Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-147470

[rhel-9] SELinux prevents rpm from reading the /root/.rpmmacros file

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • rhel-security-selinux
    • 1
    • QE ack
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The reproducer does not trigger additional SELinux denials.

      Show
      The reproducer does not trigger additional SELinux denials.
    • None
    • Automated
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      What is the impact of this issue to you?

      AVC denials

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.73-1.el9.noarch
      selinux-policy-targeted-38.1.73-1.el9.noarch
      setroubleshoot-plugins-3.3.14-4.el9.noarch
      setroubleshoot-server-3.3.35-2.el9.x86_64

      How reproducible is this bug?

      100%

      Steps to reproduce

      1. install the setroubleshoot-server package
      2. touch /root/.rpmmacros
      3. trigger any SELinux denial
      4. ausearch -m avc -i -ts recent

      Actual results:

      ----
      type=PROCTITLE msg=audit(02/09/2026 04:20:00.501:350) : proctitle=rpm -qf /var/lib/selinux/targeted/active/modules/100/usermanage 
      type=SYSCALL msg=audit(02/09/2026 04:20:00.501:350) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x558a17a07f70 a2=O_RDONLY a3=0x0 items=0 ppid=5655 pid=5658 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:setroubleshootd_t:s0 key=(null) 
      type=AVC msg=audit(02/09/2026 04:20:00.501:350) : avc:  denied  { read } for  pid=5658 comm=rpm name=.rpmmacros dev="vda1" ino=12586997 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
      ----
      

      Expected results:

      • no AVCs

              rhn-support-zpytela Zdenek Pytela
              rhn-support-hhan Han Han
              Zdenek Pytela Zdenek Pytela
              Veronika Syncakova Veronika Syncakova
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: