RHEL-126978

[9.6.z] selinux reports avc denied during installation of coreos-installer-bootinfra


      The reproducer does not trigger SELinux denials.


      What were you trying to do that didn't work?

      Install the coreos-installer-bootinfra package

      What is the impact of this issue to you?

      It is causing a failure during the coreos-installer CI in the osci.installability, see log https://artifacts.osci.redhat.com/testing-farm/80e2e76d-975d-4a5f-83c6-c19145bce051/

      type=PROCTITLE msg=audit(11/07/2025 01:42:41.841:675) : proctitle=/usr/bin/bash /usr/lib/systemd/system-generators/coreos-installer-generator /run/systemd/generator /run/systemd/generator.early 
      
      type=SYSCALL msg=audit(11/07/2025 01:42:41.841:675) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x55896369bc70 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=4655 pid=4657 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=coreos-installe exe=/usr/bin/bash subj=system_u:system_r:coreos_installer_t:s0 key=(null) 
      
      type=AVC msg=audit(11/07/2025 01:42:41.841:675) : avc: denied { search } for pid=4657 comm=coreos-installe name=sss dev="xvda4" ino=16908422 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.53-5.el9_6.noarch

      How reproducible is this bug?:

      Install the coreos-installer-bootinfra package on a RHEL system which contains selinux-policy-targeted version 38.1.53-5.el9_6

      Steps to reproduce

      1. execute:
        dnf install coreos-installer-bootinfra
      2. execute:
        ausearch -m avc --raw | audit2why

        You should see:

      type=AVC msg=audit(11/07/2025 01:42:41.841:675) : avc:  denied  { search } for  pid=4657 comm=coreos-installe name=sss dev="xvda4" ino=16908422 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1

      Expected results

      Do not see an avc denied in the audit logs.

      Actual results

      type=AVC msg=audit(11/07/2025 01:42:41.841:675) : avc: denied { search } for pid=4657 comm=coreos-installe name=sss dev="xvda4" ino=16908422 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1

              rhn-support-zpytela Zdenek Pytela
              tbueno@redhat.com Tiago Bueno
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
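An added example, not part of the original report or of any Red Hat tooling: a small Python parser that groups the audit records quoted in the report by event serial and, for each AVC denial, reports the source and target types, the permission, the associated syscall result, and whether the access was actually blocked (permissive=1 means the denial was only logged). The function name `summarize` and the summary keys are assumptions of this example.

```python
import re

# Records copied from the report above (ausearch interpreted format);
# the SYSCALL record is shortened to the fields used here.
SAMPLE = '''\
type=SYSCALL msg=audit(11/07/2025 01:42:41.841:675) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) comm=coreos-installe exe=/usr/bin/bash subj=system_u:system_r:coreos_installer_t:s0
type=AVC msg=audit(11/07/2025 01:42:41.841:675) : avc:  denied  { search } for  pid=4657 comm=coreos-installe name=sss dev="xvda4" ino=16908422 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((.*?):(\d+)\)\s*:\s*(.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def summarize(text):
    """Group records by audit event serial and describe each AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _stamp, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = body
    out = []
    for serial, recs in events.items():
        avc = recs.get('AVC')
        perms = PERMS.search(avc) if avc else None
        if not perms:
            continue
        f = dict(FIELD.findall(avc))
        sc = dict(FIELD.findall(recs.get('SYSCALL', '')))
        out.append({
            'serial': int(serial),
            'source_type': f['scontext'].split(':')[2],
            'target_type': f['tcontext'].split(':')[2],
            'tclass': f['tclass'],
            'perms': perms.group(1).split(),
            # permissive=1: denial was logged but access was not blocked;
            # a missing field is treated as enforcing.
            'blocked': f.get('permissive', '0') == '0',
            'syscall': sc.get('syscall'),
            'syscall_exit': sc.get('exit', '').split('(')[0] or None,
        })
    return out


if __name__ == '__main__':
    for denial in summarize(SAMPLE):
        print(denial)
```

On the records in this report the summary shows `blocked` as false and the `openat` result as ENOENT rather than EACCES, so the CI failure comes from the AVC being logged, not from the generator being stopped by SELinux.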