Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Minor
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.4
Component/s: selinux-policy
Labels:
- known_issue_94

Fixed in Build:
selinux-policy-38.1.43-1.el9
Regression:
None
Severity:
Moderate
Epic Link:
SELINUX-3400
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
23
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
CY24Q2

Acceptance Criteria:

Hide

The automated test does not trigger any SELinux denials.

Show
The automated test does not trigger any SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/130707
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:
Architecture:

x86_64

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Everything seems to work as expected, but SELinux denials appear.

Please provide the package NVR for which bug is seen:

kernel-5.14.0-425.el9.x86_64
kernel-core-5.14.0-425.el9.x86_64
kernel-modules-5.14.0-425.el9.x86_64
kernel-modules-core-5.14.0-425.el9.x86_64
kernel-tools-5.14.0-425.el9.x86_64
kernel-tools-libs-5.14.0-425.el9.x86_64
microcode_ctl-20230808-2.20231009.1.el9_3.noarch
selinux-policy-38.1.33-1.el9.noarch
selinux-policy-devel-38.1.33-1.el9.noarch
selinux-policy-targeted-38.1.33-1.el9.noarch

How reproducible:

always on bare metal machines

Steps to reproduce

get a RHEL-9.4 machine (targeted policy is active)
run the following automated test: /CoreOS/selinux-policy/Regression/microcode-and-similar
search for SELinux denials

Expected results

no SELinux denials

Actual results (enforcing mode)

----
type=PROCTITLE msg=audit(02/27/2024 07:10:25.660:597) : proctitle=/usr/bin/bash -efu /usr/libexec/microcode_ctl/reload_microcode 
type=PATH msg=audit(02/27/2024 07:10:25.660:597) : item=0 name=/sys/devices/system/cpu/microcode/ inode=112738 dev=00:15 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/27/2024 07:10:25.660:597) : cwd=/ 
type=SYSCALL msg=audit(02/27/2024 07:10:25.660:597) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x559659d372f0 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=1 ppid=1 pid=42698 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reload_microcod exe=/usr/bin/bash subj=system_u:system_r:cpucontrol_t:s0 key=(null) 
type=AVC msg=audit(02/27/2024 07:10:25.660:597) : avc:  denied  { write } for  pid=42698 comm=reload_microcod name=microcode dev="sysfs" ino=112738 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 
----

links to

github pr

RHBA-2024:130707 selinux-policy bug fix and enhancement update

TCMS Test Case 590686

Assignee:: Zdenek Pytela

Reporter:: Milos Malik

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/02/27 12:21 PM

Updated:: 2024/11/12 9:39 AM

Resolved:: 2024/11/12 9:39 AM

Target end:: 2024/08/05

Release Date:: 2024/11/12

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results (enforcing mode)

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates