-
Bug
-
Resolution: Unresolved
-
Minor
-
rhel-10.2
-
No
-
Moderate
-
rhel-security-selinux
-
1
-
QE ack
-
False
-
False
-
-
No
-
None
-
-
None
-
Automated
-
Unspecified Release Note Type - Unknown
-
Unspecified
-
Unspecified
-
Unspecified
-
None
What were you trying to do that didn't work?
What is the impact of this issue to you?
AVC denials
Please provide the package NVR for which the bug is seen:
selinux-policy-42.1.14-1.el10.noarch
selinux-policy-targeted-42.1.14-1.el10.noarch
setroubleshoot-plugins-3.3.14-11.el10.noarch
setroubleshoot-server-3.3.35-4.el10.x86_64
How reproducible is this bug?
100%
Steps to reproduce
- install the setroubleshoot-server package
- touch /root/.rpmmacros
- trigger any SELinux denial
- ausearch -m avc -i -ts recent
Actual results:
---- type=PROCTITLE msg=audit(01/23/2026 10:27:37.607:496) : proctitle=rpm -qf /var/lib/selinux/targeted/active/modules/100/usermanage type=PATH msg=audit(01/23/2026 10:27:37.607:496) : item=0 name=/root/.rpmmacros inode=12583246 dev=fc:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(01/23/2026 10:27:37.607:496) : cwd=/ type=SYSCALL msg=audit(01/23/2026 10:27:37.607:496) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x561645fad520 a2=O_RDONLY a3=0x0 items=1 ppid=76404 pid=76408 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:setroubleshootd_t:s0 key=(null) type=AVC msg=audit(01/23/2026 10:27:37.607:496) : avc: denied { read } for pid=76408 comm=rpm name=.rpmmacros dev="vda2" ino=12583246 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0 ----
Expected results:
- no AVCs
- is cloned by
-
RHEL-147470 [rhel-9] SELinux prevents rpm from reading the /root/.rpmmacros file
-
- Planning
-