Bug 2181389 - [RHEL-9.2] avc: denied { module_request } for pid=265552 comm="rhsmcertd-worke" kmod="net-pf-10"
Summary: [RHEL-9.2] avc: denied { module_request } for pid=265552 comm="rhsmcertd-w...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: aarch64
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Nikola Knazekova
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
: 2181391 2181392 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-24 01:00 UTC by PaulB
Modified: 2023-08-01 15:47 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 15:47:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-152950 0 None None None 2023-03-24 01:02:14 UTC

Description PaulB 2023-03-24 01:00:58 UTC 
Description of problem:
The following avc issue is reported when testing target system:
avc:  denied  { module_request } for  pid=265552 comm="rhsmcertd-worke" kmod="net-pf-10"

Version-Release number of selected component (if applicable):
 distro: RHEL-9.2.0-20230321.9
 kernel: 5.14.0-284.4.1.el9_2
 selinux-policy: 38.1.9-1.el9_2.noarch
 test: https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/archive/main/kernel-tests.tar.gz#distribution/ltp/lite
       (ltp-20230127)

How reproducible:
yes issue is reproducible

Steps to Reproduce:
1. Install nvidia-bluefield2 host with RHEL-9.2.0-20230321.9
2. Install  kernel 5.14.0-284.4.1.el9_2
3. Run https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/archive/main/kernel-tests.tar.gz#distribution/ltp/lite

Actual results:
https://beaker.engineering.redhat.com/recipes/13606079#task157959249
https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/03/76586/7658680/13606079/157959249/738772073/avc.log
---%<-snip->%---
type=AVC msg=audit(1679607603.942:966): avc:  denied  { module_request } for  pid=265552 comm="rhsmcertd-worke" kmod="net-pf-10" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
---%<-snip->%---

Expected results:
no ACV messages are expected

Additional info:
Comment 2 Zdenek Pytela 2023-07-14 13:38:56 UTC 
It looks IPv6 was disabled at this host and adding an allow rule to SELinux would not help to resolve the underlying problem, exposing the denial actually points to the fact there is some problem.

Unfortunately, disabling IPv6 via ipv6.disable=1 doesn't play well with SELinux. Please see bug 641836 for some explanations. It is recommended to disable IPv6 via the net.ipv6.conf.all.disable_ipv6 sysctl instead.

Also refer to the following kbase article:
How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?
https://access.redhat.com/solutions/8709

If there is no other information regarding this issue, we will proceed and close the bz.
Comment 3 Zdenek Pytela 2023-07-14 13:40:08 UTC 
*** Bug 2181391 has been marked as a duplicate of this bug. ***
Comment 4 Zdenek Pytela 2023-07-14 13:40:15 UTC 
*** Bug 2181392 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.