-
Bug
-
Resolution: Unresolved
-
Normal
-
CentOS Stream 9
-
None
-
selinux-policy-38.1.58-1.el9
-
No
-
Moderate
-
1
-
rhel-security-selinux
-
ssg_security
-
17
-
1
-
QE ack
-
False
-
False
-
-
No
-
SELINUX 250625: 8
-
-
Pass
-
Automated
-
Release Note Not Required
-
Unspecified
-
Unspecified
-
Unspecified
-
None
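Running `bootupctl adopt-and-update` on CentOS Stream 9 produces AVC denials for the `bootupd_t` domain in the audit log. Every AVC record below carries `permissive=1` and every SYSCALL record `success=yes`, so the accesses were logged but not blocked; with the domain enforcing, the same accesses would be denied.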
Versions:
selinux-policy-38.1.56-1.el9.noarch
bootupd-0.2.27-3.el9.x86_64
[root@cosa-devsh core]# mount -o remount,rw /boot
[root@cosa-devsh core]# rm -f /boot/bootupd-state.json
[root@cosa-devsh core]# bootupctl adopt-and-update
Running as unit: bootupd.service
Adopted and updated: BIOS: grub2-tools-1:2.06-107.el9.x86_64
Adopted and updated: EFI: grub2-efi-x64-1:2.06-107.el9.x86_64,shim-x64-15-15.el8_2.x86_64
[root@cosa-devsh core]# ausearch -m avc
----
time->Fri May 30 02:37:46 2025
type=PROCTITLE msg=audit(1748572666.250:101): proctitle=2F62696E2F626F6F74757063746C00757064617465
type=PATH msg=audit(1748572666.250:101): item=0 name="/tmp" inode=19 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1748572666.250:101): cwd="/"
type=SYSCALL msg=audit(1748572666.250:101): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffe66a61730 a2=490002 a3=1b6 items=1 ppid=1 pid=2073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bootupctl" exe="/usr/bin/bootupctl" subj=system_u:system_r:bootupd_t:s0 key=(null)
type=AVC msg=audit(1748572666.250:101): avc: denied { write open } for pid=2073 comm="bootupctl" path=2F746D702F233139202864656C6574656429 dev="tmpfs" ino=19 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1748572666.250:101): avc: denied { write } for pid=2073 comm="bootupctl" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
----
time->Fri May 30 02:37:46 2025
type=PROCTITLE msg=audit(1748572666.263:102): proctitle=73666469736B002D4A002F6465762F766461
type=PATH msg=audit(1748572666.263:102): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=6912 dev=00:22 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1748572666.263:102): item=0 name="/7e/4df395d734709ab17963fbcd730001bccbda5862edb4f814f692794c1506a8.file" inode=309 dev=fc:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fsadm_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1748572666.263:102): cwd="/"
type=EXECVE msg=audit(1748572666.263:102): argc=3 a0="sfdisk" a1="-J" a2="/dev/vda"
type=SYSCALL msg=audit(1748572666.263:102): arch=c000003e syscall=59 success=yes exit=0 a0=7f31d982fdc0 a1=5639ec403060 a2=7ffe66a63440 a3=8 items=2 ppid=2073 pid=2076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfdisk" exe="/usr/sbin/sfdisk" subj=system_u:system_r:bootupd_t:s0 key=(null)
type=AVC msg=audit(1748572666.263:102): avc: denied { map } for pid=2076 comm="sfdisk" path="/usr/sbin/sfdisk" dev="overlay" ino=11856 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1748572666.263:102): avc: denied { execute_no_trans } for pid=2076 comm="bootupctl" path="/usr/sbin/sfdisk" dev="overlay" ino=11856 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1748572666.263:102): avc: denied { read open } for pid=2076 comm="bootupctl" path="/usr/sbin/sfdisk" dev="overlay" ino=11856 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1748572666.263:102): avc: denied { execute } for pid=2076 comm="bootupctl" name="sfdisk" dev="overlay" ino=11856 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
----
time->Fri May 30 02:37:46 2025
type=PROCTITLE msg=audit(1748572666.267:103): proctitle=73666469736B002D4A002F6465762F766461
type=SYSCALL msg=audit(1748572666.267:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc1c0c7f4a a2=80000 a3=0 items=0 ppid=2073 pid=2076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfdisk" exe="/usr/sbin/sfdisk" subj=system_u:system_r:bootupd_t:s0 key=(null)
type=AVC msg=audit(1748572666.267:103): avc: denied { open } for pid=2076 comm="sfdisk" path="/dev/vda" dev="devtmpfs" ino=292 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1748572666.267:103): avc: denied { read } for pid=2076 comm="sfdisk" name="vda" dev="devtmpfs" ino=292 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Fri May 30 02:37:46 2025
type=PROCTITLE msg=audit(1748572666.268:104): proctitle=73666469736B002D4A002F6465762F766461
type=SYSCALL msg=audit(1748572666.268:104): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=80081272 a2=7ffc1c0c5b20 a3=1 items=0 ppid=2073 pid=2076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfdisk" exe="/usr/sbin/sfdisk" subj=system_u:system_r:bootupd_t:s0 key=(null)
type=AVC msg=audit(1748572666.268:104): avc: denied { ioctl } for pid=2076 comm="sfdisk" path="/dev/vda" dev="devtmpfs" ino=292 ioctlcmd=0x1272 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
- relates to
-
RHEL-86588 bootupctl adopt failed
-
- Release Pending
-
- links to
-
RHBA-2025:148008 selinux-policy bug fix and enhancement update