Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.7
Component/s: selinux-policy
Labels:
- AutoVerified

Fixed in Build:
selinux-policy-38.1.57-1.el9
Regression:
No
Severity:
Low
Epic Link:
SELINUX-3824
sprint_count:
1

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
15
Story Points:
0.5
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 250604: 7

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148008
Test Coverage:

Automated

Release Note Type:
Release Note Not Required
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

selinux-policy-38.1.55-1.el9.noarch
selinux-policy-targeted-38.1.55-1.el9.noarch

After rebase of haproxy to haproxy-2.8.14-1.el9 for RHEL9 just launching haproxy regardless of config file causes denials like this:

----
time->Tue Apr 15 10:42:44 2025
type=PROCTITLE msg=audit(1744706564.038:1099): proctitle=2F7573722F7362696E2F686170726F7879002D66002F6574632F686170726F78792F686170726F78792E636667002D66002F6574632F686170726F78792F636F6E662E64002D63002D71
type=SYSCALL msg=audit(1744706564.038:1099): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=3 a3=1 items=0 ppid=1 pid=96752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="haproxy" exe="/usr/sbin/haproxy" subj=system_u:system_r:haproxy_t:s0 key=(null)
type=AVC msg=audit(1744706564.038:1099): avc:  denied  { map } for  pid=96752 comm="haproxy" path=2F6465762F73686D2F686170726F78795F737461727475705F6C6F67735F3936373532202864656C6574656429 dev="tmpfs" ino=2 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_tmpfs_t:s0 tclass=file permissive=0

I checked and the `map` permission for haproxy_tmpfs_t:file is already present in RHEL10.

links to

RHBA-2025:148008 selinux-policy bug fix and enhancement update

TCMS Test Case 202184

Assignee:: Zdenek Pytela

Reporter:: Juraj Hrdlica

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/04/22 9:25 AM

Updated:: 2025/08/29 2:00 PM

Target end:: 2025/06/09

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide