Bug
Resolution: Duplicate
rhel-10.0.beta
rhel-sst-security-selinux
ssg_security
What were you trying to do that didn't work?
See the avc denied log below from the cloud-init test.
# dmesg | grep -i denied
[ 3.912579] audit: type=1400 audit(1717573836.383:4): avc: denied { map_read map_write } for pid=538 comm="nfs-server-gene" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.922753] audit: type=1400 audit(1717573836.393:5): avc: denied { map_read map_write } for pid=544 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.927225] audit: type=1400 audit(1717573836.397:6): avc: denied { map_read map_write } for pid=546 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.941720] audit: type=1400 audit(1717573836.412:7): avc: denied { map_read map_write } for pid=552 comm="systemd-sysv-ge" scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.945445] audit: type=1400 audit(1717573836.416:8): avc: denied { map_read map_write } for pid=549 comm="systemd-rc-loca" scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.1-1.el10.noarch
selinux-policy-targeted-40.13.1-1.el10.noarch
cloud-init-24.1.4-6.el10.noarch
How reproducible:
100%
Steps to reproduce
1. Deploy a VM with cloud-init pre-installed on OpenStack
2. Log in to the VM and check
Expected results
No avc denied log
Actual results
There are some avc denied messages:
# dmesg | grep -i denied
[ 3.912579] audit: type=1400 audit(1717573836.383:4): avc: denied { map_read map_write } for pid=538 comm="nfs-server-gene" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.922753] audit: type=1400 audit(1717573836.393:5): avc: denied { map_read map_write } for pid=544 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.927225] audit: type=1400 audit(1717573836.397:6): avc: denied { map_read map_write } for pid=546 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.941720] audit: type=1400 audit(1717573836.412:7): avc: denied { map_read map_write } for pid=552 comm="systemd-sysv-ge" scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.945445] audit: type=1400 audit(1717573836.416:8): avc: denied { map_read map_write } for pid=549 comm="systemd-rc-loca" scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
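The denials above all share one shape: a different source domain each time (the systemd generators and nfsd_t), but the same target type init_t, the same class bpf and the same permissions map_read map_write, all in enforcing mode. As an added example that is not part of the bug report, the following Python parser pulls those fields out of AVC records, re-joins records that were wrapped onto a "for pid=" continuation line (as they appear in the report), skips truncated lines it cannot parse, and groups source domains by (target type, class, permissions) so a triager can see at a glance that five denials are one policy gap rather than five. The sample input is constructed from the lines quoted in the report plus one deliberately truncated line; the regular expression and field names are this example's own, not part of any Red Hat tooling.

```python
import re
from collections import defaultdict

# Constructed sample: the five denials quoted in the report. Two records are
# wrapped onto a continuation line, as the report shows them, and the last
# line is a truncated header with no body, so both edge cases get exercised.
SAMPLE_DMESG = """\
[ 3.912579] audit: type=1400 audit(1717573836.383:4): avc: denied { map_read map_write } for pid=538 comm="nfs-server-gene" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.922753] audit: type=1400 audit(1717573836.393:5): avc: denied { map_read map_write }
for pid=544 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.927225] audit: type=1400 audit(1717573836.397:6): avc: denied { map_read map_write } for pid=546 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.941720] audit: type=1400 audit(1717573836.412:7): avc: denied { map_read map_write }
for pid=552 comm="systemd-sysv-ge" scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.945445] audit: type=1400 audit(1717573836.416:8): avc: denied { map_read map_write } for pid=549 comm="systemd-rc-loca" scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
[ 3.950000] audit: type=1400 audit(1717573836.420:9): avc: denied
"""

# Fields of a type=1400 AVC denial as printed by the kernel (own regex).
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)


def join_wrapped(text):
    """Re-join AVC records that a terminal or paste wrapped onto a second line.

    dmesg prints each record on one line; a wrapped tail starts with 'for pid='
    and belongs to the line before it.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("for ") and lines:
            lines[-1] = lines[-1] + " " + line
        else:
            lines.append(line)
    return lines


def se_type(context):
    """Return the type field of an SELinux context user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Parse AVC denial records from dmesg text; return (records, rejected_lines)."""
    records, rejected = [], []
    for line in join_wrapped(text):
        m = AVC_RE.search(line)
        if not m:
            rejected.append(line)  # truncated or non-AVC line: keep it visible
            continue
        records.append({
            "serial": int(m["serial"]),
            "pid": int(m["pid"]),
            "comm": m["comm"],
            "stype": se_type(m["scontext"]),
            "ttype": se_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": tuple(sorted(m["perms"].split())),
            "enforced": m["permissive"] == "0",  # permissive=0 means the access was blocked
        })
    return records, rejected


def group_by_signature(records):
    """Group source domains by (target type, class, permissions).

    Many source domains sharing one signature usually means one missing rule
    or interface in the policy, not many independent bugs.
    """
    groups = defaultdict(set)
    for r in records:
        groups[(r["ttype"], r["tclass"], r["perms"])].add(r["stype"])
    return {sig: sorted(domains) for sig, domains in groups.items()}


if __name__ == "__main__":
    recs, bad = parse_avc(SAMPLE_DMESG)
    for (ttype, tclass, perms), domains in group_by_signature(recs).items():
        print(f"{tclass} {{ {' '.join(perms)} }} on {ttype}: {', '.join(domains)}")
    print(f"{len(bad)} line(s) could not be parsed")
```

Running it on the sample prints a single signature, bpf { map_read map_write } on init_t, with all five source domains listed under it, and reports the one truncated line as unparsed instead of silently dropping it.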
duplicates: RHEL-37631 various systemd generators trigger { map_read map_write } denials (Release Pending)