----
      time->Thu Aug 28 18:32:16 2025
      type=USER_AVC msg=audit(1756420336.308:52): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/nvmf-connect-nbft.service" cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_nvme_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

      Below are the jobs where the issue is observed:

      https://beaker.engineering.redhat.com/jobs/11596932

      https://beaker.engineering.redhat.com/jobs/11597271

      What is the impact of this issue to you?

      May break the multipath reconnect functionality

      Please provide the package NVR for which the bug is seen:

      RHEL-10.1-20250826.2

      rpm -qa selinux-policy
      selinux-policy-42.1.7-1.el10.noarch

      How reproducible is this bug?:

      Often

      Steps to reproduce

      1. See above
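
Added example, not part of the original report or of selinux-policy: Python that reduces the two USER_AVC records quoted above to the distinct (source type, target type, class, permission) tuple a policy review would look at, and counts repeats. The function names are hypothetical, and the rule string it prints is a triage summary in allow-rule syntax, not a fix stated on this page.

```python
import re
from collections import Counter

# The two USER_AVC records from the report (the "time->" separator lines are omitted).
SAMPLE = """\
type=USER_AVC msg=audit(1756420336.221:48): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/nvmf-connect-nbft.service" cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_nvme_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1756420336.308:52): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/nvmf-connect-nbft.service" cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_nvme_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)
PATH_RE = re.compile(r'path="([^"]+)"')

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_denials(text):
    """Extract one dict per AVC denial found in raw audit log text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record
        path = PATH_RE.search(line)
        denials.append({
            "source": context_type(m["scontext"]),
            "target": context_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": tuple(sorted(m["perms"].split())),
            "enforced": m["permissive"] == "0",  # permissive=0: access was blocked
            "path": path.group(1) if path else None,
        })
    return denials

def summarize(denials):
    """Count denials per distinct (source, target, class, perms) tuple."""
    return Counter((d["source"], d["target"], d["tclass"], d["perms"]) for d in denials)

def as_rule(key):
    """Render a tuple in allow-rule syntax for review (summary only, not a fix)."""
    source, target, tclass, perms = key
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {perm_text};"

if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE)).items():
        print(count, as_rule(key))
```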

              rhn-support-zpytela Zdenek Pytela
              mpatalan Marco Patalano
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE