Bug 1344505
| Summary: | avc: denied { create } for pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | PaulB <pbunyan> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.3 | CC: | jbastian, jcm, jfeeney, lvrabec, mark.langsdorf, mgrepl, mmalik, mvadkert, pbunyan, plautrba, pvrabec, ssekidde |
| Target Milestone: | beta | Keywords: | Regression, TestBlocker |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-80.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 02:31:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1256920 | ||
All, Here is another example: cavium-thunderx-01.ml3.eng.bos.redhat.com https://beaker.engineering.redhat.com/recipes/2780382 https://beaker.engineering.redhat.com/recipes/2780382#task41834367 http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2016/06/13634/1363473/2780382/41834367/206253768/avc.log ---<-snip->--- ---- time->Wed Jun 8 15:39:26 2016 type=PROCTITLE msg=audit(1465414766.869:25): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1465414766.869:25): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab11b86860 a2=c2 a3=1b6 items=0 ppid=1 pid=1116 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1465414766.869:25): avc: denied { create } for pid=1116 comm="NetworkManager" name="resolv.conf.FYOMIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ---- time->Wed Jun 8 15:39:26 2016 type=PROCTITLE msg=audit(1465414766.902:26): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1465414766.902:26): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab11bfb940 a2=c2 a3=1b6 items=0 ppid=1 pid=1116 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1465414766.902:26): avc: denied { create } for pid=1116 comm="NetworkManager" name="resolv.conf.N8DNIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ---<-snip->--- Best, -pbunyan Lukas, There is no selinux-policy-3.13.1-79.el7 available at this time: http://download.eng.bos.redhat.com/brewroot/packages/selinux-policy/3.13.1/ selinux-policy-3.13.1-78.el7 is available. Do you have the correct version is "Fixed in Version" ? Best, -pbunyan All, This issue persists with selinux-policy-3.13.1-79.el7: https://beaker.engineering.redhat.com/recipes/2793747 https://beaker.engineering.redhat.com/recipes/2793747#task42009289 http://lab-02.rhts.eng.rdu.redhat.com/beaker/logs/results/207131+/207131542/avc.log ---<-snip->--- selinux-policy-3.13.1-79.el7.noarch ---- time->Tue Jun 14 16:41:00 2016 type=PROCTITLE msg=audit(1465936860.736:29): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1465936860.736:29): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=2ab159eb770 a2=c2 a3=1b6 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1465936860.736:29): avc: denied { create } for pid=705 comm="NetworkManager" name="resolv.conf.0SHHJY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ---- time->Tue Jun 14 16:41:00 2016 type=PROCTITLE msg=audit(1465936860.772:30): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1465936860.772:30): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=2ab1598bf10 a2=c2 a3=1b6 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1465936860.772:30): avc: denied { create } for pid=705 comm="NetworkManager" name="resolv.conf.O75HJY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ---<-snip->--- Best, -pbunyan Yes, you are right, it will be fixed in -80.el7 selinux-policy package version. All, Retesting with selinux-policy-3.13.1-80.el7, issue is resolved: distro: RHEL-7.3-20160613.n.0 Server aarch64 selinux-policy: 3.13.1-80.el7 kernel: 4.5.0-0.40.el7 https://beaker.engineering.redhat.com/recipes/2800663 - no selinux issue best, -pbunyan Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: Running automated testing with RHEL-7.3-20160602.n.0 (kernel-aarch64) the following avc is reported at install and during testing: avc: denied { create } for pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY Version-Release number of selected component (if applicable): distro: RHEL-7.3-20160602.n.0 kernel: 4.5.0-0.39.el7 selinux-policy: 3.13.1-75.el7.noarch How reproducible: consistently Steps to Reproduce: 1. Install aarch64 host with RHEL-7.3-20160602.n.0 2. Actual results: https://beaker.engineering.redhat.com/recipes/2780381 https://beaker.engineering.redhat.com/recipes/2780381#task41834341 http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2016/06/13634/1363473/2780381/41834341/206252995/avc.log ---<-snip->--- ---- time->Wed Jun 8 15:30:11 2016 type=PROCTITLE msg=audit(1465414211.435:32): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1465414211.435:32): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab0df4d8d0 a2=c2 a3=1b6 items=0 ppid=1 pid=757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1465414211.435:32): avc: denied { create } for pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ---- time->Wed Jun 8 15:30:11 2016 type=PROCTITLE msg=audit(1465414211.446:33): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E type=SYSCALL msg=audit(1465414211.446:33): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab0df5c3c0 a2=c2 a3=1b6 items=0 ppid=1 pid=757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(1465414211.446:33): avc: denied { create } for pid=757 comm="NetworkManager" name="resolv.conf.4PWZIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ---<-snip->--- Expected results: no avc errors Additional info: