Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0.beta
Component/s: selinux-policy
Labels:
- cki-datawarehouse
- cki-priority:low

Regression:
No
Severity:
None

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:

Automated

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

when running stress-ng we hit the following avc denial

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-40.13.9-1.el10.noarch
----
time->Mon Sep 23 12:34:15 2024
type=PROCTITLE msg=audit(1727094855.411:726): proctitle=2F6F70742F7374726573732D6E672F7374726573732D6E67002D2D7265736F7572636573003634002D2D74696D656F75740035002D2D6C6F672D66696C65007265736F75726365732E6C6F67
type=SYSCALL msg=audit(1727094855.411:726): arch=c00000b7 syscall=447 success=no exit=-13 a0=0 a1=3 a2=1 a3=9 items=0 ppid=1965063 pid=1965072 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="stress-ng" exe="/opt/stress-ng/stress-ng" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1727094855.411:726): avc:  denied  { create } for  pid=1965072 comm="stress-ng" anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0

This seems similar to a failure when testing on Fedora (https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/issues/1752) that got fixed by https://github.com/fedora-selinux/selinux-policy/pull/2107

Please provide the package NVR for which the bug is seen:

selinux-policy-40.13.9-1.el10.noarch

How reproducible is this bug?:

not sure yet

Steps to reproduce

Run stress-ng test

test logs: https://datawarehouse.cki-project.org/kcidb/tests/redhat:brew-64425990-aarch64-kernel_upt_16

CKI issue tracker: https://datawarehouse.cki-project.org/issue/3130

links to

TCMS Test Case 612643

Assignee:: Zdenek Pytela

Reporter:: Bruno Goncalves

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/09/30 7:15 AM

Updated:: 2024/10/04 8:10 AM

Details

Description

What were you trying to do that didn't work?

This seems similar to a failure when testing on Fedora (https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/issues/1752) that got fixed by https://github.com/fedora-selinux/selinux-policy/pull/2107

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

test logs: https://datawarehouse.cki-project.org/kcidb/tests/redhat:brew-64425990-aarch64-kernel_upt_16

CKI issue tracker: https://datawarehouse.cki-project.org/issue/3130

Attachments

Issue Links

Activity

People

Dates