Bug
Resolution: Unresolved
Normal
rhel-10.0.beta
rhel-sst-container-tools
x86_64
What were you trying to do that didn't work?
Seeing error messages during ovs-dpdk tests.
What is the impact of this issue to you?
Please provide the package NVR for which the bug is seen:
6.11.0-0.rc5.22.el10.x86_64
DISTRO=RHEL-10.0-20240901.1
container-selinux-3:2.232.1-3.el10.noarch
selinux-policy-40.13.9-1.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
- My test used DISTRO=RHEL-10.0-20240901.1
- yum install -y container-selinux
Expected results
No errors during container-selinux installation and no avc errors.
Actual results
yum install -y container-selinux
(there are many error logs during the installation as below)
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt/cil: Permission denied
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt/hll: Permission denied
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt/lang_ext: Permission denied
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt: Permission denied
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/accountsd/cil: Permission denied
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/accountsd/hll: Permission denied
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/accountsd/lang_ext: Permission denied
...
And also avc errors:
head -100 avc.log
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-40.13.9-1.el10.noarch
time->Fri Sep 13 12:18:43 2024
type=PROCTITLE msg=audit(1726244323.605:525): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
type=SYSCALL msg=audit(1726244323.605:525): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fca41d30 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726244323.605:525): avc: denied
----
time->Fri Sep 13 12:18:43 2024
type=PROCTITLE msg=audit(1726244323.606:526): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
type=SYSCALL msg=audit(1726244323.606:526): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fca41d30 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726244323.606:526): avc: denied { relabelfrom } for pid=11822 comm="setsebool" name="hll" dev="dm-0" ino=251784191 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
time->Fri Sep 13 12:18:43 2024
type=PROCTITLE msg=audit(1726244323.607:527): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
type=SYSCALL msg=audit(1726244323.607:527): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fca41d30 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726244323.607:527): avc: denied
----
time->Fri Sep 13 12:18:43 2024
type=PROCTITLE msg=audit(1726244323.607:528): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
type=SYSCALL msg=audit(1726244323.607:528): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fbaaa610 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726244323.607:528): avc: denied { relabelfrom } for pid=11822 comm="setsebool" name="abrt" dev="dm-0" ino=251784167 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0
....
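An added triage example, not part of the original report: this Python sketch groups audit records by event ID, decodes the hex-encoded proctitle, maps the x86_64 syscall number to its xattr call, and extracts the denied permission with the source and target types. The sample records are abridged from events 527 and 528 above; the function names are this example's own.

```python
import re

# Abridged from audit events 527/528 in the report above (some SYSCALL fields dropped).
SAMPLE = """\
type=PROCTITLE msg=audit(1726244323.607:528): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
type=SYSCALL msg=audit(1726244323.607:528): arch=c000003e syscall=189 success=no exit=-13 comm="setsebool" exe="/usr/sbin/setsebool"
type=AVC msg=audit(1726244323.607:528): avc: denied { relabelfrom } for pid=11822 comm="setsebool" name="abrt" dev="dm-0" ino=251784167 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1726244323.607:527): avc: denied
"""

# x86_64 (arch=c000003e) syscalls that write extended attributes; SELinux labels
# are stored in the security.selinux xattr, so a relabel goes through one of these.
XATTR_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}

def decode_proctitle(value):
    """Return argv from a proctitle field (hex with NUL separators, or quoted text)."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")

def summarize(log_text):
    """Group records by audit event ID and pull out the fields needed for triage."""
    events = {}
    for line in log_text.splitlines():
        m = re.match(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)", line)
        if not m:
            continue  # separators ("----", "time->...") and status lines
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {})
        if rtype == "PROCTITLE":
            ev["argv"] = decode_proctitle(body.split("=", 1)[1])
        elif rtype == "SYSCALL":
            nr = int(re.search(r"syscall=(\d+)", body).group(1))
            ev["syscall"] = XATTR_SYSCALLS.get(nr, str(nr))
        elif rtype == "AVC":
            perm = re.search(r"\{ ([^}]*) \}", body)
            if not perm:
                continue  # truncated record ("avc: denied" only): nothing to extract
            fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
            ev["perms"] = perm.group(1).split()
            ev["source_type"] = fields["scontext"].split(":")[2]
            ev["target_type"] = fields["tcontext"].split(":")[2]
            ev["tclass"] = fields["tclass"]
    return events

if __name__ == "__main__":
    for event_id, ev in summarize(SAMPLE).items():
        print(event_id, ev)
```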