RHEL-54591

[rhel-10] SELinux denies getattr and read on /run/modprobe.d/fips.conf

    • selinux-policy-40.13.10-1.el10
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • SELINUX 241016 - 241106

      The latest cockpit CI rhel-10 image refresh shows a regression with enabling FIPS policy.

      Reproducer:

      fips-mode-setup --enable
      reboot
      

      After that this triggers two new rejections:

      audit: type=1400 audit(1723809312.521:4): avc:  denied  { getattr } for  pid=838 comm="systemd-modules" path="/run/modprobe.d/fips.conf" dev="tmpfs" ino=120 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
      audit: type=1400 audit(1723809312.522:5): avc:  denied  { read } for  pid=838 comm="systemd-modules" name="fips.conf" dev="tmpfs" ino=120 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
      

      Relevant package updates:

      • crypto-policies (20240802-1.git8cb6f2d.el10 -> 20240807-1.git7ea320f.el10)
      • selinux-policy (40.13.6-1.el10 -> 40.13.7-1.el10)
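For triaging denials like the two above, the following script (added here as an illustration; it is not part of the issue or of selinux-policy) parses AVC records into their fields, groups the denials by source type, target type and object class, and renders the allow rule that audit2allow would produce for each group. The two log lines are constructed copies of the records quoted in the description.

```python
import re
from collections import defaultdict

# Constructed copies of the two AVC records quoted in the issue description.
AVC_LINES = [
    'audit: type=1400 audit(1723809312.521:4): avc:  denied  { getattr } for  pid=838 comm="systemd-modules" path="/run/modprobe.d/fips.conf" dev="tmpfs" ino=120 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'audit: type=1400 audit(1723809312.522:5): avc:  denied  { read } for  pid=838 comm="systemd-modules" name="fips.conf" dev="tmpfs" ino=120 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
]

# "avc:  denied  { getattr read } for  key=value ..." -> verdict, permission list, rest
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    """Third colon-separated field of an SELinux context (user:role:type:level)."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else context

def parse_avc(line):
    """Return verdict, permission set and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    return rec

def summarize(lines):
    """Group enforcing-mode denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and rec.get("permissive") == "0":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule audit2allow would emit for it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(AVC_LINES)):
        print(rule)
```

The rendered rule only states what the loaded policy currently forbids; whether the right fix is that rule or a different label for files under /run/modprobe.d is a policy decision the parser does not make.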

              rhn-support-zpytela Zdenek Pytela
              rhn-engineering-mpitt Martin Pitt
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik