Bug 1978562

Summary: [RHEL8.2] avc: denied { add_name } for pid=1416 comm="fcoemon" name="enabled"
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.2
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: guazhang <guazhang>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, plautrba, ssekidde
Keywords: AutoVerified, Triaged
Target Milestone: beta
Target Release: 8.5
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.14.3-75.el8
Doc Type: No Doc Update
Last Closed: 2021-11-09 19:43:34 UTC
Type: Bug
Bug Blocks: 2076682

Description guazhang@redhat.com 2021-07-02 07:54:48 UTC
Description of problem:
FCoE regression testing found the AVC failed, please check.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-72.el8.noarch
4.18.0-193.60.1.el8_2.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-72.el8.noarch
----
time->Thu Jul  1 07:42:53 2021
type=AVC msg=audit(1625139773.597:33): avc:  denied  { add_name } for  pid=1416 comm="fcoemon" name="enabled" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
----
time->Thu Jul  1 07:43:01 2021
type=AVC msg=audit(1625139781.045:35): avc:  denied  { add_name } for  pid=1416 comm="fcoemon" name="enabled" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0


https://beaker.engineering.redhat.com/recipes/10226745#task128247930,task128247937,task128247938,task128247940


Same issue in RHEL9: https://bugzilla.redhat.com/show_bug.cgi?id=1952292
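
Added example, not part of the original report or of the selinux-policy project: a Python parser that reduces the two AVC records quoted above to the (source type, target type, class) group a policy reviewer works from and renders the raw allow rule the denials imply. The function names are illustrative; the log lines are copied from the report.

```python
import re
from collections import defaultdict

# The two AVC records from the report, copied verbatim.
AUDIT_LOG = '''\
type=AVC msg=audit(1625139773.597:33): avc:  denied  { add_name } for  pid=1416 comm="fcoemon" name="enabled" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1625139781.045:35): avc:  denied  { add_name } for  pid=1416 comm="fcoemon" name="enabled" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m['perms'].split(), 'serial': int(m['serial'])}
    # key=value pairs; comm and name values are double-quoted
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m['fields']):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'comm': set(), 'count': 0, 'enforced': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comm'].add(rec['comm'])
        g['count'] += 1
        g['enforced'] += rec.get('permissive') == '0'  # blocked, not just logged
    return dict(groups)

def candidate_rules(groups):
    """Render each group as the raw allow rule it implies, for policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == '__main__':
    for rule in candidate_rules(summarize(AUDIT_LOG)):
        print(rule)
```

Both records collapse into one group, which shows the denial is a single missing permission hit repeatedly by the same process rather than two distinct problems. The rendered rule is a starting point for review against the policy's existing interfaces, not something to load as-is.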

Comment 1 Zdenek Pytela 2021-07-02 09:13:25 UTC
Commit to backport:
commit f89885fd6f076ef1c3d83c1d1cc981b784e2ea5e (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed May 12 10:19:04 2021 +0200

    Allow fcoemon create sysfs files

Comment 12 Zdenek Pytela 2021-07-28 20:11:33 UTC
I've submitted a Fedora PR to address the latest issue:
https://github.com/fedora-selinux/selinux-policy/pull/813

Comment 21 errata-xmlrpc 2021-11-09 19:43:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420