RHEL-123737

avc: denied { write } for comm=tlshd name=source dev="dm-0"


    • rhel-security-selinux

      What were you trying to do that didn't work?

      After tlshd (ktls-utils) was improved to support post-quantum ML-DSA certificates, a new AVC denial is reported when mounting NFS with an ML-DSA certificate configured.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      selinux-policy-42.1.7-1.el10

      ktls-utils-1.2.1-2.el10

      How reproducible is this bug?:

      always

      Steps to reproduce

      1.  
      2.  
      3.  

      Expected results

      Actual results

      [root@dell-per660-21 ~]# exportfs -v
      /export_test    <world>(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash,xprtsec=tls:mtls)
      [root@dell-per660-21 ~]# grep ^[^#] /etc/tlshd.conf
      [debug]
      loglevel=1
      tls=1
      nl=1
      [authenticate]
      [authenticate.client]
      x509.certificate=/etc/nfs-server-rsa.crt
      x509.private_key=/etc/nfs-server-rsa.key
      x509.pq.certificate=/etc/nfs-server-mldsa.crt
      x509.pq.private_key=/etc/nfs-server-mldsa.key
      [authenticate.server]
      x509.certificate=/etc/nfs-server-rsa.crt
      x509.private_key=/etc/nfs-server-rsa.key
      x509.pq.certificate=/etc/nfs-server-mldsa.crt
      x509.pq.private_key=/etc/nfs-server-mldsa.key
      [root@dell-per660-21 ~]# systemctl restart tlshd
      [root@dell-per660-21 ~]# grep denied /var/log/audit/audit.log
      [root@dell-per660-21 ~]# mount.nfs4 $HOSTNAME:/export_test/ /mnt_test/ -o xprtsec=mtls
      [root@dell-per660-21 ~]# grep denied /var/log/audit/audit.log
      type=AVC msg=audit(1761275393.108:359): avc:  denied  { write } for  pid=28727 comm="tlshd" name="source" dev="dm-0" ino=150996217 scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1761275393.108:360): avc:  denied  { map } for  pid=28727 comm="tlshd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=150996218 scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1761275393.109:361): avc:  denied  { map } for  pid=28727 comm="tlshd" path="/etc/pki/ca-trust/source/dell-per660-21.rhts.eng.pek2.redhat.com.1.p11-kit" dev="dm-0" ino=151105883 scontext=system_u:system_r:ktlshd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1761275393.169:362): avc:  denied  { write } for  pid=28727 comm="tlshd" scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
      [root@dell-per660-21 ~]#
      [root@dell-per660-21 ~]# rpm -q selinux-policy ktls-utils
      selinux-policy-42.1.7-1.el10.noarch
      ktls-utils-1.2.1-2.el10.x86_64
      [root@dell-per660-21 ~]#
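      To triage the denials above, here is an added Python example (not part of the issue, and not how selinux-policy or ktls-utils handle it) that parses these AVC records and aggregates them into the candidate allow rules a policy change would have to cover, in the same spirit as audit2allow. The sample records are copied from the audit.log excerpt above.

```python
import re
from collections import defaultdict

# Sample AVC records, taken from the audit.log excerpt in this issue.
AVC_LINES = """\
type=AVC msg=audit(1761275393.108:359): avc:  denied  { write } for  pid=28727 comm="tlshd" name="source" dev="dm-0" ino=150996217 scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1761275393.108:360): avc:  denied  { map } for  pid=28727 comm="tlshd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=150996218 scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1761275393.109:361): avc:  denied  { map } for  pid=28727 comm="tlshd" path="/etc/pki/ca-trust/source/dell-per660-21.rhts.eng.pek2.redhat.com.1.p11-kit" dev="dm-0" ino=151105883 scontext=system_u:system_r:ktlshd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1761275393.169:362): avc:  denied  { write } for  pid=28727 comm="tlshd" scontext=system_u:system_r:ktlshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
"""

# Matches the permission set, source/target contexts, class and permissive flag
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The SELinux type is the third colon-separated field of a context
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but not actually blocked
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def allow_rules(lines):
    """Aggregate denials into (source type, target type, class) -> sorted permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def format_rules(rules):
    """Render the aggregated tuples as policy-language allow statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for rule in format_rules(allow_rules(AVC_LINES.splitlines())):
        print(rule)
```

      The output lists which accesses the ktlshd_t domain needs on cert_t and on kernel keyrings; whether each one should be granted directly, handled through an interface, or points at a different label for the p11-kit files is the policy maintainer's call, not something to paste in as-is.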

              rhn-support-zpytela Zdenek Pytela
              rhn-support-yoyang Yongcheng Yang
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik