Issue
What were you trying to do that didn't work?
Everything seems to work as expected, but SELinux denials appear.
Please provide the package NVR for which bug is seen:
kernel-5.14.0-425.el9.x86_64
kernel-core-5.14.0-425.el9.x86_64
kernel-modules-5.14.0-425.el9.x86_64
kernel-modules-core-5.14.0-425.el9.x86_64
kernel-tools-5.14.0-425.el9.x86_64
kernel-tools-libs-5.14.0-425.el9.x86_64
microcode_ctl-20230808-2.20231009.1.el9_3.noarch
selinux-policy-38.1.33-1.el9.noarch
selinux-policy-devel-38.1.33-1.el9.noarch
selinux-policy-targeted-38.1.33-1.el9.noarch
How reproducible:
always on bare metal machines
Steps to reproduce
get a RHEL-9.4 machine (targeted policy is active)
run the following automated test: /CoreOS/selinux-policy/Regression/microcode-and-similar
search for SELinux denials
Expected results
no SELinux denials
Actual results (enforcing mode)
----
type=PROCTITLE msg=audit(02/27/2024 07:10:25.660:597) : proctitle=/usr/bin/bash -efu /usr/libexec/microcode_ctl/reload_microcode
type=PATH msg=audit(02/27/2024 07:10:25.660:597) : item=0 name=/sys/devices/system/cpu/microcode/ inode=112738 dev=00:15 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/27/2024 07:10:25.660:597) : cwd=/
type=SYSCALL msg=audit(02/27/2024 07:10:25.660:597) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x559659d372f0 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=1 ppid=1 pid=42698 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reload_microcod exe=/usr/bin/bash subj=system_u:system_r:cpucontrol_t:s0 key=(null)
type=AVC msg=audit(02/27/2024 07:10:25.660:597) : avc: denied { write } for pid=42698 comm=reload_microcod name=microcode dev="sysfs" ino=112738 scontext=system_u:system_r:cpucontrol_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
----