Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-58897

[rhel-10] avc error with comm="setsebool" seen in ovs-dpdk tests

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • rhel-10.0.beta
    • container-selinux
    • None
    • No
    • None
    • rhel-sst-container-tools
    • 3
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • x86_64
    • None

      What were you trying to do that didn't work?

      Seeing error messages during ovs-dpdk tests.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      6.11.0-0.rc5.22.el10.x86_64
      DISTRO=RHEL-10.0-20240901.1
      container-selinux-3:2.232.1-3.el10.noarch
      selinux-policy-40.13.9-1.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. My test used DISTRO=RHEL-10.0-20240901.1
      2. yum install -y container-selinux

      Expected results

      No errors during container-selinux installation and no avc errors.

      Actual results

      yum install -y container-selinux
      (there are many error logs during the installation as below)

      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt/cil: Permission denied
      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt/hll: Permission denied
      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt/lang_ext: Permission denied
      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/abrt: Permission denied
      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/accountsd/cil: Permission denied
      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/accountsd/hll: Permission denied
      Could not set context for /var/lib/selinux/targeted/tmp/modules/100/accountsd/lang_ext: Permission denied
      ...

      And also avc errors:
      head -100 avc.log
      SELinux status: enabled
      SELinuxfs mount: /sys/fs/selinux
      SELinux root directory: /etc/selinux
      Loaded policy name: targeted
      Current mode: enforcing
      Mode from config file: enforcing
      Policy MLS status: enabled
      Policy deny_unknown status: allowed
      Memory protection checking: actual (secure)
      Max kernel policy version: 33
      selinux-policy-40.13.9-1.el10.noarch


      time->Fri Sep 13 12:18:43 2024
      type=PROCTITLE msg=audit(1726244323.605:525): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
      type=SYSCALL msg=audit(1726244323.605:525): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fca41d30 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1726244323.605:525): avc: denied

      { relabelfrom } for pid=11822 comm="setsebool" name="cil" dev="dm-0" ino=251784190 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
      ----
      time->Fri Sep 13 12:18:43 2024
      type=PROCTITLE msg=audit(1726244323.606:526): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
      type=SYSCALL msg=audit(1726244323.606:526): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fca41d30 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1726244323.606:526): avc: denied { relabelfrom }

      for pid=11822 comm="setsebool" name="hll" dev="dm-0" ino=251784191 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0


      time->Fri Sep 13 12:18:43 2024
      type=PROCTITLE msg=audit(1726244323.607:527): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
      type=SYSCALL msg=audit(1726244323.607:527): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fca41d30 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1726244323.607:527): avc: denied

      { relabelfrom } for pid=11822 comm="setsebool" name="lang_ext" dev="dm-0" ino=251819392 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
      ----
      time->Fri Sep 13 12:18:43 2024
      type=PROCTITLE msg=audit(1726244323.607:528): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
      type=SYSCALL msg=audit(1726244323.607:528): arch=c000003e syscall=189 success=no exit=-13 a0=55d6fbaa9b60 a1=7f77fd1f8197 a2=55d6fbaaa610 a3=26 items=0 ppid=11821 pid=11822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1726244323.607:528): avc: denied { relabelfrom }

      for pid=11822 comm="setsebool" name="abrt" dev="dm-0" ino=251784167 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=dir permissive=0


      ....

              lmandvek Lokesh Mandvekar
              zfang@redhat.com Zhiqiang Fang
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: