- Bug
- Resolution: Unresolved
- Major
- rhel-10.0
- None
- selinux-policy-40.13.30-1.el10
- No
- Moderate
- 1
- rhel-security-selinux
- ssg_security
- 10
- 2
- QE ack
- False
- False
- No
- SELINUX 250514: 6
- Pass
- Automated
- Release Note Not Required
- All
- None
What were you trying to do that didn't work?
Find out why so many varnish tests fail with the latest varnish build.
What is the impact of this issue to you?
The varnish service runs OK, but 2 SELinux denials are triggered during each start of the service.
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.24-1.el10.noarch
selinux-policy-targeted-40.13.24-1.el10.noarch
varnish-7.6.1-2.el10.aarch64
How reproducible is this bug?
Always, on all architectures.
Steps to reproduce:
- get a RHEL-10.0 machine
- start the varnish service
- search for SELinux denials
Expected results:
- no SELinux denials
Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/04/2025 04:20:16.633:577) : proctitle=/usr/sbin/varnishd -a :6081 -a localhost:8443,PROXY -f /etc/varnish/default.vcl -P /run/varnish/varnishd.pid -p feature=+http2 -
type=SYSCALL msg=audit(02/04/2025 04:20:16.633:577) : arch=aarch64 syscall=prlimit64 success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x8 a2=0xffffd857cdc0 a3=0x0 items=0 ppid=11572 pid=11574 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=varnishd exe=/usr/sbin/varnishd subj=system_u:system_r:varnishd_t:s0 key=(null)
type=AVC msg=audit(02/04/2025 04:20:16.633:577) : avc: denied { sys_resource } for pid=11574 comm=varnishd capability=sys_resource scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(02/04/2025 04:20:17.093:578) : proctitle=make -f /tmp/cc56lajN.mk -j3 all
type=PATH msg=audit(02/04/2025 04:20:17.093:578) : item=1 name=/tmp/GMfifo11586 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/04/2025 04:20:17.093:578) : item=0 name=/tmp/ inode=134348929 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/04/2025 04:20:17.093:578) : cwd=/var/lib/varnish/varnishd/vcl_boot.1738660816.648971
type=SYSCALL msg=audit(02/04/2025 04:20:17.093:578) : arch=aarch64 syscall=mknodat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xaaaaf3680190 a2=0600 a3=0x0 items=2 ppid=11582 pid=11586 auid=unset uid=varnish gid=varnish euid=varnish suid=varnish fsuid=varnish egid=varnish sgid=varnish fsgid=varnish tty=(none) ses=unset comm=make exe=/usr/bin/make subj=system_u:system_r:varnishd_t:s0 key=(null)
type=AVC msg=audit(02/04/2025 04:20:17.093:578) : avc: denied { create } for pid=11586 comm=make name=GMfifo11586 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
----
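As an added example (not part of the bug report and not the selinux-policy project's own tooling), the following Python script parses ausearch -i style output such as the records quoted above, keeps only the AVC denials, groups them by source type, target type, object class and permission, and prints the TE rule each one would need in the form audit2allow proposes. The rules are for triage only: the report does not show what the fix in selinux-policy-40.13.30-1.el10 actually changed, so treat the printed rules as what the denials ask for, not as the shipped policy. The sample log lines are the AVC and CWD records from the report; the function names and the grouping logic are assumptions of this example.

```python
import re

# Sample input: the two AVC records and one CWD record quoted in the report above,
# in the interpreted (ausearch -i) layout.
SAMPLE_AUDIT_LOG = """\
type=CWD msg=audit(02/04/2025 04:20:17.093:578) : cwd=/var/lib/varnish/varnishd/vcl_boot.1738660816.648971
type=AVC msg=audit(02/04/2025 04:20:16.633:577) : avc: denied { sys_resource } for pid=11574 comm=varnishd capability=sys_resource scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(02/04/2025 04:20:17.093:578) : avc: denied { create } for pid=11586 comm=make name=GMfifo11586 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
"""

# One AVC record: verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),            # object name, e.g. the FIFO being created
        "capability": fields.get("capability"),  # only present for tclass=capability
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # permissive=0 means the access was really blocked (matches success=no above)
        "permissive": fields.get("permissive") == "1",
    }


def context_type(ctx):
    """user:role:type:level -> type (e.g. system_u:system_r:varnishd_t:s0 -> varnishd_t)."""
    return ctx.split(":")[2]


def find_denials(log_text):
    """All denied AVC records in the text, in file order."""
    return [d for d in map(parse_avc, log_text.splitlines()) if d and d["verdict"] == "denied"]


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = {}
    for d in find_denials(log_text):
        for perm in d["perms"]:
            key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


def te_rule(denial):
    """The allow rule this denial asks for, in the form audit2allow prints it."""
    src = context_type(denial["scontext"])
    tgt = context_type(denial["tcontext"])
    if tgt == src:
        tgt = "self"  # same type on both sides is written as 'self'
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{denial['tclass']} {perm_text};"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x  {key[0]} -> {key[1]} {key[2]}:{key[3]}")
    for d in find_denials(SAMPLE_AUDIT_LOG):
        mode = "permissive" if d["permissive"] else "enforcing"
        print(f"[{mode}] comm={d['comm']} pid={d['pid']}: {te_rule(d)}")
```

Running it on the report's records yields one rule granting varnishd_t the sys_resource capability on itself (the prlimit64 call) and one letting varnishd_t create fifo_file objects in tmp_t (the FIFO make creates while compiling the VCL). Before adding such rules to a local module, check whether a newer selinux-policy already covers the access, as the Fixed in Build value above indicates for this case.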
- is cloned by: RHEL-77995 [rhel-9] the varnish service triggers SELinux denials (Release Pending)
- is duplicated by: RHEL-83006 AVC check fail when running varnish/Security/CVE-2023-44487 (Closed)
- links to: RHBA-2025:147963 selinux-policy bug fix and enhancement update