RHEL-44638

SELinux is preventing systemd-networkd from accessing /var/run

    • Bug
    • Resolution: Duplicate
    • Minor
    • rhel-9.5
    • selinux-policy
    • sst_security_selinux
    • ssg_security
    • x86_64

      What were you trying to do that didn't work?

      Running the Cockpit test suite generates a systemd-networkd selinux violation. This is a new access error which happens after:

      selinux-policy (38.1.39-1.el9 -> 38.1.40-1.el9)
      selinux-policy-targeted (38.1.39-1.el9 -> 38.1.40-1.el9)
      systemd (252-35.el9 -> 252-37.el9)
      systemd-container (252-35.el9 -> 252-37.el9)
      systemd-libs (252-35.el9 -> 252-37.el9)
      systemd-pam (252-35.el9 -> 252-37.el9)
      systemd-resolved (252-35.el9 -> 252-37.el9)
      systemd-rpm-macros (252-35.el9 -> 252-37.el9)
      systemd-udev (252-35.el9 -> 252-37.el9)

      Please provide the package NVR for which the bug is seen:

      selinux-policy 38.1.40-1.el9

      How reproducible:

      Steps to reproduce

      Expected results

      No SELinux issue

      Actual results

      Jun 24 06:09:21 rhel-9-5-127-0-0-2-2201 kernel: audit: type=1404 audit(1719223760.939:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
      Jun 24 06:09:21 rhel-9-5-127-0-0-2-2201 kernel: audit: type=1403 audit(1719223760.990:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
      Jun 24 06:09:21 rhel-9-5-127-0-0-2-2201 kernel: audit: type=1400 audit(1719223761.459:4): avc: denied { create } for pid=929 comm="systemd-network" name=".#networkayixSB" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0

      [root@rhel-9-5-127-0-0-2-2201 ~]# systemctl --failed
      UNIT LOAD ACTIVE SUB DESCRIPTION
      ● kdump.service loaded failed failed Crash recovery kernel arming
      ● systemd-network-generator.service loaded failed failed Generate network units from Kernel command line

      https://cockpit-logs.us-east-1.linodeobjects.com/pull-6541-9e3b054a-20240623-225412-rhel-9-5-storage-cockpit-project-cockpit/log.html#36
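The following is an added example, not code from this report, from Cockpit or from selinux-policy. It parses AVC lines of the form quoted above into their fields and prints the allow rule audit2allow would derive from them, which is the usual first triage step for a denial like this. Two things the parse makes visible: the source type is systemd_network_generator_t (the generator, matching the failed systemd-network-generator.service), not a systemd-networkd domain, and permissive=0 means the create was actually refused rather than only logged. The `.#`-prefixed name is the temporary file systemd writes before renaming it into place. The first sample line is the denial from the report; the second is constructed here to show how permissions for the same source/target/class are merged. The rule it emits is what a local module would have to grant; it is not the resolution of this issue, which was closed as a duplicate.

```python
import re
from datetime import datetime, timezone

# The denial quoted in the bug report, rejoined onto a single journal line.
AVC_FROM_REPORT = (
    'Jun 24 06:09:21 rhel-9-5-127-0-0-2-2201 kernel: audit: type=1400 '
    'audit(1719223761.459:4): avc: denied { create } for pid=929 '
    'comm="systemd-network" name=".#networkayixSB" '
    'scontext=system_u:system_r:systemd_network_generator_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0'
)

# Constructed line (not from the report): two permissions and permissive=1,
# to show that summarize() merges permissions per (source, target, class).
AVC_CONSTRUCTED = (
    'type=1400 audit(1719223761.500:5): avc: denied { read open } for pid=929 '
    'comm="systemd-network" path="/run/systemd/network/10-eth0.network" '
    'scontext=system_u:system_r:systemd_network_generator_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1'
)

_AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s*avc:\s*denied\s*'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$'
)
# key=value pairs; a value is either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _ctx_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in _KV_RE.findall(m.group('fields')):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    epoch = int(m.group('epoch'))
    return {
        'time_utc': datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        'serial': int(m.group('serial')),
        'perms': sorted(m.group('perms').split()),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        # name= carries the basename on a create; path= appears for existing objects.
        'object': fields.get('path') or fields.get('name'),
        'source_type': _ctx_type(fields['scontext']),
        'target_type': _ctx_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=0 means the access was blocked, not merely logged.
        'enforced': fields.get('permissive') == '0',
    }


def allow_rule(source_type, target_type, tclass, perms):
    """Format a TE allow rule in the style audit2allow prints."""
    perms = sorted(set(perms))
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {source_type} {target_type}:{tclass} {body};'


def summarize(lines):
    """Group denials by (source, target, class) and emit one allow rule per group.

    Non-AVC lines are skipped. The output shows what a local module would have
    to grant; whether that grant belongs in policy, or the file should carry a
    different label, is a separate decision.
    """
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        groups.setdefault(key, set()).update(rec['perms'])
    return [allow_rule(*key, perms) for key, perms in sorted(groups.items())]


if __name__ == '__main__':
    print(parse_avc(AVC_FROM_REPORT))
    for rule in summarize([AVC_FROM_REPORT, AVC_CONSTRUCTED]):
        print(rule)
```

On a live system the same lines come from `ausearch -m AVC -ts recent` or `journalctl -k`; feed them to summarize() and compare its output with `audit2allow -w` before deciding whether the policy or the file label is wrong.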

            Zdenek Pytela (rhn-support-zpytela)
            Jelle van der Waa (jvanderw@redhat.com)
            SSG Security QE