- Bug
- Resolution: Not a Bug
- Normal
- rhel-9.6
- rhel-security-selinux
- ssg_security
- Release Note Not Required
- x86_64
What were you trying to do that didn't work?
While running insights-client automated tests on a rhel-bootc image, an SELinux denial is logged against chcon. Because these are automated test runs, I am not yet sure which command exactly is causing this.
What is the impact of this issue to you?
Please provide the package NVR for which the bug is seen:
[root@dhcp-8-29-34 ~]# bootc status
● Booted image: images.paas.redhat.com/rhsmqe/compose-bootc:RHEL-9.6.0-20250222.8
        Digest: sha256:d7d970f9ab83f449eb6312c146d3af777021d28b5c253f0ea33ae7d159216279
       Version: 9.20250224.0 (2025-02-25 15:44:58.625561435 UTC)
  Rollback image: images.paas.redhat.com/rhsmqe/compose-bootc:RHEL-9.6.0-20250222.8
        Digest: sha256:88fa6c1f5f0cf16f5edc69b00417102f6aca7ce164ea7d2368f1a311c503212e
       Version: 9.20250224.0 (2025-02-25 15:55:30.520319565 UTC)
[root@dhcp-8-29-34 ~]# rpm -q subscription-manager dnf selinux-policy
subscription-manager-1.29.45-1.el9.x86_64
dnf-4.14.0-25.el9.noarch
selinux-policy-38.1.53-2.el9.noarch
How reproducible is this bug?:
Steps to reproduce:
Not sure exactly what is causing it but will try to find out more
[root@dhcp-8-29-34 ~]# cat /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1740626363.780:62): avc: denied { mac_admin } for pid=2114 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740626363.807:63): avc: denied { mac_admin } for pid=2116 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740703523.892:155): avc: denied { mac_admin } for pid=4637 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740703523.987:156): avc: denied { mac_admin } for pid=4639 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740796642.679:199): avc: denied { mac_admin } for pid=7142 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740796642.700:200): avc: denied { mac_admin } for pid=7143 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740885442.104:245): avc: denied { mac_admin } for pid=9800 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740885442.194:246): avc: denied { mac_admin } for pid=9802 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
[root@dhcp-8-29-34 ~]# sealert -a /var/log/audit/audit.log | more
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/chcon from using the mac_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chcon should have the mac_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chcon' --raw | audit2allow -M my-chcon
# semodule -X 300 -i my-chcon.pp

Additional Information:
Source Context                system_u:system_r:insights_client_t:s0
Target Context                system_u:system_r:insights_client_t:s0
Target Objects                Unknown [ capability2 ]
Source                        chcon
Source Path                   /usr/bin/chcon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.32-39.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.1.53-2.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.53-2.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-8-29-34.lab.eng.rdu2.redhat.com
Platform                      Linux dhcp-8-29-34.lab.eng.rdu2.redhat.com 5.14.0-570.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Feb 17 16:15:43 EST 2025 x86_64 x86_64
Alert Count                   24
First Seen                    2025-02-27 03:19:23 UTC
Last Seen                     2025-03-07 18:06:49 UTC
Local ID                      add5b13f-1a29-46a0-8cf0-9f5fdadab04c

Raw Audit Messages
type=AVC msg=audit(1741370809.824:1391): avc: denied { mac_admin } for pid=39901 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0

type=SYSCALL msg=audit(1741370809.824:1391): arch=x86_64 syscall=setxattr success=no exit=EINVAL a0=55d41b5fa3a0 a1=7f0b0405e1c5 a2=55d41b5fbab0 a3=36 items=0 ppid=39898 pid=39901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chcon exe=/usr/bin/chcon subj=system_u:system_r:insights_client_t:s0 key=(null)ARCH=x86_64 SYSCALL=setxattr AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: chcon,insights_client_t,insights_client_t,capability2,mac_admin
Expected results
Actual results
A lot of AVC denials
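To triage a burst of records like the ones above without installing a local policy module, it helps to aggregate the AVC lines by process, source context, object class and permission, and to keep enforced denials (permissive=0) apart from permissive ones that were logged but not blocked. The script below is an added example, not part of the report or of insights-client; the audit lines it parses are a constructed sample in the same format as the report's log, with made-up pid and serial values.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the report's audit.log (three AVC records
# plus one SYSCALL record); pid/serial values are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1740626363.780:62): avc:  denied  { mac_admin } for  pid=2114 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(1740626363.780:62): arch=x86_64 syscall=setxattr success=no exit=EINVAL ppid=2111 pid=2114 comm=chcon exe=/usr/bin/chcon subj=system_u:system_r:insights_client_t:s0
type=AVC msg=audit(1740626363.807:63): avc:  denied  { mac_admin } for  pid=2116 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1740626400.100:64): avc:  denied  { mac_admin } for  pid=2200 comm="chcon" capability=33 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability2 permissive=1
"""

# Header of an AVC record: timestamp:serial, verdict, the { perm ... } set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # comm="chcon" is quoted, the rest is bare


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(ts=float(m.group('ts')), serial=int(m.group('serial')),
               verdict=m.group('verdict'), perms=m.group('perms').split())
    return rec


def summarize_denials(log_text):
    """Group denials by (comm, scontext, tclass, permission); permissive=1 records
    were logged but not blocked, so they are counted separately from enforced ones."""
    summary = defaultdict(lambda: {'enforced': 0, 'permissive': 0, 'pids': []})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (rec.get('comm'), rec.get('scontext'), rec.get('tclass'), perm)
            bucket = summary[key]
            bucket['permissive' if rec.get('permissive') == '1' else 'enforced'] += 1
            bucket['pids'].append(int(rec['pid']))  # pids let you correlate with ausearch -p
    return dict(summary)


if __name__ == '__main__':
    for (comm, ctx, tclass, perm), b in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{comm} in {ctx}: {tclass}/{perm} enforced={b['enforced']} "
              f"permissive={b['permissive']} pids={b['pids']}")
```

Run against the real /var/log/audit/audit.log the same grouping shows at a glance whether every hit is the single chcon/mac_admin pattern from the report or whether other domains and classes are mixed in.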
- is cloned by RHEL-82781 SELinux is preventing chcon from using the mac_admin capability (Closed)