Bug 2089799 - avc: denied { read } for pid=1230843 comm="mdadm" name="/" dev="mqueue" ino=13339 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: ppc64le
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-24 13:15 UTC by Bruno Goncalves
Modified: 2022-06-14 18:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-14 18:15:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-123183 0 None None None 2022-05-24 13:20:42 UTC

Description Bruno Goncalves 2022-05-24 13:15:03 UTC
Description of problem:
While running swraid trim test [1] we hit the following avc denial on ppc64le.

time->Mon May 23 20:47:16 2022
type=PROCTITLE msg=audit(1653353236.083:10751): proctitle=2F7573722F7362696E2F6D6461646D002D2D64657461696C002D2D6E6F2D64657669636573002D2D6578706F7274002F6465762F6D6431
type=SYSCALL msg=audit(1653353236.083:10751): arch=c0000015 syscall=286 success=no exit=-13 a0=4 a1=10038ff0fd5 a2=4800 a3=0 items=0 ppid=1230840 pid=1230843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdadm" exe="/usr/sbin/mdadm" subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1653353236.083:10751): avc:  denied  { read } for  pid=1230843 comm="mdadm" name="/" dev="mqueue" ino=13339 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-98.el8.noarch

How reproducible:
Not sure yet

Steps to Reproduce:
1. Run test [1]


Additional info:
test logs: https://datawarehouse.cki-project.org/kcidb/tests/3606233
cki issue tracker: https://datawarehouse.cki-project.org/issue/1240

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/trim

Comment 1 Zdenek Pytela 2022-06-02 12:49:03 UTC
Bruno,

Can this possibly be an unwanted effect of some previous test?

It seems /dev/mqueue has incorrect label, it should look like this:

rhel87# LC_ALL=C ls -lZd /dev/mqueue
drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0 40 May 30 03:17 /dev/mqueue

Comment 2 Bruno Goncalves 2022-06-06 08:22:08 UTC
Interesting. I tried to reproduce this, and it looks like the swraid/trim test starts to hit this avc denial after podman tests, but I don't know why that would happen.

Comment 4 Zdenek Pytela 2022-06-14 18:15:13 UTC
From selinux-policy PoV this currently looks more like a test issue - remnants of setting of a previously run test, hence closing. If the issue persists, you can create a local module to hide the denials as a workaround:

  # cat local_dontaudit_mdadm.cil
  (dontaudit mdadm_t container_file_t (dir (getattr open read)))
  # semodule -i local_dontaudit_mdadm.cil

If you need to pursue this matter further, feel free to reopen this bug again and attach the needed information.
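
Added example (not part of the bug report or of selinux-policy): a short Python triage of the audit event from the description, decoding the hex proctitle and comparing the AVC target type with the tmpfs_t label Comment 1 shows for /dev/mqueue. The function names and the EXPECTED_TYPE table are assumptions made for this illustration.

```python
import re

# Audit records copied from the bug description (SYSCALL record left out).
EVENT = """\
type=PROCTITLE msg=audit(1653353236.083:10751): proctitle=2F7573722F7362696E2F6D6461646D002D2D64657461696C002D2D6E6F2D64657669636573002D2D6578706F7274002F6465762F6D6431
type=AVC msg=audit(1653353236.083:10751): avc:  denied  { read } for  pid=1230843 comm="mdadm" name="/" dev="mqueue" ino=13339 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0
"""

# Assumption for this example: expected type per device, taken from the
# `ls -lZd /dev/mqueue` output in Comment 1.
EXPECTED_TYPE = {"mqueue": "tmpfs_t"}


def decode_proctitle(value):
    """Return argv; auditd hex-encodes the title when it contains NULs."""
    if value.startswith('"'):          # plain titles are logged quoted
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")


def parse_avc(line):
    """Return the key=value fields of one AVC record plus its permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = re.search(r"\{([^}]*)\}", line).group(1).split()
    return fields


def context_type(context):
    """user:role:type:level -> type (the level may contain ':' itself)."""
    return context.split(":", 3)[2]


def triage(event):
    """Summarise one event: command line, AVC fields, label mismatch."""
    result = {}
    for line in event.splitlines():
        if line.startswith("type=PROCTITLE"):
            result["argv"] = decode_proctitle(line.split("proctitle=", 1)[1])
        elif line.startswith("type=AVC"):
            avc = result["avc"] = parse_avc(line)
            expected = EXPECTED_TYPE.get(avc["dev"])
            result["mislabeled"] = (expected is not None
                                    and context_type(avc["tcontext"]) != expected)
    return result


if __name__ == "__main__":
    r = triage(EVENT)
    print("command :", " ".join(r["argv"]))
    print("denied  :", r["avc"]["perms"], "on", r["avc"]["tclass"], r["avc"]["tcontext"])
    print("target label differs from expected:", r["mislabeled"])
```

On a live host, `ausearch -i` performs the same proctitle decoding.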
