Bug 1853776

Summary: avc: denied { nnp_transition } for pid=653 comm="(qbalance)" denial on boot of UEFI installed system
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-07 08:29:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Williamson 2020-07-03 22:47:05 UTC 
openQA tests consistently show that on first boot of a fresh UEFI VM install of current Rawhide, this AVC appears:

time->Fri Jul  3 10:37:47 2020
type=AVC msg=audit(1593787067.404:108): avc:  denied  { nnp_transition } for  pid=653 comm="(qbalance)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=process2 permissive=0

all you need do is install Rawhide UEFI native to a VM and boot it, that seems to be enough to cause the AVC to show up.
Comment 1 Milos Malik 2020-07-04 07:39:25 UTC 
I believe this bug is a duplicate of BZ#1848658.
Comment 2 Zdenek Pytela 2020-07-07 08:29:32 UTC 
The requested permission is present in selinux-policy=3.14.6-17.

*** This bug has been marked as a duplicate of bug 1848658 ***
Comment 3 Adam Williamson 2020-07-07 15:14:21 UTC 
that's weird, I did a search for 'qbalance nnp_transition' before filing this bug and found nothing...
Comment 4 Adam Williamson 2020-07-07 15:23:46 UTC 
Seems we have a new one now this one is fixed, though:

time->Mon Jul  6 12:59:54 2020
type=AVC msg=audit(1594054794.319:110): avc:  denied  { create } for  pid=636 comm="irqbalance" name="irqbalance636.sock" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
Comment 5 Zdenek Pytela 2020-07-07 16:18:37 UTC 
Adam,

this one is fixed, too: https://bugzilla.redhat.com/show_bug.cgi?id=1852486