Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1359789 - avc: denied { read } for pid=25872 comm="iptables" name="xtables.lock
Summary: avc: denied { read } for pid=25872 comm="iptables" name="xtables.lock
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-25 12:52 UTC by Petr Sklenar
Modified: 2017-08-01 15:12 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.13.1-130.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:12:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC
Red Hat Bugzilla 1401208 None None None Never

Internal Links: 1401208

Description Petr Sklenar 2016-07-25 12:52:00 UTC
Description of problem:
avc denial only on ppc64le

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-89.el7.noarch

How reproducible:
always

Steps to Reproduce:
1.https://beaker.engineering.redhat.com/tasks/executed?recipe_task_id=43316647&recipe_task_id=43327563&recipe_task_id=43317166&recipe_task_id=43316903&recipe_task_id=43316389&new_pkg_tasks=43316647,43327563,43317166,43316903,43316389
2. start test /CoreOS/iptables/Sanity/bz590186-Contrary-to-expectations-IPv6-transparent-proxy on rhel73 ppc64le

Actual results:
time->Thu Jul 21 01:54:35 2016
type=SYSCALL msg=audit(1469062475.700:1961): arch=c0000015 syscall=5 success=no exit=-13 a0=10015d40 a1=40 a2=180 a3=0 items=0 ppid=25766 pid=25872 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1469062475.700:1961): avc:  denied  { read } for  pid=25872 comm="iptables" name="xtables.lock" dev="tmpfs" ino=163018 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:sosreport_var_run_t:s0 tclass=file
----

Expected results:
no avc

Additional info:

Comment 7 Ryan Barry 2017-01-09 21:48:31 UTC
We also see this on x86_64 builds of RHV-H. It doesn't seem to be reproducible on RHEL installs on x86_64, but we share the same version of selinux-policy here

Comment 13 errata-xmlrpc 2017-08-01 15:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861


Note You need to log in before you can comment on or make changes to this bug.