Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

RHELPRIO AssignedTeam ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- dependent-component

Fixed in Build:
selinux-policy-40.13.21-1.el10
Regression:
No
Severity:
Moderate
Epic Link:
SELINUX-3783
sprint_count:
2

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
21
Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 241127 - 241218, SELINUX 250129: 1

Acceptance Criteria:

Hide

The reproducer works as expected and it does not trigger any SELinux denials.

Show
The reproducer works as expected and it does not trigger any SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/140162
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

CI tests for keyutils, which are simply the tests present in the upstream package, are failing in RHEL10. This is a regression/change from RHEL9, where they passed.

Putting selinux in permissive mode allows the tests to pass.

This is the result of ausearch after running the "piped" test, for example:

----
time->Mon Dec 16 17:46:20 2024
type=PROCTITLE msg=audit(1734389180.080:118): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003139393731353431300064656275673A6C697A6172640067697A7A61726400363438333538383433
type=SYSCALL msg=audit(1734389180.080:118): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fbddb16f1f4 a2=80000 a3=0 items=0 ppid=11 pid=2263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null)
type=AVC msg=audit(1734389180.080:118): avc:  denied  { read } for  pid=2263 comm="request-key-deb" name="passwd" dev="dm-0" ino=101631562 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
----
time->Mon Dec 16 17:46:20 2024
type=PROCTITLE msg=audit(1734389180.082:119): proctitle=6B657963746C00696E7374616E7469617465003139393731353431300044656275672067697A7A61726400363438333538383433
type=SYSCALL msg=audit(1734389180.082:119): arch=c000003e syscall=250 success=no exit=-13 a0=c a1=be76a52 a2=7ffe2ce30f8e a3=d items=0 ppid=2263 pid=2264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keyctl" exe="/usr/bin/keyctl" subj=system_u:system_r:keyutils_request_t:s0 key=(null)
type=AVC msg=audit(1734389180.082:119): avc:  denied  { write } for  pid=2264 comm="keyctl" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key permissive=0

It seems that the policy gained a module for keyutils at some point in the recent past, and this may be causing the new failures.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

test-output.txt
2025/01/08 7:39 AM
23 kB
Milos Malik

links to

RHBA-2024:140162 selinux-policy bug fix and enhancement update

TCMS Test Case 618013

Upstream GitHub PR

Assignee:: Ondrej Mosnacek

Reporter:: Eric Sandeen

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/12/16 10:47 PM

Updated:: 2025/05/13 10:43 AM

Resolved:: 2025/05/13 10:43 AM

Target end:: 2025/01/07

Next Planned Release Date:: 2025/05/13

Release Date:: 2025/05/13

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide