Bug 1743930 - avc: denied for comm="reload_microcod" and comm="find"
Summary: avc: denied for comm="reload_microcod" and comm="find"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1744033 1744605 1747554
Depends On:
Blocks: 1738779
Reported: 2019-08-21 03:16 UTC by Zhang Yi
Modified: 2020-11-14 05:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:12:10 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3547 0 None None None 2019-11-05 22:12:19 UTC

Description Zhang Yi 2019-08-21 03:16:53 UTC
Description of problem:
avc: denied for comm="reload_microcod" and comm="find"

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-18.el8.noarch
RHEL-8.1.0-20190820.3

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
beaker job:https://beaker.engineering.redhat.com/jobs/3739666

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-18.el8.noarch
----
time->Tue Aug 20 16:37:06 2019
type=PROCTITLE msg=audit(1566333426.263:14): proctitle=66696E64002F7573722F73686172652F6D6963726F636F64655F63746C2F75636F64655F776974685F636176656174732F696E74656C002D70617468002F7573722F73686172652F6D6963726F636F64655F63746C2F75636F64655F776974685F636176656174732F696E74656C2F696E74656C2D75636F64652F2A002D7072
type=SYSCALL msg=audit(1566333426.263:14): arch=c000003e syscall=138 success=no exit=-13 a0=6 a1=7ffecae05160 a2=f a3=55b0c4701010 items=0 ppid=1846 pid=1873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="find" exe="/usr/bin/find" subj=system_u:system_r:cpucontrol_t:s0 key=(null)
type=AVC msg=audit(1566333426.263:14): avc:  denied  { getattr } for  pid=1873 comm="find" name="/" dev="dm-0" ino=128 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
----
time->Tue Aug 20 16:37:06 2019
type=PROCTITLE msg=audit(1566333426.267:15): proctitle=2F62696E2F62617368002D656675002F7573722F6C6962657865632F6D6963726F636F64655F63746C2F72656C6F61645F6D6963726F636F6465
type=SYSCALL msg=audit(1566333426.267:15): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fb949a3b50 a2=241 a3=1b6 items=0 ppid=1 pid=1844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="reload_microcod" exe="/usr/bin/bash" subj=system_u:system_r:cpucontrol_t:s0 key=(null)
type=AVC msg=audit(1566333426.267:15): avc:  denied  { write } for  pid=1844 comm="reload_microcod" name="reload" dev="sysfs" ino=27940 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
time->Tue Aug 20 16:37:06 2019
type=PROCTITLE msg=audit(1566333426.267:16): proctitle=2F62696E2F62617368002D656675002F7573722F6C6962657865632F6D6963726F636F64655F63746C2F72656C6F61645F6D6963726F636F6465
type=SYSCALL msg=audit(1566333426.267:16): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fb949a3b50 a2=201 a3=0 items=0 ppid=1 pid=1844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="reload_microcod" exe="/usr/bin/bash" subj=system_u:system_r:cpucontrol_t:s0 key=(null)
type=AVC msg=audit(1566333426.267:16): avc:  denied  { write } for  pid=1844 comm="reload_microcod" name="reload" dev="sysfs" ino=27940 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
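
Added example, not part of the original report or of any Red Hat tooling: a small Python triage script that reads audit records like the ones above, decodes the hex-encoded PROCTITLE field into its argv, and collapses repeated AVC denials into one allow-rule-style line per source type, target type and class, which is the form a policy reviewer would compare against the loaded policy. The sample input is abridged from the records in this report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: records abridged from the ausearch output in this report.
SAMPLE = """\
type=PROCTITLE msg=audit(1566333426.267:15): proctitle=2F62696E2F62617368002D656675002F7573722F6C6962657865632F6D6963726F636F64655F63746C2F72656C6F61645F6D6963726F636F6465
type=AVC msg=audit(1566333426.263:14): avc:  denied  { getattr } for  pid=1873 comm="find" name="/" dev="dm-0" ino=128 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1566333426.267:15): avc:  denied  { write } for  pid=1844 comm="reload_microcod" name="reload" dev="sysfs" ino=27940 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566333426.267:16): avc:  denied  { write } for  pid=1844 comm="reload_microcod" name="reload" dev="sysfs" ino=27940 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
"""

EVENT = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
AVC = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
                 r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def decode_proctitle(value):
    """A quoted value is literal; an unquoted one is hex with NUL-separated argv."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def summarize(log):
    rules = defaultdict(set)   # (source type, target type, class) -> permissions
    comms = defaultdict(set)   # same key -> command names that hit the denial
    argv = {}                  # event serial -> decoded command line
    for line in log.splitlines():
        ev = EVENT.search(line)
        if not ev:
            continue
        if line.startswith("type=PROCTITLE"):
            argv[int(ev["serial"])] = decode_proctitle(line.split("proctitle=", 1)[1])
        m = AVC.search(line)
        if m:
            # A context is user:role:type:level; the type is the third field.
            key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
            rules[key].update(m["perms"].split())
            comms[key].add(m["comm"])
    return rules, comms, argv

def allow_rules(rules):
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE)[0])))
```
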

Comment 2 Milos Malik 2019-08-21 08:23:30 UTC
Could you re-run the beaker job in permissive mode? For example, kernel parameter "enforcing=0" would make it happen.

It is very likely that additional SELinux denials will appear as a result of running the microcode service.

Thank you.

Comment 3 Zhang Yi 2019-08-21 08:33:31 UTC
(In reply to Milos Malik from comment #2)
> Could you re-run the beaker job in permissive mode? For example, kernel
> parameter "enforcing=0" would make it happen.
> 
> It is very likely that additional SELinux denials will appear as a result of
> running the microcode service.
> 
> Thank you.

OK, will update it later.

Thanks
Yi

Comment 4 zguo 2019-08-22 00:02:26 UTC
*** Bug 1744033 has been marked as a duplicate of this bug. ***

Comment 6 Zhang Yi 2019-08-22 04:26:48 UTC
(In reply to Milos Malik from comment #2)
> Could you re-run the beaker job in permissive mode? For example, kernel
> parameter "enforcing=0" would make it happen.
> 
> It is very likely that additional SELinux denials will appear as a result of
> running the microcode service.
> 
> Thank you.

Hi Milos
Cannot reproduce the issue with enforcing=0

# cat /proc/cmdline
BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0-135.el8.x86_64 root=/dev/mapper/rhel_storageqe--62-root ro loglevel=5 efi_no_storage_paranoia enforcing=0 crashkernel=auto resume=/dev/mapper/rhel_storageqe--62-swap rd.lvm.lv=rhel_storageqe-62/root rd.lvm.lv=rhel_storageqe-62/swap console=ttyS0,115200n81

beaker job: https://beaker.engineering.redhat.com/jobs/3742750

Thanks
Yi

Comment 12 Lukas Vrabec 2019-08-26 16:36:09 UTC
*** Bug 1744605 has been marked as a duplicate of this bug. ***

Comment 18 Yaniv Liberman 2019-08-29 11:23:12 UTC
Hi,

As a follow-up on a ticket I have where this problem occurs [1]; the reported build in this bug report is RHEL-8.1.0-20190820.3, but I actually backtracked all the way to build RHEL-8.1.0-20190806.2 where the problem does not occur. However, in Beaker, we have a discrepancy between builds RHEL-8.1.0-20190806.2 and RHEL-8.1.0-20190815.n.0 - we don't have the builds in-between them imported into Beaker, so I jumped from RHEL-8.1.0-20190815.n.0 straight to RHEL-8.1.0-20190806.2.

At any rate, disabling SELinux is merely a workaround, right? Not a solution and just to rule it out, Beaker isn't the problem here, yes?

[1] PNT0638543, https://redhat.service-now.com/nav_to.do?uri=x_redha_pnt_devops_table.do?sys_id=d45f0dcd1b633fc003bb63d07e4bcb89

Comment 26 Ondrej Mosnacek 2019-09-02 06:57:23 UTC
*** Bug 1747554 has been marked as a duplicate of this bug. ***

Comment 33 errata-xmlrpc 2019-11-05 22:12:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547

