bootupd denied - Githubissues

System selinux policy version selinux-policy-39.3-1.fc39.noarch

After using bootc to switch to ostree based system and enabled bootupd, seeing following denials in audit.log(grouped by target type)

var_run_t

/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:410): avc:  denied  { write } for  pid=4795 comm="bootupd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:411): avc:  denied  { add_name } for  pid=4795 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:412): avc:  denied  { create } for  pid=4795 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:413): avc:  denied  { write open } for  pid=4795 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=2796 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:414): avc:  denied  { lock } for  pid=4795 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=2796 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

bin_t

/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.431:423): avc:  denied  { execute } for  pid=4796 comm="bootupd" name="sync" dev="nvme0n1p3" ino=32003971 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.431:424): avc:  denied  { execute_no_trans } for  pid=4796 comm="bootupd" path="/usr/bin/sync" dev="nvme0n1p3" ino=32003971 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.432:425): avc:  denied  { map } for  pid=4796 comm="sync" path="/usr/bin/sync" dev="nvme0n1p3" ino=32003971 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

boot_t

/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.439:427): avc:  denied  { write } for  pid=4795 comm="bootupd" name="/" dev="nvme0n1p2" ino=128 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.439:428): avc:  denied  { write } for  pid=4795 comm="bootupd" path=2F626F6F742F23313336202864656C6574656429 dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:429): avc:  denied  { add_name } for  pid=4795 comm="bootupd" name="#136" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:430): avc:  denied  { link } for  pid=4795 comm="bootupd" name="#136" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:431): avc:  denied  { remove_name } for  pid=4795 comm="bootupd" name=".tmp.S786tkF6.tmp" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:432): avc:  denied  { rename } for  pid=4795 comm="bootupd" name=".tmp.S786tkF6.tmp" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1

cert_t

/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9039): avc:  denied  { search } for  pid=46253 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32702526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9040): avc:  denied  { read } for  pid=46253 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32703268 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9041): avc:  denied  { open } for  pid=46253 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32703268 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9042): avc:  denied  { getattr } for  pid=46253 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32703268 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:415): avc:  denied  { search } for  pid=4795 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32105407 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:416): avc:  denied  { read } for  pid=4795 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32106157 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:417): avc:  denied  { open } for  pid=4795 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32106157 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:418): avc:  denied  { getattr } for  pid=4795 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32106157 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1151): avc:  denied  { search } for  pid=20096 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32146063 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1152): avc:  denied  { read } for  pid=20096 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32146813 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1153): avc:  denied  { open } for  pid=20096 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32146813 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.931:1154): avc:  denied  { getattr } for  pid=20096 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32146813 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2816): avc:  denied  { search } for  pid=22528 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32243992 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2817): avc:  denied  { read } for  pid=22528 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32244742 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2818): avc:  denied  { open } for  pid=22528 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32244742 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2819): avc:  denied  { getattr } for  pid=22528 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32244742 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

dosfs_t

/var/log/audit/audit.log:type=AVC msg=audit(1706197327.228:9036): avc:  denied  { getattr } for  pid=46253 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.228:9037): avc:  denied  { read } for  pid=46253 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.228:9038): avc:  denied  { open } for  pid=46253 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.407:419): avc:  denied  { getattr } for  pid=4795 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.407:420): avc:  denied  { read } for  pid=4795 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.407:421): avc:  denied  { open } for  pid=4795 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.430:422): avc:  denied  { read } for  pid=4795 comm="bootupd" name="EFI" dev="nvme0n1p1" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1148): avc:  denied  { getattr } for  pid=20096 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=121 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1149): avc:  denied  { read } for  pid=20096 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=121 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1150): avc:  denied  { open } for  pid=20096 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=121 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.162:2813): avc:  denied  { getattr } for  pid=22528 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.162:2814): avc:  denied  { read } for  pid=22528 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.162:2815): avc:  denied  { open } for  pid=22528 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1

efivarfs_t

/var/log/audit/audit.log.3:type=AVC msg=audit(1706121499.997:386): avc:  denied  { getattr } for  pid=4767 comm="bootupd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121499.997:387): avc:  denied  { search } for  pid=4767 comm="bootupd" name="/" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.333:408): avc:  denied  { getattr } for  pid=4795 comm="bootupd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.333:409): avc:  denied  { search } for  pid=4795 comm="bootupd" name="/" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1

dac_override

/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.439:426): avc:  denied  { dac_override } for  pid=4795 comm="bootupd" capability=1  scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:bootupd_t:s0 tclass=capability permissive=1

auto generated policy:

module my-bootupd 1.0;

require {
    type efivarfs_t;
    type cert_t;
    type var_run_t;
    type boot_t;
    type dosfs_t;
    type bin_t;
    type bootupd_t;
    class dir { add_name getattr read remove_name search write };
    class file { create execute execute_no_trans getattr link lock open read rename write };
    class capability dac_override;
}

#============= bootupd_t ==============
allow bootupd_t bin_t:file { execute execute_no_trans };
allow bootupd_t boot_t:dir { add_name remove_name write };
allow bootupd_t boot_t:file { link rename write };
allow bootupd_t cert_t:dir search;
allow bootupd_t cert_t:file { getattr open read };
allow bootupd_t dosfs_t:dir read;
allow bootupd_t dosfs_t:file { getattr open read };
allow bootupd_t efivarfs_t:dir { getattr search };
allow bootupd_t self:capability dac_override;
allow bootupd_t var_run_t:dir { add_name write };
allow bootupd_t var_run_t:file { create lock open write };

fedora-selinux / selinux-policy

bootupd denied #2010