Bug 1598201 - avc: denied { map } comm="systemd-sysctl" path="/etc/ld.so.cache" on rhel-alt-7.6 s390x installation
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6-Alt
Hardware: s390x
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2018-07-04 15:38 UTC by Edjunior Barbosa Machado
Modified: 2018-07-17 21:40 UTC (History)
Last Closed: 2018-07-17 21:40:25 UTC
Attachments:
/distribution/install/Sysinfo logfile (deleted), 2018-07-04 15:38 UTC, Edjunior Barbosa Machado

Description Edjunior Barbosa Machado 2018-07-04 15:38:29 UTC
Created attachment 1456520
/distribution/install/Sysinfo logfile

Description of problem:

AVC failures are occurring during RHEL-ALT-7.6-20180626.3 Server s390x installation via beaker (https://beaker.engineering.redhat.com/recipes/5348461#task75053690):

******** SElinux AVC Failures ********
[    5.523065] audit: type=1400 audit(1530711965.557:4): avc:  denied  { map } for  pid=852 comm="systemd-sysctl" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    5.631601] audit: type=1400 audit(1530711965.667:5): avc:  denied  { map } for  pid=870 comm="systemd-tmpfile" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    5.644381] audit: type=1400 audit(1530711965.687:6): avc:  denied  { map } for  pid=868 comm="systemd-hwdb" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    5.746727] audit: type=1400 audit(1530711965.787:7): avc:  denied  { map } for  pid=897 comm="hostname" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    7.372538] audit: type=1400 audit(1530711967.407:8): avc:  denied  { map } for  pid=1115 comm="restorecon" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    7.384807] audit: type=1400 audit(1530711967.427:9): avc:  denied  { map } for  pid=1117 comm="systemd-tmpfile" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
******** End System Information ********

This problem was not found when installing in other architectures.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-204.el7.noarch

How reproducible:
2 of 2 attempts when installing RHEL-ALT-7.6-20180626.3 Server s390x on beaker

Actual results:
/distribution/install/Sysinfo logfile attached

Expected results:
No AVC failures

Comment 2 Milos Malik 2018-07-09 10:25:53 UTC
The /etc/ld.so.cache file is mislabeled, because the SELinux denials mentioned above show tcontext=system_u:object_r:etc_t:s0. The correct label is:

# matchpathcon /etc/ld.so.cache 
/etc/ld.so.cache	system_u:object_r:ld_so_cache_t:s0
#

Please run the following command, which corrects the label:

# restorecon -Rv /etc

Comment 3 Lukas Vrabec 2018-07-17 21:40:25 UTC
Based on comment#2 closing this ticket.
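
The check behind the diagnosis in comment 2, as an added example that is not part of the original bug report: it parses AVC denials, compares each file's tcontext with the label matchpathcon expects, and reports mislabeled paths together with the domains denied on them. The `EXPECTED` table, the function names and the last sample log line are assumptions made for this example.

```python
import re

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?path="(?P<path>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Expected labels, as `matchpathcon` reported them in comment 2. On a live
# system, fill this from matchpathcon output instead of hard-coding it.
EXPECTED = {"/etc/ld.so.cache": "system_u:object_r:ld_so_cache_t:s0"}

# First three lines are denials quoted in the report; the last is constructed
# to show a denial against a correctly labeled file, which is not flagged.
SAMPLE_LOG = '''\
[    5.523065] audit: type=1400 audit(1530711965.557:4): avc:  denied  { map } for  pid=852 comm="systemd-sysctl" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    5.631601] audit: type=1400 audit(1530711965.667:5): avc:  denied  { map } for  pid=870 comm="systemd-tmpfile" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    5.746727] audit: type=1400 audit(1530711965.787:7): avc:  denied  { map } for  pid=897 comm="hostname" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[    9.000000] audit: type=1400 audit(1530711969.000:10): avc:  denied  { write } for  pid=1200 comm="example" path="/etc/ld.so.cache" dev="dm-0" ino=17492956 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
'''

def parse_avc(log):
    """Yield one dict per AVC denial line that names a path."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            yield rec

def find_mislabeled(log, expected=EXPECTED):
    """Map path -> actual/expected label and the source domains denied on it."""
    found = {}
    for rec in parse_avc(log):
        want = expected.get(rec["path"])
        if want is None or rec["tcontext"] == want:
            continue  # unknown path, or label is right: a policy question
        entry = found.setdefault(
            rec["path"],
            {"actual": rec["tcontext"], "expected": want, "domains": set()})
        entry["domains"].add(rec["scontext"].split(":")[2])
    return found

if __name__ == "__main__":
    for path, f in find_mislabeled(SAMPLE_LOG).items():
        print(f"{path}: {f['actual']} should be {f['expected']}; "
              f"denied domains: {', '.join(sorted(f['domains']))}")
        print(f"  fix: restorecon -v {path}")
```

Several unrelated domains denied on one file whose tcontext differs from the expected label points to a labeling problem rather than a missing policy rule, which is why the ticket was closed without a policy change.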

