1359789 – avc: denied { read } for pid=25872 comm="iptables" name="xtables.lock

Bug 1359789 - avc: denied { read } for pid=25872 comm="iptables" name="xtables.lock

Summary: avc: denied { read } for pid=25872 comm="iptables" name="xtables.lock

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-25 12:52 UTC by Petr Sklenar
Modified:	2017-08-01 15:12 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.13.1-130.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 15:12:40 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1401208	0	medium	CLOSED	[RHVH 4.0.6] avc denied errors (dev="tmpfs") in audit.log after upgrade	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Internal Links: 1401208

Description Petr Sklenar 2016-07-25 12:52:00 UTC

Description of problem:
avc denial only on ppc64le

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-89.el7.noarch

How reproducible:
always

Steps to Reproduce:
1.https://beaker.engineering.redhat.com/tasks/executed?recipe_task_id=43316647&recipe_task_id=43327563&recipe_task_id=43317166&recipe_task_id=43316903&recipe_task_id=43316389&new_pkg_tasks=43316647,43327563,43317166,43316903,43316389
2. start test /CoreOS/iptables/Sanity/bz590186-Contrary-to-expectations-IPv6-transparent-proxy on rhel73 ppc64le

Actual results:
time->Thu Jul 21 01:54:35 2016
type=SYSCALL msg=audit(1469062475.700:1961): arch=c0000015 syscall=5 success=no exit=-13 a0=10015d40 a1=40 a2=180 a3=0 items=0 ppid=25766 pid=25872 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1469062475.700:1961): avc:  denied  { read } for  pid=25872 comm="iptables" name="xtables.lock" dev="tmpfs" ino=163018 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:sosreport_var_run_t:s0 tclass=file
----

Expected results:
no avc

Additional info:

Comment 7 Ryan Barry 2017-01-09 21:48:31 UTC

We also see this on x86_64 builds of RHV-H. It doesn't seem to be reproducible on RHEL installs on x86_64, but we share the same version of selinux-policy here

Comment 13 errata-xmlrpc 2017-08-01 15:12:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.