Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-9.5
Affects Version/s: CentOS Stream 9
Component/s: selinux-policy
Labels:
- dependent-component
- systemd-selinux

Fixed in Build:
selinux-policy-38.1.44-1.el9
Regression:
None
Severity:
None
Epic Link:
SELINUX-3400

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
25
Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Acceptance Criteria:

Hide

The systemd-network-generator service does not trigger SELinux denials when executed in Stream CoreOS environment.

Show
The systemd-network-generator service does not trigger SELinux denials when executed in Stream CoreOS environment.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/130707
Test Coverage:
None

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Use systemd-network-generator.service in a build of SCOS (Stream CoreOS).

Please provide the package NVR for which bug is seen:

selinux-policy-38.1.41-1.el9.noarch (c9s-baseos)

systemd-252-38.el9.x86_64 (c9s-baseos)

How reproducible:

Always

Steps to reproduce

Build SCOS (using `--variant c9s` (see step 4 in https://coreos.github.io/coreos-assembler/working/#im-a-contributor-investigating-a-coreos-bug-how-can-i-test-my-fixes)
Run e.g. `coreos-assembler kola run ext.config.shared.networking.nameserver`

Expected results

Test passes

Actual results

Jul 10 15:16:27.352220 kernel: audit: type=1400 audit(1720624587.157:4): avc: denied { create } for pid=1365 comm="systemd-network" name=".#networkLisqyO" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0

blocks

COS-2842 Stand up the c9s stream in the RHCOS pipeline

Closed

is duplicated by

RHEL-44638 SELinux is preventing systemd-networkd from accessing /var/run

Closed

links to

openshift/os#1514: c9s: coreos-installer-generator hitting SELinux denials, breaking ISO tests

openshift/os#1544: NO-JIRA: kola-denylist: add fips.* and ext.config.shared.networking.* on c9s

openshift/os#1556: OKD-223: Load custom SELinux rules in SCOS and workaround afterburn failures

RHBA-2024:130707 selinux-policy bug fix and enhancement update

(1 links to)

Assignee:: Zdenek Pytela

Reporter:: Jonathan Lebon

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/07/10 4:04 PM

Updated:: 2024/11/12 9:37 AM

Resolved:: 2024/11/12 9:37 AM

Target end:: 2024/08/19

Release Date:: 2024/11/12

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates