Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0.beta
Component/s: selinux-policy
Labels:
- dependent-component

Fixed in Build:
selinux-policy-40.13.7-1.el10
Regression:
None
Severity:
None
Epic Link:
SELINUX-3400

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
25
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Products:

.NET, AMQ Streams
Sprint:
None

Acceptance Criteria:

Hide

SELinux policy allows the boothd services to read the /run/systemd/userdb/ directory.

Show
SELinux policy allows the boothd services to read the /run/systemd/userdb/ directory.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/133202
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

I'm running automated booth tests in Beaker.

Beaker job: https://beaker.engineering.redhat.com/recipes/16473538#task179986342,task179986343,task179986344

This is new in RHEL10 and is not happening with RHEl9.

AVC report:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-40.13.2-1.el10.noarch
----
time->Tue Jul  2 09:31:59 2024
type=PROCTITLE msg=audit(1719927119.064:1036): proctitle=626F6F746864006461656D6F6E002D63002F6574632F626F6F74682F626F6F74682E636F6E66
type=SYSCALL msg=audit(1719927119.064:1036): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fe048ca39cf a2=90800 a3=0 items=0 ppid=13894 pid=13949 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="boothd" exe="/usr/sbin/boothd" subj=system_u:system_r:boothd_t:s0 key=(null)
type=AVC msg=audit(1719927119.064:1036): avc:  denied  { read } for  pid=13949 comm="boothd" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
----
time->Tue Jul  2 09:31:59 2024
type=PROCTITLE msg=audit(1719927119.064:1037): proctitle=626F6F746864006461656D6F6E002D63002F6574632F626F6F74682F626F6F74682E636F6E66
type=SYSCALL msg=audit(1719927119.064:1037): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fe048ca39cf a2=90800 a3=0 items=0 ppid=13894 pid=13949 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="boothd" exe="/usr/sbin/boothd" subj=system_u:system_r:boothd_t:s0 key=(null)
type=AVC msg=audit(1719927119.064:1037): avc:  denied  { read } for  pid=13949 comm="boothd" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
----
time->Tue Jul  2 09:32:00 2024
type=PROCTITLE msg=audit(1719927120.078:1039): proctitle=626F6F7468006C697374002D63002F6574632F626F6F74682F626F6F74682E636F6E66
type=SYSCALL msg=audit(1719927120.078:1039): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f37458709cf a2=90800 a3=0 items=0 ppid=13894 pid=13957 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="booth" exe="/usr/sbin/boothd" subj=system_u:system_r:boothd_t:s0 key=(null)
type=AVC msg=audit(1719927120.078:1039): avc:  denied  { read } for  pid=13957 comm="booth" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
----
time->Tue Jul  2 09:32:00 2024
type=PROCTITLE msg=audit(1719927120.079:1040): proctitle=626F6F7468006C697374002D63002F6574632F626F6F74682F626F6F74682E636F6E66
type=SYSCALL msg=audit(1719927120.079:1040): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f37458709cf a2=90800 a3=0 items=0 ppid=13894 pid=13957 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="booth" exe="/usr/sbin/boothd" subj=system_u:system_r:boothd_t:s0 key=(null)
type=AVC msg=audit(1719927120.079:1040): avc:  denied  { read } for  pid=13957 comm="booth" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

blocks

RHEL-40410 Rebase booth to v1.2 (rhel-10.0)

Integration

is duplicated by

RHEL-45906 AVC when running booth tests

Closed

links to

RHBA-2024:133202 selinux-policy bug fix and enhancement update

TCMS Test Case 617767

Assignee:: Zdenek Pytela

Reporter:: Michal Nováček

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/07/02 2:16 PM

Updated:: 2024/08/30 11:44 AM

Target end:: 2024/08/19

Details

Description

What were you trying to do that didn't work?

This is new in RHEL10 and is not happening with RHEl9.

Attachments

Issue Links

Activity

People

Dates