RHEL-82781

SELinux is preventing chcon from using the mac_admin capability


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • rhel-10.1
    • rhel-10.0
    • selinux-policy
    • rhel-security-selinux
    • ssg_security
    • Release Note Not Required
    • x86_64

      What were you trying to do that didn't work?

      While running insights-client automated tests on a rhel-bootc image, an SELinux denial is logged against chcon. Because these are automated test runs, I am not yet sure which command exactly is causing this.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      [root@dhcp-8-30-77 insights-client]# bootc status
      ● Booted image: images.paas.redhat.com/rhsmqe/compose-bootc:RHEL-10.0-20250304.2
              Digest: sha256:017f1dc4ad31b9134d6981af0f577d1a8f62cdbb32ad63c868e9303f7cf0fddb
             Version: 10.20250304.0 (2025-03-04 18:17:30.888276230 UTC)
        Rollback image: images.paas.redhat.com/rhsmqe/compose-bootc:RHEL-10.0-20250219.3
                Digest: sha256:c9974adff578793125ee0525e80bd3c987f1b897e11f3988a37e005119084ca9
               Version: 10.20250225.0 (2025-02-25 19:35:23.677581963 UTC)
      
      
      [root@dhcp-8-30-77 insights-client]# rpm -q subscription-manager dnf selinux-policy
      subscription-manager-1.30.5-1.el10.x86_64
      dnf-4.20.0-11.el10.noarch
      selinux-policy-40.13.26-1.el10.noarch 

      How reproducible is this bug?:

      This occurs on a system running in image mode

      Steps to reproduce

      Not sure exactly what is causing it but will try to find out more

      [root@dhcp-8-30-77 insights-client]# cat /var/log/audit/audit.log | grep AVC
      type=AVC msg=audit(1740620787.791:603): avc:  denied  { mac_admin } for  pid=6788 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      type=AVC msg=audit(1740620787.817:604): avc:  denied  { mac_admin } for  pid=6789 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      type=AVC msg=audit(1740706477.544:966): avc:  denied  { mac_admin } for  pid=14364 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      type=AVC msg=audit(1740706477.564:967): avc:  denied  { mac_admin } for  pid=14365 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      type=AVC msg=audit(1740795919.585:1114): avc:  denied  { mac_admin } for  pid=18625 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      type=AVC msg=audit(1740795919.674:1115): avc:  denied  { mac_admin } for  pid=18626 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      type=AVC msg=audit(1740886897.060:1266): avc:  denied  { mac_admin } for  pid=22783 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
      ....
      
      [root@dhcp-8-29-34 insights-client]# sealert -a /var/log/audit/audit.log | more
      
      found 1 alerts in /var/log/audit/audit.log
      --------------------------------------------------------------------------------
      
      SELinux is preventing /usr/bin/chcon from using the mac_admin capability.
      
      *****  Plugin catchall (100. confidence) suggests   **************************
      
      If you believe that chcon should have the mac_admin capability by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'chcon' --raw | audit2allow -M my-chcon
      # semodule -X 300 -i my-chcon.pp
      
      
      Additional Information:
      Source Context                system_u:system_r:insights_client_t:s0
      Target Context                system_u:system_r:insights_client_t:s0
      Target Objects                Unknown [ capability2 ]
      Source                        chcon
      Source Path                   /usr/bin/chcon
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           coreutils-8.32-39.el9.x86_64
      Target RPM Packages           
      SELinux Policy RPM            selinux-policy-targeted-38.1.53-2.el9.noarch
      Local Policy RPM              selinux-policy-targeted-38.1.53-2.el9.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     dhcp-8-29-34.lab.eng.rdu2.redhat.com 

      Expected results

      Actual results

      A lot of AVC denials
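Added triage example, not part of this report and not code from setroubleshoot, audit2allow or any Red Hat tool: a small Python parser that turns raw AVC records like the ones above into structured fields and counts denials per (source type, comm, class, permission). The three AVC lines in the sample are copied from the report; the SYSCALL record is constructed only so the parser has a non-AVC line to skip. The capability table is a subset of the kernel's capability numbers; the check that number 33 belongs in tclass capability2 (SELinux reports capabilities 0-31 as `capability` and 32 and above as `capability2`) is there because a mismatch between the number and the class usually means a line was mangled in transit, as the sealert output on this page partly was.

```python
"""Parse SELinux AVC records and summarise the denials they carry."""
import re
from collections import Counter

# Subset of the kernel's capability numbering (capability.h). SELinux splits
# the object class: 0-31 are reported under "capability", 32+ under "capability2".
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    7: "setuid", 12: "net_admin", 21: "sys_admin", 31: "setfcap",
    32: "mac_override", 33: "mac_admin",
}

# Constructed input: three AVC lines from the report plus one abbreviated,
# made-up SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1740620787.791:603): avc:  denied  { mac_admin } for  pid=6788 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740620787.817:604): avc:  denied  { mac_admin } for  pid=6789 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(1740620787.817:604): arch=c000003e success=no exit=-1
type=AVC msg=audit(1740706477.544:966): avc:  denied  { mac_admin } for  pid=14364 comm="chcon" capability=33  scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values (comm="chcon") keep spaces, bare values stop at whitespace
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),   # several perms can share one record
    }
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    if "capability" in rec:
        number = int(rec["capability"])
        rec["capability_name"] = CAPABILITY_NAMES.get(number, f"cap_{number}")
        expected_class = "capability" if number < 32 else "capability2"
        # False here means the record is inconsistent (likely damaged in copying)
        rec["class_consistent"] = rec.get("tclass") == expected_class
    return rec


def source_type(context):
    """The type component of an SELinux context user:role:type[:level]."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Count denied AVCs keyed by (source type, comm, tclass, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key_base = (source_type(rec["scontext"]), rec.get("comm", "?"), rec["tclass"])
        for perm in rec["perms"]:
            counts[key_base + (perm,)] += 1
    return counts


if __name__ == "__main__":
    for (stype, comm, tclass, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}  {stype:<22} comm={comm:<10} {tclass}:{perm}")
```

Run against a real file (for example `open("/var/log/audit/audit.log").read()` in place of the sample), the summary answers the first triage question for a report like this one: is it a single domain asking for a single permission from a single program, which points at a policy gap or a misplaced call in that program, or a spread of domains and classes, which points at mislabelled files or a broader policy problem. For the lines on this page the answer is one key, `insights_client_t` / `chcon` / `capability2:mac_admin`, which matches the sealert summary.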

              Zdenek Pytela (rhn-support-zpytela)
              Zdenek Petracek (zpetrace@redhat.com)
              SSG Security QE