Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.6
Component/s: selinux-policy
Labels:
- AutoVerified
- dependent-component

Fixed in Build:
selinux-policy-38.1.56-1.el9
Regression:
No
Severity:
Moderate
Epic Link:
SELINUX-3824
sprint_count:
1

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
11
Story Points:
2
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 250514: 6

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148008
Test Coverage:

Automated

Release Note Type:
Release Note Not Required
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Recently added feature to NetworkManager allowing ping address before it's set [1] causes the following AVCs denials:

----
type=PROCTITLE msg=audit(03/14/2025 09:39:48.688:4336) : proctitle=/usr/bin/ping -I testX4 -c 1 -w 20 192.168.99.1 
type=SYSCALL msg=audit(03/14/2025 09:39:48.688:4336) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=icmp a3=0x7ffe997db8c0 items=0 ppid=135899 pid=136211 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ping exe=/usr/bin/ping subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(03/14/2025 09:39:48.688:4336) : avc:  denied  { create } for  pid=136211 comm=ping scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=icmp_socket permissive=0 
----

[1] https://issues.redhat.com/browse/RHEL-21160

Found during execution of the following NetworkManager-ci tests:

connection_ping_ip6_addresses
connection_ping_ip_addresses_unreachable

Reproducible: always

NVRs:
NetworkManager-1.53.1-1.el9.x86_64
NetworkManager-libnm-1.53.1-1.el9.x86_64
NetworkManager-team-1.53.1-1.el9.x86_64
NetworkManager-tui-1.53.1-1.el9.x86_64
selinux-policy-38.1.53-2.el9.noarch
selinux-policy-targeted-38.1.53-2.el9.noarch

is cloned by

RHEL-86258 [rhel-10] SELinux denials appear when NetworkManager executes ping

Release Pending

links to

github pr

RHBA-2025:148008 selinux-policy bug fix and enhancement update

TCMS Test Case 105820

Assignee:: Zdenek Pytela

Reporter:: Filip Pokryvka

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2025/03/14 10:12 AM

Updated:: 2025/08/29 1:53 PM

Target end:: 2025/05/12

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide