Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1843920

Summary:	389-ds-base causes AVC when running
Product:	Red Hat Enterprise Linux 8	Reporter:	Alexander Bokovoy <abokovoy>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED DUPLICATE	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	8.3	CC:	cheimes, lvrabec, mmalik, plautrba, ssekidde
Target Milestone:	rc	Keywords:	Triaged
Target Release:	8.0	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-06-10 14:06:05 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alexander Bokovoy 2020-06-04 12:08:54 UTC

Repeatable AVC when accessing / for read:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.3-44.el8.noarch
----
time->Thu Jun  4 06:39:54 2020
type=PROCTITLE msg=audit(1591267194.063:1481): proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D544553545245414C4D2D54455354002D69002F72756E2F6469727372762F736C6170642D544553545245414C4D2D544553542E706964
type=PATH msg=audit(1591267194.063:1481): item=0 name="/sys/fs/cgroup/memory" inode=1 dev=00:25 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1591267194.063:1481): cwd="/var/log/dirsrv/slapd-TESTREALM-TEST"
type=SYSCALL msg=audit(1591267194.063:1481): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff8342f1620 a2=90800 a3=0 items=1 ppid=1 pid=27558 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1591267194.063:1481): avc:  denied  { read } for  pid=27558 comm="ns-slapd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jun  4 06:39:54 2020
type=PROCTITLE msg=audit(1591267194.068:1482): proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D544553545245414C4D2D54455354002D69002F72756E2F6469727372762F736C6170642D544553545245414C4D2D544553542E706964
type=PATH msg=audit(1591267194.068:1482): item=0 name="/sys/fs/cgroup/memory" inode=1 dev=00:25 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1591267194.068:1482): cwd="/var/log/dirsrv/slapd-TESTREALM-TEST"
type=SYSCALL msg=audit(1591267194.068:1482): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff8342f1620 a2=90800 a3=0 items=1 ppid=1 pid=27558 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1591267194.068:1482): avc:  denied  { read } for  pid=27558 comm="ns-slapd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----

Comment 1 Zdenek Pytela 2020-06-10 14:06:05 UTC


*** This bug has been marked as a duplicate of bug 1836795 ***