Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-86926

SELinux prevents the rasdaemon from writing into /sys/devices/system/memory/soft_offline_page

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • No
    • Low
    • 2
    • rhel-security-selinux
    • ssg_security
    • 2
    • QE ack
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • SELINUX 251008: 13, SELINUX 251029: 14
    • Hide

      The reproducer does not trigger SELinux denials.

      Show
      The reproducer does not trigger SELinux denials.
    • None
    • Automated
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • aarch64
    • None

      What were you trying to do that didn't work?

      found during selinux-policy tests results review. Here is the test output: https://artifacts.osci.redhat.com/testing-farm/b587b783-111b-4241-9efe-c9bdc97a152c/work-tier2-second-set9umsjd69/plans/tier2-second-set/execute/data/guest/default-0/Regression/rasdaemon-and-similar-18/output.txt

      What is the impact of this issue to you?

      no impact

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.26-1.el10.noarch
      selinux-policy-targeted-40.13.26-1.el10.noarch
      rasdaemon-0.8.0-8.el10.aarch64

      How reproducible is this bug?

      yes, on the same HW

      Steps to reproduce

      1. get a RHEL-10.1 aarch64 machine (targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/rasdaemon-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
type=PROCTITLE msg=audit(04/09/2025 09:25:36.104:3309) : proctitle=/usr/sbin/rasdaemon -f -r 
type=PATH msg=audit(04/09/2025 09:25:36.104:3309) : item=0 name=/sys/devices/system/memory/soft_offline_page inode=41 dev=00:19 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/09/2025 09:25:36.104:3309) : cwd=/ 
type=SYSCALL msg=audit(04/09/2025 09:25:36.104:3309) : arch=aarch64 syscall=faccessat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xaaaacfbb7458 a2=W_OK a3=0x5 items=1 ppid=1 pid=195589 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rasdaemon exe=/usr/sbin/rasdaemon subj=system_u:system_r:rasdaemon_t:s0 key=(null) 
type=AVC msg=audit(04/09/2025 09:25:36.104:3309) : avc:  denied  { write } for  pid=195589 comm=rasdaemon name=soft_offline_page dev="sysfs" ino=41 scontext=system_u:system_r:rasdaemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: