Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- dependent-component
- systemd-selinux

Fixed in Build:
selinux-policy-40.13.19-1.el10
Regression:
No
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
1

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
20
Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 241127 - 241218

Acceptance Criteria:

Hide

systemd processes do no trigger any SELinux denials related to NSFS (namespace filesystem) after upgrading to the systemd version 257.

Show
systemd processes do no trigger any SELinux denials related to NSFS (namespace filesystem) after upgrading to the systemd version 257.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/140162
Test Coverage:

Manual

Release Note Type:
Release Note Not Required

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

# rpm -q systemd selinux-policy
systemd-257-1.el10.x86_64
selinux-policy-40.13.13-1.el10.noarch

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
----
type=PROCTITLE msg=audit(12/18/2024 17:09:58.218:38) : proctitle=/usr/lib/systemd/systemd-logind
type=SYSCALL msg=audit(12/18/2024 17:09:58.218:38) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc607ad840 a2=0x7ffc607ad870 a3=0x0 items=0 ppid=1 pid=671 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(12/18/2024 17:09:58.218:38) : avc: denied { getattr } for pid=671 comm=systemd-logind path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

links to

RHBA-2024:140162 selinux-policy bug fix and enhancement update

Assignee:: Zdenek Pytela

Reporter:: Zdenek Pytela

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/12/18 10:17 PM

Updated:: 2025/05/13 10:42 AM

Resolved:: 2025/05/13 10:42 AM

Target end:: 2025/01/07

Next Planned Release Date:: 2025/05/13

Release Date:: 2025/05/13

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates