Closed DaanDeMeyer closed 9 months ago
@DaanDeMeyer thanks for reporting, is there a simple way of reproducing?
```bash
git clone https://github.com/systemd/mkosi
cd mkosi
```

Write the following to `mkosi.conf` in `mkosi/`:

```ini
[Distribution]
Release=39

[Content]
Bootable=yes
Autologin=yes
Packages=
        attr
        coreutils
        kernel-core
        systemd
        systemd-boot
        udev
        util-linux
        less
        python3
        bubblewrap
        policycoreutils
        policycoreutils-python-utils
        selinux-policy
        selinux-policy-devel
        selinux-policy-targeted
        setools-console

[Host]
KernelCommandLineExtra=enforcing=0
```

And then run:

```bash
bin/mkosi --tools-tree=default -f qemu
```

You'll end up in a VM where you can run `journalctl -g AVC`, and it will contain these denials.
Since the vsock stuff relies on VMs I don't have a simpler reproducer at hand.
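As an added example (not code from this issue or from the selinux-policy project), a small Python triage script for the `journalctl -g AVC` output the reproducer above produces: it parses AVC denial lines, collapses repeats per (source, target, class), filters to `vsock_socket`, and renders audit2allow-style rules. The journal lines it embeds are constructed for illustration, not the actual denials from the report; the `permissive=1` field is what a VM booted with `enforcing=0` logs.

```python
import re
from collections import defaultdict

# Constructed journal excerpt (not the denials reported in this issue). permissive=1
# is what the VM from the reproducer logs, since it boots with enforcing=0.
SAMPLE_JOURNAL = """\
Jan 01 00:00:01 vm kernel: audit: type=1400 audit(1700000000.001:10): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Jan 01 00:00:01 vm kernel: audit: type=1400 audit(1700000000.002:11): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Jan 01 00:00:02 vm kernel: audit: type=1400 audit(1700000000.003:12): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Jan 01 00:00:03 vm kernel: audit: type=1400 audit(1700000000.004:13): avc:  denied  { read } for  pid=700 comm="agetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
Jan 01 00:00:04 vm systemd[1]: Started getty@tty1.service.
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for unrelated journal lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = frozenset(d["perms"].split())
    d["permissive"] = d["permissive"] == "1"  # True: logged but not blocked
    return d

def summarize(journal_text, tclass=None):
    """Collapse repeated denials into {(scontext, tcontext, tclass): set(perms)}."""
    summary = defaultdict(set)
    for line in journal_text.splitlines():
        d = parse_avc(line)
        if d is None or (tclass and d["tclass"] != tclass):
            continue
        summary[(d["scontext"], d["tcontext"], d["tclass"])] |= d["perms"]
    return dict(summary)

def to_te_rules(summary):
    """Render audit2allow-style allow rules; same-type source and target become 'self'."""
    rules = []
    for (scontext, tcontext, tclass), perms in sorted(summary.items()):
        stype, ttype = scontext.split(":")[2], tcontext.split(":")[2]
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_te_rules(summarize(SAMPLE_JOURNAL, tclass="vsock_socket"))))
```

Feed it the real journal output to see which domains and permissions a policy change would have to cover; the rendered rules are a starting point for review, not something to load blindly.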
I am sorry, I was able to make that work only on F38, where there is just an older systemd. I wanted to see the results in full auditing: https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
Is it a result of this change?
Yes indeed, that's the one
Closing as there is now a PR: https://github.com/fedora-selinux/selinux-policy/pull/1952. Sorry for the delay.
Thanks for taking the time to fix this!
In its latest release, systemd has gained features that make use of AF_VSOCK. Currently, using these features leads to SELinux denials.
It'd be great if these could be allowed.