Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1
Component/s: selinux-policy
Labels:
- cki-datawarehouse

Fixed in Build:
selinux-policy-40.13.33-1.el10
Regression:
No
Severity:
Low
Epic Link:
SELINUX-3824
sprint_count:
1

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
16
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 250625: 8

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/147963
Test Coverage:

Automated

Release Note Type:
Release Note Not Required
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

s390x

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

running CIFS connecthaton test on rhel-10.1 on s390x fails due to avc denial:

type=PROCTITLE msg=audit(05/15/25 09:47:26.396:1392) : proctitle=key.dns_resolver 834385846 
type=SYSCALL msg=audit(05/15/25 09:47:26.396:1392) : arch=s390x syscall=keyctl success=yes exit=0 a0=0xf a1=0x31bbb7b6 a2=0x5 a3=0x1 items=0 ppid=253 pid=12313 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=key.dns_resolve exe=/usr/sbin/key.dns_resolver subj=system_u:system_r:keyutils_dns_resolver_t:s0 key=(null) 
type=AVC msg=audit(05/15/25 09:47:26.396:1392) : avc:  denied  { setattr } for  pid=12313 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

test source: https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/tree/main/filesystems/cifs/connectathon

Please provide the package NVR for which the bug is seen:

audit-4.0.3-4.el10.s390x

selinux-policy-40.13.30-1.el10.noarch

How reproducible is this bug?:

it seems easily reproducible on s390x.

Steps to reproduce

using testing-farm:

testing-farm request --no-wait --arch s390x --git-url https://gitlab.com/redhat/centos-stream/tests/kernel/test-plans.git --plan '.*kernel-tier1/no-hw' --test 'filesystems/cifs/connectathon' --timeout 720 --context component=kernel --context distro=rhel-10.1 --context package-name=kernel --context stream=ystream --compose "RHEL-10.1-Nightly"

Expected results

no avc denial

Actual results

avc check (after-test) fails:

https://artifacts.osci.redhat.com/testing-farm/5a5e87e9-be5e-45b2-9838-53e5a91d25ef/

links to

CKI DataWareHouse Issue #3798

RHBA-2025:147963 selinux-policy bug fix and enhancement update

TCMS Test Case 618013

Assignee:: Zdenek Pytela

Reporter:: Bruno Goncalves

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/05/15 9:58 AM

Updated:: 2025/11/11 8:21 AM

Resolved:: 2025/11/11 8:21 AM

Target end:: 2025/06/16

Next Planned Release Date:: 2025/11/11

Release Date:: 2025/11/11

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates