Bug 1612456
| Summary: | [ALT-7.6][selinux-policy] avc: denied { search } for pid=3409 comm="rngd" name="pki" dev="dm-0" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | PaulB <pbunyan> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.6-Alt | CC: | ernunes, jbastian, jfeeney, jshortt, lkocman, lmiksik, lslebodn, lvrabec, mgrepl, mmalik, pbunyan, peterm, plautrba, rvr, ssekidde, vmojzis, vruizrui |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-212.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 10:08:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1615433 | ||
All, This issue is seen while testing all arches: distro: RHEL-ALT-7.6-20180802.1 [Beta-1.2] kernel-alt: kernel-4.14.0-101.el7a selinux-policy: selinux-policy-3.13.1-210.el7 -------- aarch64 ------- https://beaker.engineering.redhat.com/recipes/5467636#task76692698 https://beaker.engineering.redhat.com/recipes/5467636/tasks/76692698/results/367292653/logs/avc.log ------- ppc64le ------- https://beaker.engineering.redhat.com/recipes/5467631#task76692587 http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/08/26610/2661077/5467631/76692587/367290614/avc.log ------- s390x ------- https://beaker.engineering.redhat.com/recipes/5467641#task76692809 http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/08/26610/2661077/5467641/76692809/367288900/avc.log ------- x86_64 ------- https://beaker.engineering.redhat.com/recipes/5467622#task76692396 http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/08/26610/2661077/5467622/76692396/367293494/avc.log Best, -pbunyan All, Issue was not seen testing: distro: RHEL-ALT-7.6-20180723.0][Alpha-1.2] kernel-alt:4.14.0-92.el7a selinux-policy: 3.13.1-207.el7 Issue is seen testing: distro: RHEL-ALT-7.6-20180802.1 [Beta-1.2] kernel-alt: kernel-4.14.0-101.el7a selinux-policy: selinux-policy-3.13.1-210.el7 This is a regression. Best, -pbunyan I believe this bug is a duplicate of BZ#1609466. *** Bug 1609466 has been marked as a duplicate of this bug. *** Ths is still happening in RHEL-ALT-7.6-20180815.1
type=PROCTITLE msg=audit(1534444733.835:18): proctitle=2F7362696E2F726E6764002D66
type=SYSCALL msg=audit(1534444733.835:18): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffffa21be8c8 a2=0 a3=0 items=0 ppid=1 pid=3198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rngd" exe="/usr/sbin/rngd" subj=system_u:system_r:rngd_t:s0 key=(null)
type=AVC msg=audit(1534444733.835:18): avc: denied { search } for pid=3198 comm="rngd" name="pki" dev="dm-0" ino=100685154 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/08/27002/2700293/5539400/77677287/370865341/test_log--distribution-install-Sysinfo-avc.log
https://beaker.engineering.redhat.com/recipes/5539400#task77677287
All, http://download-node-02.eng.bos.redhat.com/rel-eng/RHEL-ALT-7.6-Beta-1.7/compose/Server/aarch64/os/Packages/ ---<-snip->--- selinux-policy-3.13.1-210.el7.noarch.rpm ---<-snip->--- We need selinux-policy-3.13.1-212.el7 added to a distro. Best, -pbunyan (In reply to PaulB from comment #13) > All, > > http://download-node-02.eng.bos.redhat.com/rel-eng/RHEL-ALT-7.6-Beta-1.7/ > compose/Server/aarch64/os/Packages/ > ---<-snip->--- > selinux-policy-3.13.1-210.el7.noarch.rpm > ---<-snip->--- > > We need selinux-policy-3.13.1-212.el7 added to a distro. > > Best, > -pbunyan lkocman, Can you assist in getting selinux-policy-3.13.1-212.el7 added to a distro, please. Thank you. Best, -pbunyan (In reply to PaulB from comment #14) > (In reply to PaulB from comment #13) > > All, > > > > http://download-node-02.eng.bos.redhat.com/rel-eng/RHEL-ALT-7.6-Beta-1.7/ > > compose/Server/aarch64/os/Packages/ > > ---<-snip->--- > > selinux-policy-3.13.1-210.el7.noarch.rpm > > ---<-snip->--- > > > > We need selinux-policy-3.13.1-212.el7 added to a distro. > > > > Best, > > -pbunyan > > lkocman, > Can you assist in getting selinux-policy-3.13.1-212.el7 added to a distro, > please. > > Thank you. > Best, > -pbunyan All, Seems jdisnard has taken over for lkocman. jdisnard - Can you assist in getting selinux-policy-3.13.1-212.el7 added to a distro. Thank you. -pbunyan The latest nightly already has a newer package, -215.el7: http://download.devel.redhat.com/nightly/RHEL-ALT-7.6-20180820.n.0/compose/Server/aarch64/os/Packages/selinux-policy-3.13.1-215.el7.noarch.rpm Can you test with this version and check if the SELinux AVCs are fixed? I re-ran Victor's job from comment 12 using RHEL-ALT-7.6-20180820.n.0 and the /distribution/install task passed with no SELinux AVCs https://beaker.engineering.redhat.com/jobs/2708504 All, This issue is no longer seen. distro: RHEL-ALT-7.6-20180919.0 kernel-alt: 4.14.0-113.el7a selinux-policy-3.13.1-227.el7.noarch.rpm https://beaker.engineering.redhat.com/matrix/?whiteboard_filter=&job_ids=2781525 So this is not a blocker. Best, -pbunyan Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
Description of problem: The following issue is seen while testing all arches: avc: denied { search } for pid=3409 comm="rngd" name="pki" dev="dm-0" Version-Release number of selected component (if applicable): distro: RHEL-ALT-7.6-20180802.1 [Beta-1.2] kernel-alt: kernel-4.14.0-101.el7a selinux-policy: selinux-policy-3.13.1-210.el7 How reproducible: consistently on all arches Steps to Reproduce: 1. Install system with RHEL-ALT-7.6-20180802.1 [Beta-1.2] 2. see avc.log messages Actual results: https://beaker.engineering.redhat.com/recipes/5467636#task76692698 http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/08/26610/2661077/5467636/76692698/367292653/avc.log ---<-snip->--- type=PROCTITLE msg=audit(1533248645.046:15): proctitle=2F7362696E2F726E6764002D66 type=SYSCALL msg=audit(1533248645.046:15): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffffacbae8c8 a2=0 a3=0 items=0 ppid=1 pid=3409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rngd" exe="/usr/sbin/rngd" subj=system_u:system_r:rngd_t:s0 key=(null) type=AVC msg=audit(1533248645.046:15): avc: denied { search } for pid=3409 comm="rngd" name="pki" dev="dm-0" ino=100685166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0 ---<-snip->--- Expected results: No AVC messages are expected Additional info: