RHEL-81753

[rhel-10] rhsm-package-profile-uploader triggers AVCs during a dnf --transient install


    • rhel-image-mode
    • QE ack
    • The reproducer does not trigger SELinux denials.

      What were you trying to do that didn't work?

      When running on a rhel-bootc image and using dnf to install an entitled package using --transient, an SELinux denial is logged against rhsm-package-profile-uploader for trying to write to

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      [root@dhcp-8-29-252 ~]# bootc status
      ● Booted image: images.paas.redhat.com/rhsmqe/compose-bootc:RHEL-10.0-20250219.3
              Digest: sha256:c9974adff578793125ee0525e80bd3c987f1b897e11f3988a37e005119084ca9
             Version: 10.20250225.0 (2025-02-25 19:35:23.677581963 UTC)
      
      [root@dhcp-8-29-252 ~]# rpm -q subscription-manager dnf selinux-policy
      subscription-manager-1.30.5-1.el10.x86_64
      dnf-4.20.0-11.el10.noarch
      selinux-policy-40.13.26-1.el10.noarch
      

      How reproducible is this bug?:

      This occurs on a system running in image mode when installing content with dnf on the overlay.

      Steps to reproduce

      [root@dhcp-8-29-252 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com
      Registering to: subscription.rhsm.stage.redhat.com:443/subscription
      Username: stage_rhsmqe_testuser01
      Password: 
      The system has been registered with ID: ebf4de86-894c-4614-a437-2060f83b8bb8
      The registered system name is: dhcp-8-29-252.lab.eng.rdu2.redhat.com
      [root@dhcp-8-29-252 ~]# 
      [root@dhcp-8-29-252 ~]# subscription-manager config --rhsm.package_profile_on_trans=1
      [root@dhcp-8-29-252 ~]# 
      [root@dhcp-8-29-252 ~]# tail -f /var/log/audit/audit.log | grep --color=auto "denied" &
      [1] 2454
      [root@dhcp-8-29-252 ~]# 
      [root@dhcp-8-29-252 ~]# dnf install zsh -y --quiet --transient
      Failed to set locale, defaulting to C.UTF-8
      
      Installed:
        zsh-5.9-15.el10.x86_64                                                                                                 
      
      [root@dhcp-8-29-252 ~]# type=AVC msg=audit(1740761413.489:150): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=838671 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.489:151): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=9470917 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.524:152): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=838671 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.524:153): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=9470917 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.543:154): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=838671 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.543:155): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=9470917 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.599:156): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=838671 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1740761413.599:157): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=9470917 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
      

      Expected results

      Not sure... /usr is a known read-only filesystem on a rhel-bootc image, yet the install is being consciously done on an overlayfs. To get rid of the denials, is a policy change needed, or should the rhsm-package-profile-uploader be aware of the read-only filesystem?

      Actual results

      Many AVC denials as shown above.
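      As an added example (not code from the report, subscription-manager or selinux-policy), the following Python script parses type=AVC records of the shape shown in the reproducer, collapses the repeated denials into one count per (source type, target type, class, permission, file name), and flags writes into files labelled usr_t, which on a rhel-bootc image is the read-only /usr tree. The sample input is constructed: three of the AVC lines above plus one non-AVC type=SYSCALL line (an assumption, added only to show that other record types are ignored). The allow-rule rendering is a triage aid in the style of audit2allow, not a recommendation; the report itself leaves open whether policy or the uploader should change.

```python
import re
from collections import Counter

# Constructed sample input: three AVC records copied from the reproducer
# above, plus one non-AVC record (an assumption, not from the report) so the
# parser is exercised on input it must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1740761413.489:150): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=838671 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1740761413.489:151): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=9470917 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1740761413.524:152): avc:  denied  { write } for  pid=2499 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=838671 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1740761413.524:152): arch=c000003e syscall=1 success=no exit=-13 comm="rhsm-package-pr"
"""

# One type=AVC record: audit header, decision, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for type=AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "decision": m["decision"],
        "perms": m["perms"].split(),
    }
    for key, value in KV_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    # permissive=0 means the kernel actually blocked the access, not just logged it.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def type_of(context):
    """system_u:object_r:usr_t:s0 -> usr_t"""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Collapse repeated denials into counts keyed by what policy would have to allow."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
                   rec["tclass"], perm, rec.get("name", "?"))
            counts[key] += 1
    return counts


def writes_into_usr(counts):
    """Keys where a domain tried to write a file labelled usr_t, i.e. the
    read-only /usr tree of a bootc image (the situation in this report)."""
    return sorted(k for k in counts
                  if k[1] == "usr_t" and k[2] == "file" and k[3] == "write")


def as_allow_rule(key):
    """Render a key the way audit2allow would print it; for triage only."""
    sdom, ttype, tclass, perm, _name = key
    return f"allow {sdom} {ttype}:{tclass} {perm};"


if __name__ == "__main__":
    counts = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, n in counts.most_common():
        print(f"{n:3d}x  {as_allow_rule(key)}   # name={key[4]}")
    print("distinct writes into usr_t files:", len(writes_into_usr(counts)))
```

      Run it against a real capture with `ausearch -m AVC -ts recent` piped to a file and passed to summarize_denials; the seven records in the report collapse to the single rule line "allow rhsmcertd_t usr_t:file write;" seen twice (once per SQLite side file), which is the whole policy question in one line.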

              Colin Walters (walters@redhat.com), John Sefler (jsefler), Wei Shi, Gabriela Necasova
              Votes: 0
              Watchers: 10