fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0
156 stars 157 forks

modules/contrib/bootupd: Remove module #2145

Open travier opened 1 month ago

travier commented 1 month ago

Bootupd is no longer using a systemd service and socket unit.

It is now called either directly from the command line by an administrator or, in the future, as part of the boot process in a oneshot unit.

See: https://github.com/coreos/bootupd/issues/551

HuijingHei commented 1 month ago

Maybe also need to remove https://github.com/fedora-selinux/selinux-policy/blob/351a598ecbc0717926181e0a88d07878a12e7301/policy/modules.conf#L3117-L3122 which was from https://github.com/fedora-selinux/selinux-policy/commit/d4da143700e977ecc6a981b3ca83b218293f34c9

travier commented 1 month ago

To be paired with https://src.fedoraproject.org/rpms/selinux-policy/pull-request/431

zpytela commented 3 weeks ago

@travier I am afraid we are not going to make such a change without any serious justification. Having an unconfined service violates a DISA STIG rule which customers require, and using systemd-run means it runs as a service. Running from the CLI means the policy is not used, but it also cannot clash with it. If there are any particular problems, please report them so that we can work on a fix.

travier commented 1 week ago

Well, it's not really a service, it only runs under systemd-run to get an isolated environment. We don't confine every single mkfs call with SELinux, for example. It's only available to root and we expect that to be the constraint.

travier commented 1 week ago

Turns out we do! system_u:object_r:fsadm_exec_t:s0.

travier commented 1 week ago

But we don't do it for efibootmgr or bootctl which are in the same category:

$ ls -alhZ /usr/sbin/efibootmgr
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 50K Jan  1  1970 /usr/sbin/efibootmgr
$ ls -alhZ /usr/bin/bootctl
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 110K Jan  1  1970 /usr/bin/bootctl

travier commented 1 week ago

We could keep this module, but it needs work, as how it is written right now likely does not work.

travier commented 1 week ago

fs_search_dos(bootupd_t)
fs_search_efivarfs_dirs(bootupd_t)

It needs full writable access to /boot/efi.

HuijingHei commented 1 week ago

And if we remove the permissive mode, bootupd will not work, as there are a lot of denied logs.

travier commented 1 week ago

@HuijingHei Can you paste those logs here?

HuijingHei commented 1 week ago

Can you paste those logs here?

Sure, I tested with bootupd-0.2.19-1.fc40.x86_64 and selinux-policy-40.22-1.fc40.noarch on 40.20240624.20.0, ran bootupctl validate, and got these AVC denied logs:

[root@cosa-devsh ~]# rpm-ostree status
State: idle
Deployments:
● ostree-unverified-registry:quay.io/fedora/fedora-coreos:testing-devel
                   Digest: sha256:4f9d9087fe79e5e7d58fce2050df4d535ba5df1a2e39e5a811ff168bf6d714a2
                  Version: 40.20240624.20.0 (2024-06-24T23:50:24Z)

[root@cosa-devsh ~]# bootupctl validate
Skipped: BIOS
Validated: EFI
[root@cosa-devsh ~]# ausearch -m avc
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:150): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:151): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/dev/vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:152): avc:  denied  { execute } for  pid=1616 comm="bootupd" name="mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:153): avc:  denied  { read open } for  pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:154): avc:  denied  { execute_no_trans } for  pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.108:155): avc:  denied  { map } for  pid=1616 comm="mount" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:156): avc:  denied  { read } for  pid=1616 comm="mount" name="vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:157): avc:  denied  { open } for  pid=1616 comm="mount" path="/dev/vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:158): avc:  denied  { ioctl } for  pid=1616 comm="mount" path="/dev/vda2" dev="devtmpfs" ino=347 ioctlcmd=0x1272 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:159): avc:  denied  { read } for  pid=1616 comm="mount" name="252:2" dev="sysfs" ino=29428 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:160): avc:  denied  { read } for  pid=1616 comm="mount" name="vda2" dev="sysfs" ino=29403 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:161): avc:  denied  { read } for  pid=1616 comm="mount" name="dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:162): avc:  denied  { open } for  pid=1616 comm="mount" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:163): avc:  denied  { getattr } for  pid=1616 comm="mount" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:164): avc:  denied  { search } for  pid=1616 comm="mount" name="mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:165): avc:  denied  { getattr } for  pid=1616 comm="mount" path="/run/mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:166): avc:  denied  { read write } for  pid=1616 comm="mount" name="mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.148:167): avc:  denied  { mount } for  pid=1616 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.148:168): avc:  denied  { mounton } for  pid=1616 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:169): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:170): avc:  denied  { read } for  pid=1615 comm="bootupd" name="BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:171): avc:  denied  { open } for  pid=1615 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:172): avc:  denied  { search } for  pid=1615 comm="bootupd" name="pki" dev="vda4" ino=37801279 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:173): avc:  denied  { read } for  pid=1615 comm="bootupd" name="openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:174): avc:  denied  { open } for  pid=1615 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:175): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.188:176): avc:  denied  { unmount } for  pid=1620 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1

travier commented 1 week ago

Great, if you could get the logs from an update as well that would be great.

HuijingHei commented 1 week ago

get the logs from an update

[root@cosa-devsh ~]# bootupctl update
Previous BIOS: grub2-tools-1:2.06-121.fc40.x86_64
Updated BIOS: grub2-tools-1:2.06-123.fc40.x86_64
Previous EFI: grub2-efi-x64-1:2.06-121.fc40.x86_64,shim-x64-15.8-3.x86_64
Updated EFI: grub2-efi-x64-1:2.06-123.fc40.x86_64,shim-x64-15.8-3.x86_64
[root@cosa-devsh ~]# ausearch -m avc
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:146): avc:  denied  { execute } for  pid=1601 comm="bootupd" name="mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:147): avc:  denied  { read open } for  pid=1601 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:148): avc:  denied  { execute_no_trans } for  pid=1601 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:149): avc:  denied  { map } for  pid=1601 comm="mount" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:150): avc:  denied  { search } for  pid=1601 comm="mount" name="mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:151): avc:  denied  { getattr } for  pid=1601 comm="mount" path="/run/mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:152): avc:  denied  { read write } for  pid=1601 comm="mount" name="mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.224:153): avc:  denied  { setsched } for  pid=1601 comm="mount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:154): avc:  denied  { write } for  pid=1600 comm="bootupd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:155): avc:  denied  { add_name } for  pid=1600 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:156): avc:  denied  { create } for  pid=1600 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:157): avc:  denied  { write open } for  pid=1600 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=1408 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.228:158): avc:  denied  { lock } for  pid=1600 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=1408 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.228:159): avc:  denied  { write } for  pid=1600 comm="bootupd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.230:160): avc:  denied  { write } for  pid=1600 comm="bootupd" path=2F626F6F742F233134202864656C6574656429 dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.237:161): avc:  denied  { add_name } for  pid=1600 comm="bootupd" name="#14" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.237:162): avc:  denied  { link } for  pid=1600 comm="bootupd" name="#14" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:163): avc:  denied  { remove_name } for  pid=1600 comm="bootupd" name=".tmp.kmi6M32u.tmp" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:164): avc:  denied  { rename } for  pid=1600 comm="bootupd" name=".tmp.kmi6M32u.tmp" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:165): avc:  denied  { unlink } for  pid=1600 comm="bootupd" name="bootupd-state.json" dev="vda3" ino=21 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:166): avc:  denied  { execute } for  pid=1603 comm="bootupd" name="findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.239:167): avc:  denied  { execute_no_trans } for  pid=1603 comm="bootupd" path="/usr/bin/findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.239:168): avc:  denied  { map } for  pid=1603 comm="findmnt" path="/usr/bin/findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.246:169): avc:  denied  { read } for  pid=1604 comm="lsblk" name="block" dev="sysfs" ino=6 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.246:170): avc:  denied  { getattr } for  pid=1604 comm="lsblk" path="/dev/vda3" dev="devtmpfs" ino=348 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:171): avc:  denied  { read } for  pid=1604 comm="lsblk" name="252:3" dev="sysfs" ino=29718 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:172): avc:  denied  { read } for  pid=1604 comm="lsblk" name="dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:173): avc:  denied  { open } for  pid=1604 comm="lsblk" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:174): avc:  denied  { getattr } for  pid=1604 comm="lsblk" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:175): avc:  denied  { getattr } for  pid=1600 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:176): avc:  denied  { execute } for  pid=1605 comm="bootupd" name="grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:177): avc:  denied  { read open } for  pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:178): avc:  denied  { execute_no_trans } for  pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.249:179): avc:  denied  { map } for  pid=1605 comm="grub2-install" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.279:180): avc:  denied  { create } for  pid=1605 comm="grub2-install" name="ast.mo" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:181): avc:  denied  { getattr } for  pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:182): avc:  denied  { read write } for  pid=1605 comm="grub2-install" name="control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:183): avc:  denied  { open } for  pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:184): avc:  denied  { read } for  pid=1605 comm="grub2-install" name="devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:185): avc:  denied  { open } for  pid=1605 comm="grub2-install" path="/proc/devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:186): avc:  denied  { getattr } for  pid=1605 comm="grub2-install" path="/proc/devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:187): avc:  denied  { ioctl } for  pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 ioctlcmd=0xfd00 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:188): avc:  denied  { read } for  pid=1605 comm="grub2-install" name="vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:189): avc:  denied  { open } for  pid=1605 comm="grub2-install" path="/dev/vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:190): avc:  denied  { ioctl } for  pid=1605 comm="grub2-install" path="/dev/vda" dev="devtmpfs" ino=345 ioctlcmd=0x1261 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:191): avc:  denied  { execute } for  pid=1606 comm="grub2-install" name="udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:192): avc:  denied  { read open } for  pid=1606 comm="grub2-install" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:193): avc:  denied  { execute_no_trans } for  pid=1606 comm="grub2-install" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.979:194): avc:  denied  { map } for  pid=1606 comm="udevadm" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.988:195): avc:  denied  { map } for  pid=1606 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.988:196): avc:  denied  { search } for  pid=1606 comm="udevadm" name="contexts" dev="vda4" ino=6293673 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:197): avc:  denied  { search } for  pid=1606 comm="udevadm" name="files" dev="vda4" ino=7441252 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:198): avc:  denied  { read } for  pid=1606 comm="udevadm" name="file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:199): avc:  denied  { open } for  pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:200): avc:  denied  { getattr } for  pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:201): avc:  denied  { map } for  pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="vda4" ino=7441418 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.993:202): avc:  denied  { getattr } for  pid=1606 comm="udevadm" path="/sys/dev/block/252:3" dev="sysfs" ino=29718 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.249:203): avc:  denied  { write } for  pid=1605 comm="grub2-install" name="vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.307:204): avc:  denied  { unlink } for  pid=1605 comm="grub2-install" name="mda_text.mod~" dev="vda3" ino=32951 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.311:205): avc:  denied  { write } for  pid=1600 comm="bootupd" path=2F626F6F742F233137202864656C6574656429 dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.313:206): avc:  denied  { link } for  pid=1600 comm="bootupd" name="#17" dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.313:207): avc:  denied  { rename } for  pid=1600 comm="bootupd" name=".tmp.xBbMvtEE.tmp" dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:208): avc:  denied  { search } for  pid=1600 comm="bootupd" name="pki" dev="vda4" ino=15782406 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:209): avc:  denied  { read } for  pid=1600 comm="bootupd" name="openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:210): avc:  denied  { open } for  pid=1600 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:211): avc:  denied  { getattr } for  pid=1600 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.342:212): avc:  denied  { getattr } for  pid=1600 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.385:213): avc:  denied  { mount } for  pid=1627 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.386:214): avc:  denied  { mounton } for  pid=1627 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.390:215): avc:  denied  { read } for  pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:216): avc:  denied  { write } for  pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:217): avc:  denied  { add_name } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:218): avc:  denied  { create } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:219): avc:  denied  { write open } for  pid=1600 comm="bootupd" path="/boot/efi/EFI/.tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:220): avc:  denied  { setattr } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:221): avc:  denied  { remove_name } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:222): avc:  denied  { rename } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.419:223): avc:  denied  { unlink } for  pid=1600 comm="bootupd" name="grubx64.efi" dev="vda2" ino=128 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.426:224): avc:  denied  { unmount } for  pid=1634 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
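
To triage a paste like the two above, here is an added example (not code from bootupd or selinux-policy) that parses `ausearch -m avc` records into allow rules grouped by source type, target type and class, roughly what audit2allow does, and flags two cases from these logs where a plain allow rule is the wrong fix: denials against unlabeled_t (the /boot/efi mountpoint needs a label, not an allow on unlabeled_t) and execute_no_trans on a helper that has its own _exec_t type (a domain transition keeps the helper confined). The sample records are copied verbatim from the denials posted in this thread.

```python
"""Summarise SELinux AVC denials into TE allow rules plus review notes.

Added example for this thread; not code from bootupd or selinux-policy.
SAMPLE holds records copied from the denials pasted above.
"""
import re
from collections import defaultdict

# The permission set comes first, then key=value pairs; kernel AVC records
# keep this order, so one regex for the head and one for the pairs suffices.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = [
    'type=AVC msg=audit(1719325148.107:150): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1719325148.107:152): avc:  denied  { execute } for  pid=1616 comm="bootupd" name="mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1719325148.107:154): avc:  denied  { execute_no_trans } for  pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1719325148.148:167): avc:  denied  { mount } for  pid=1616 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1',
    'type=AVC msg=audit(1719325148.148:168): avc:  denied  { mounton } for  pid=1616 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1719325148.188:176): avc:  denied  { unmount } for  pid=1620 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1',
    'type=AVC msg=audit(1719385082.391:219): avc:  denied  { write open } for  pid=1600 comm="bootupd" path="/boot/efi/EFI/.tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1',
    '----',
    'time->Tue Jun 25 14:19:08 2024',
]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for separator/time lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    # A context is user:role:type:level; policy rules key on the type.
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def summarise(lines):
    """Group denials by (source type, target type, class), unioning perms."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def allow_rules(rules):
    """Render grouped denials as TE allow rules, audit2allow style."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def review_notes(rules):
    """Flag groups where a plain allow rule would be the wrong fix."""
    notes = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype == 'unlabeled_t':
            # The object carries no label (here the /boot/efi mountpoint); fix
            # the labelling rather than granting the domain access to unlabeled_t.
            notes.append(f"{tclass} {ttype}: relabel the target instead of allowing {stype} on unlabeled_t")
        if 'execute_no_trans' in perms and ttype.endswith('_exec_t'):
            # The helper has an entrypoint type of its own; a domain transition
            # keeps it confined instead of running it inside the caller's domain.
            notes.append(f"{ttype}: use a domain transition from {stype} rather than execute_no_trans")
    return notes


if __name__ == '__main__':
    grouped = summarise(SAMPLE)
    print('\n'.join(allow_rules(grouped)))
    print('\n'.join(review_notes(grouped)))
```

Feed it the full `ausearch -m avc` output from a real run to see every group; only the grouping and the two review checks are shown here, the rest of a policy review (interfaces to use, file contexts to add) is still manual.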

HuijingHei commented 1 week ago

Created https://issues.redhat.com/browse/FC-1230 to track the denied logs.