- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.4
- selinux-policy-38.1.53-5.el9_6
- No
- Moderate
- 3
- rhel-security-selinux
- ssg_security
- 18
- 1
- QE ack
- False
- False
- No
- SELINUX 241016 - 241106, SELINUX 241106 - 241127, SELINUX 241127 - 241218
- Pass
- Automated
- Release Note Not Required
- All
- None
What were you trying to do that didn't work?
Use systemd-sysctl after adding a conf in /run/sysctl.d/
Please provide the package NVR for which the bug is seen:
# rpm -q selinux-policy
selinux-policy-38.1.35-2.el9_4.2.noarch
How reproducible:
100%
Steps to reproduce
I'm using a Python script running under systemd to create the conf file, so the type is actually var_run_t; smallest reproducer:
systemd-run /bin/bash -c 'mkdir -pZ /run/sysctl.d; echo "net.ipv4.conf.eno1.rp_filter=0" > /run/sysctl.d/51-rp_filter.conf; restorecon -v /run/sysctl.d/51-rp_filter.conf; /usr/lib/systemd/systemd-sysctl --prefix=net.ipv4.conf'
Expected results
It works
Actual results
# ls -laZ /run/sysctl.d/
total 4
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Sep  3 12:48 .
drwxr-xr-x. 41 root root system_u:object_r:var_run_t:s0 1040 Sep  3 12:48 ..
-rw-r--r--.  1 root root system_u:object_r:var_run_t:s0   31 Sep  3 12:48 51-rp_filter.conf

# audit2allow -b -v

#============= systemd_sysctl_t ==============
# src="systemd_sysctl_t" tgt="var_run_t" class="file", perms="{ getattr ioctl open read }"
# comm="systemd-sysctl" exe="" path=""
allow systemd_sysctl_t var_run_t:file { getattr ioctl open read };

(this is the result when SELinux is permissive)
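The denial above is a labelling gap rather than a genuine policy violation: the file created under /run/sysctl.d kept the generic var_run_t label even after restorecon, and the systemd_sysctl_t domain has no rule to read that type. When triaging such reports it helps to read the source type, target type, object class and denied permissions straight off the raw AVC record, which is what audit2allow -v summarises. The script below is an added example, not part of the bug report or of selinux-policy; it parses a constructed AVC line modelled on this report (the pid, inode and timestamp are made-up placeholders) and prints the equivalent allow rule plus whether the access was actually blocked or only logged because the domain was permissive.

```shell
#!/bin/bash
# Added example (not from the bug report): summarise an SELinux AVC denial
# line the way audit2allow -v does, so the source/target types, object class
# and denied permissions can be read off without running audit2allow.

# Constructed sample denial modelled on the report above. The pid, inode and
# audit timestamp are made-up placeholders, not values from the bug.
SAMPLE_AVC='type=AVC msg=audit(1725360480.123:456): avc:  denied  { read open } for  pid=1234 comm="systemd-sysctl" name="51-rp_filter.conf" dev="tmpfs" ino=12345 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1'

# Extract the SELinux type (third colon-separated field) from a context
# string such as system_u:object_r:var_run_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one key=value field (scontext, tcontext, tclass, permissive, ...)
# out of an AVC line. $1 = AVC line, $2 = key.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The denied permissions are the brace-delimited list after "denied";
# xargs collapses the surrounding whitespace.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' | xargs
}

# Print an allow rule in audit2allow's output form, followed by a note on
# whether the access was blocked or merely logged (permissive=1).
avc_summary() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    mode=$(avc_field "$line" permissive)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
    if [ "$mode" = "1" ]; then
        printf '# logged only: domain was permissive, access was not blocked\n'
    else
        printf '# denied: access was blocked\n'
    fi
}

avc_summary "$SAMPLE_AVC"
```

A target type of var_run_t on a file under a directory that a confined domain is expected to read is the signal that the file-context database, not the domain's rule set, is what needs fixing; the issue fields above record that the fix shipped in selinux-policy-38.1.53-5.el9_6.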
- is cloned by RHEL-58380 [rhel-10] selinux prevents systemd-sysctl from using /run/sysctl.d/ (Closed)
- links to RHBA-2024:139849 selinux-policy bug fix and enhancement update