Bug · Resolution: Unresolved · Major · rhel-10.0.z, rhel-10.1.z · Important · rhel-container-tools · 3 · x86_64
What were you trying to do that didn't work?
Running the userspace package test raises an AVC issue. PLEASE NOTE: RHEL-10.2-20251025.0 didn't hit this issue.
[root@dell-per740-10 ~]# sealert -a /var/log/audit/audit.log
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing systemd from prog_run access on the bpf labeled container_runtime_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed prog_run access on bpf labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
Target Objects                Unknown [ bpf ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.9-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.9-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per740-10.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per740-10.rhts.eng.pek2.redhat.com 6.12.0-55.41.1.el10_0.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 20 04:28:03 EDT 2025 x86_64
Alert Count                   20
First Seen                    2025-10-26 23:27:31 EDT
Last Seen                     2025-10-27 03:00:32 EDT
Local ID                      09cab413-b1a7-4623-8148-7e0cc4062e61

Raw Audit Messages
type=AVC msg=audit(1761548432.476:1219): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=bpf permissive=0

Hash: systemd,init_t,container_runtime_t,bpf,prog_run

--------------------------------------------------------------------------------

SELinux is preventing systemd from prog_run access on the bpf labeled container_runtime_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed prog_run access on bpf labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:unconfined_r:container_runtime_t:s0
Target Objects                Unknown [ bpf ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.9-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.9-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per740-10.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per740-10.rhts.eng.pek2.redhat.com 6.12.0-55.41.1.el10_0.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 20 04:28:03 EDT 2025 x86_64
Alert Count                   8
First Seen                    2025-10-26 23:27:46 EDT
Last Seen                     2025-10-27 03:00:54 EDT
Local ID                      beac912b-f8d2-497d-b93e-07558d6e99e9

Raw Audit Messages
type=AVC msg=audit(1761548454.838:1237): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=0

Hash: systemd,init_t,container_runtime_t,bpf,prog_run
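The sealert text above suggests `ausearch -c 'systemd' --raw | audit2allow -M my-systemd`, which turns every denial ever recorded for comm=systemd into allow rules, not only the one this report is about. The script below is an added example (not part of the report, and not Red Hat's or the selinux-policy project's code): it parses raw AVC records into (source type, target type, class, permission) tuples and emits a type-enforcement module restricted to one source type, so the local workaround grants exactly `allow init_t container_runtime_t:bpf { prog_run };` and nothing else. The sample input is the two AVC records quoted in this report plus one constructed, unrelated denial that the filter must leave out; the function and module names (`avc_tuples`, `avc_to_te`, `my_systemd_bpf`) are this example's own.

```shell
#!/bin/bash
# Added example, not code from the report: turn raw AVC records into a minimal
# type-enforcement module for one source type instead of audit2allow's catchall.

# Constructed sample: the two AVC records quoted in the report plus one unrelated
# denial (httpd_t reading a home-directory file) that the filter must leave out.
SAMPLE_AVC='type=AVC msg=audit(1761548432.476:1219): avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=bpf permissive=0
type=AVC msg=audit(1761548454.838:1237): avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(1761548460.000:1240): avc:  denied  { read open } for  pid=4242 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_tuples: stdin = raw audit records; stdout = unique lines of
# "<source type> <target type> <class> <permission>", one per denied permission.
# The MLS/MCS range on the target (s0-s0:c0.c1023) is dropped on purpose:
# a TE allow rule is written against types, not categories.
avc_tuples() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        st = ""; tt = ""; cls = ""; perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # permissions sit between the braces: "{ read open }"
        b = index($0, "{"); e = index($0, "}")
        if (b > 0 && e > b) perms = substr($0, b + 1, e - b - 1)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) if (st != "" && p[j] != "") print st, tt, cls, p[j]
    }' | sort -u
}

# avc_to_te MODULE [SOURCE_TYPE]: stdin = tuples from avc_tuples; stdout = a
# .te module. With SOURCE_TYPE given, tuples from other source types are
# ignored, which is what keeps the module narrower than the catchall.
avc_to_te() {
    awk -v mod="$1" -v want="${2:-}" '
    BEGIN { split("", types); split("", classperms); split("", rules); split("", order) }
    want != "" && $1 != want { next }
    {
        types[$1] = 1; types[$2] = 1
        add(classperms, $3, $4)              # require { class X { perms }; }
        key = $1 " " $2 ":" $3               # "src tgt:class"
        if (!(key in rules)) order[++n] = key
        add(rules, key, $4)                  # allow src tgt:class { perms };
    }
    # append v to the space-separated set arr[k] unless already present
    function add(arr, k, v) {
        if (!(k in arr)) arr[k] = v
        else if (index(" " arr[k] " ", " " v " ") == 0) arr[k] = arr[k] " " v
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "\ttype %s;\n", t
        for (c in classperms) printf "\tclass %s { %s };\n", c, classperms[c]
        printf "}\n\n"
        for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], rules[order[i]]
    }'
}

# Stand-alone run: show the tuples, then the module restricted to init_t.
printf '%s\n' "$SAMPLE_AVC" | avc_tuples
printf '%s\n' "$SAMPLE_AVC" | avc_tuples | avc_to_te my_systemd_bpf init_t
```

On a live host feed it `ausearch -m AVC -ts recent --raw` instead of the sample, write the output to `my_systemd_bpf.te`, then build and load it with `checkmodule -M -m -o my_systemd_bpf.mod my_systemd_bpf.te`, `semodule_package -o my_systemd_bpf.pp -m my_systemd_bpf.mod` and `semodule -X 300 -i my_systemd_bpf.pp` (the same priority sealert suggests). The module is a workaround, not a judgment that the access is correct; that is the policy maintainers' call, which is why sealert says to report it. Once a fixed selinux-policy-targeted is installed, check that the base policy now carries the rule with `sesearch -A -s init_t -t container_runtime_t -c bpf -p prog_run` before removing the local module with `semodule -r my_systemd_bpf`.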
What is the impact of this issue to you?
Running any of the container tests will hit the AVC error.
Please provide the package NVR for which the bug is seen:
RHEL-10.1-updates-20251024.1
RHEL-10.0-updates-20251026.0
How reproducible is this bug?: 100%
Steps to reproduce
- run the script below
#!/bin/bash
# Reproducer from the report. Assumes a Beaker-provisioned RHEL host with
# beaker-AppStream/BaseOS (and optionally NFV/RT) repo files in /etc/yum.repos.d.
# Variables read from the environment: use_nfv_rt_repos (set to "no" to skip the
# NFV/RT repos), driverctl, RPM_DPDK, RPM_DPDK_TOOLS (extra package names for the
# image; may be empty).
set -x

container_setup()
{
    local container_name=$1

    yum install -y wget
    yum install -y podman
    yum install -y nfs-utils            # original lacked -y and would block on the prompt

    . /etc/os-release
    local rhel_major_version
    rhel_major_version=$(echo "$VERSION_ID" | awk -F "." '{print $1}')
    pushd /home &>/dev/null || return 1
    local arch
    arch=$(uname -m)
    local image_file=rhel"$VERSION_ID"_"$arch"
    local tmp_image_file="$image_file"_tmp
    local appstream_baseurl baseos_baseurl nfv_baseurl rt_baseurl
    appstream_baseurl=$(grep baseurl /etc/yum.repos.d/beaker-AppStream.repo | awk -F "=" '{print $2}')
    baseos_baseurl=$(grep baseurl /etc/yum.repos.d/beaker-BaseOS.repo | awk -F "=" '{print $2}')
    if [[ $use_nfv_rt_repos != "no" ]]; then
        nfv_baseurl=$(grep baseurl /etc/yum.repos.d/beaker-NFV.repo | awk -F "=" '{print $2}')
        rt_baseurl=$(grep baseurl /etc/yum.repos.d/beaker-RT.repo | awk -F "=" '{print $2}')
    fi

    rm -f ContainerFile
    podman system prune -a -f

    # One ContainerFile for RHEL 8/9/10: only the UBI base image differs, and
    # the RHEL 10 variant additionally installs wget.
    case $rhel_major_version in
        8|9|10) ;;
        *) echo "unsupported RHEL major version: $rhel_major_version"; popd &>/dev/null; return 1 ;;
    esac
    local extra_pkgs=""
    [[ $rhel_major_version -eq 10 ]] && extra_pkgs="wget"

    # The repo files are written with gpgcheck=0 and the build below uses
    # --tls-verify=false; both are lab-only settings for the internal Beaker mirrors.
    cat > ContainerFile <<EOF
FROM registry.access.redhat.com/ubi${rhel_major_version}/ubi:latest
RUN printf '[beaker-AppStream]\nname=beaker-AppStream\nbaseurl=$appstream_baseurl\nenabled=1\ngpgcheck=0' > /etc/yum.repos.d/beaker-AppStream.repo
RUN printf '[beaker-BaseOS]\nname=beaker-BaseOS\nbaseurl=$baseos_baseurl\nenabled=1\ngpgcheck=0' > /etc/yum.repos.d/beaker-BaseOS.repo
EOF
    if [[ $use_nfv_rt_repos != "no" ]]; then
        cat >> ContainerFile <<EOF
RUN printf '[beaker-NFV]\nname=beaker-NFV\nbaseurl=$nfv_baseurl\nenabled=1\ngpgcheck=0' > /etc/yum.repos.d/beaker-NFV.repo
RUN printf '[beaker-RT]\nname=beaker-RT\nbaseurl=$rt_baseurl\nenabled=1\ngpgcheck=0' > /etc/yum.repos.d/beaker-RT.repo
EOF
    fi
    cat >> ContainerFile <<EOF
RUN dnf -y install $extra_pkgs iproute iputils procps-ng automake $driverctl $RPM_DPDK $RPM_DPDK_TOOLS
CMD ["sleep", "infinity"]
EOF

    podman build --tls-verify=false -f ContainerFile .
    # podman image list sorts newest first, so head -n1 is the image just built
    # (the list now holds that image plus the ubi base image it was built from).
    local image_id
    image_id=$(podman image list --format '{{.ID}}' | head -n1)

    # Privileged container running systemd as its init; this is the setup in
    # which the AVC denials quoted in this report are observed.
    podman run -dt --privileged --systemd=true --name="$container_name" "$image_id"
    podman exec "$container_name" dnf -y install "https://dl.fedoraproject.org/pub/epel/epel-release-latest-$rhel_major_version.noarch.rpm"
    podman exec "$container_name" dnf -y install iperf3 firewalld gcc-c++ make gcc bzip2
    if ! podman exec "$container_name" netperf -V &>/dev/null; then
        podman exec "$container_name" wget -O /root/netperf_install.sh http://netqe-infra01.knqe.eng.rdu2.dc.redhat.com/share/scripts/netperf_install.sh
        podman exec "$container_name" chmod +x /root/netperf_install.sh
        if hostname | grep -q "pek2.redhat.com"; then
            echo "Host system is in PEK2. Updating /root/netperf_install.sh on $container_name accordingly..."
            podman exec "$container_name" sed -i 's/pek2=no/pek2=yes/g' /root/netperf_install.sh
        fi
        podman exec "$container_name" bash /root/netperf_install.sh
    fi

    # Compare host and container VERSION_ID as plain integers (10.1 -> 101);
    # no need for bc here.
    local rhel_minor_version container_rhel_minor_version
    rhel_minor_version=${VERSION_ID//./}
    container_rhel_minor_version=$(podman exec "$container_name" grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | tr -d .)
    if [[ $rhel_minor_version -gt $container_rhel_minor_version ]]; then
        podman exec "$container_name" dnf -y upgrade
        podman exec "$container_name" reboot
        sleep 10s
    fi

    # Commit the prepared container, save it to a tarball, wipe all pods,
    # containers and images, then load the tarball back as the only image
    # (docker-archive doesn't support modifying existing images, hence the round trip).
    podman commit "$container_name"
    sleep 5
    image_id=$(podman image list --format '{{.ID}}' | head -n1)
    podman save "$image_id" -o "$tmp_image_file"
    podman pod rm -af
    podman rm -af
    podman rmi -af
    # post creation tasks
    podman load --input "$tmp_image_file"
    image_id=$(podman image list --format '{{.ID}}' | head -n1)
    rm -rf ContainerFile "$tmp_image_file"
    popd &>/dev/null
    podman run -dt --privileged --systemd=true --name="$container_name" "$image_id"
    podman exec "$container_name" iptables -F
    podman exec "$container_name" ip6tables -F
}

container_setup container2
Expected results
No AVC error.
Actual results
For RHEL 10.1:
[root@012-r760-ee58u24 ~]# sealert -a /var/log/audit/audit.log
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing systemd from prog_run access on the bpf labeled container_runtime_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed prog_run access on bpf labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
Target Objects                Unknown [ bpf ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.7-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.7-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     012-r760-ee58u24.anl.eng.rdu2.dc.redhat.com
Platform                      Linux 012-r760-ee58u24.anl.eng.rdu2.dc.redhat.com 6.12.0-124.8.1.el10_1.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Oct 17 13:03:58 EDT 2025 x86_64
Alert Count                   5
First Seen                    2025-10-26 23:09:58 EDT
Last Seen                     2025-10-26 23:10:03 EDT
Local ID                      27dc47d0-8dc4-4321-b082-2e4a5402601d

Raw Audit Messages
type=AVC msg=audit(1761534603.181:805): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=bpf permissive=0

Hash: systemd,init_t,container_runtime_t,bpf,prog_run

--------------------------------------------------------------------------------

SELinux is preventing systemd from prog_run access on the bpf labeled container_runtime_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed prog_run access on bpf labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:unconfined_r:container_runtime_t:s0
Target Objects                Unknown [ bpf ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.7-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.7-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     012-r760-ee58u24.anl.eng.rdu2.dc.redhat.com
Platform                      Linux 012-r760-ee58u24.anl.eng.rdu2.dc.redhat.com 6.12.0-124.8.1.el10_1.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Oct 17 13:03:58 EDT 2025 x86_64
Alert Count                   2
First Seen                    2025-10-26 23:10:08 EDT
Last Seen                     2025-10-26 23:10:17 EDT
Local ID                      79207ac6-46cc-417b-a465-87f453cb097b

Raw Audit Messages
type=AVC msg=audit(1761534617.436:821): avc: denied { prog_run } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=0

Hash: systemd,init_t,container_runtime_t,bpf,prog_run
For RHEL 10.0: identical to the sealert output quoted under "What were you trying to do that didn't work?" above (host dell-per740-10, selinux-policy-targeted-42.1.9-1.el10, kernel 6.12.0-55.41.1.el10_0).