Open travier opened 1 month ago
To be paired with https://src.fedoraproject.org/rpms/selinux-policy/pull-request/431
@travier I am afraid we are not going to make such a change without any serious justification. Having an unconfined service violates a DISA STIG rule which customers require, and using systemd-run means it runs as a service. Running from the CLI means the policy is not used, but it also cannot clash with it. If there are any particular problems, please report them so that we can work on a fix.
Well, it's not really a service, it only runs under systemd-run to get an isolated environment. We don't confine every single mkfs call with SELinux, for example. It's only available to root and we expect that to be the constraint.
Turns out we do! system_u:object_r:fsadm_exec_t:s0.
But we don't do it for efibootmgr or bootctl, which are in the same category:
$ ls -alhZ /usr/sbin/efibootmgr
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 50K Jan 1 1970 /usr/sbin/efibootmgr
$ ls -alhZ /usr/bin/bootctl
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 110K Jan 1 1970 /usr/bin/bootctl
We could keep this module, but it needs work as how it is written right now likely does not work.
fs_search_dos(bootupd_t)
fs_search_efivarfs_dirs(bootupd_t)
It needs full writable access to /boot/efi.
And if we remove the permissive mode, bootupd will not work, as there are a lot of denied logs.
@HuijingHei Can you paste those logs here?
Sure, tested with bootupd-0.2.19-1.fc40.x86_64 and selinux-policy-40.22-1.fc40.noarch on 40.20240624.20.0, ran bootupctl validate, and got these AVC denied logs:
[root@cosa-devsh ~]# rpm-ostree status
State: idle
Deployments:
● ostree-unverified-registry:quay.io/fedora/fedora-coreos:testing-devel
Digest: sha256:4f9d9087fe79e5e7d58fce2050df4d535ba5df1a2e39e5a811ff168bf6d714a2
Version: 40.20240624.20.0 (2024-06-24T23:50:24Z)
[root@cosa-devsh ~]# bootupctl validate
Skipped: BIOS
Validated: EFI
[root@cosa-devsh ~]# ausearch -m avc
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:150): avc: denied { getattr } for pid=1615 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:151): avc: denied { getattr } for pid=1615 comm="bootupd" path="/dev/vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:152): avc: denied { execute } for pid=1616 comm="bootupd" name="mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:153): avc: denied { read open } for pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:154): avc: denied { execute_no_trans } for pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.108:155): avc: denied { map } for pid=1616 comm="mount" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:156): avc: denied { read } for pid=1616 comm="mount" name="vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:157): avc: denied { open } for pid=1616 comm="mount" path="/dev/vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:158): avc: denied { ioctl } for pid=1616 comm="mount" path="/dev/vda2" dev="devtmpfs" ino=347 ioctlcmd=0x1272 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:159): avc: denied { read } for pid=1616 comm="mount" name="252:2" dev="sysfs" ino=29428 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:160): avc: denied { read } for pid=1616 comm="mount" name="vda2" dev="sysfs" ino=29403 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:161): avc: denied { read } for pid=1616 comm="mount" name="dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:162): avc: denied { open } for pid=1616 comm="mount" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:163): avc: denied { getattr } for pid=1616 comm="mount" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:164): avc: denied { search } for pid=1616 comm="mount" name="mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:165): avc: denied { getattr } for pid=1616 comm="mount" path="/run/mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:166): avc: denied { read write } for pid=1616 comm="mount" name="mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.148:167): avc: denied { mount } for pid=1616 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.148:168): avc: denied { mounton } for pid=1616 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:169): avc: denied { getattr } for pid=1615 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:170): avc: denied { read } for pid=1615 comm="bootupd" name="BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:171): avc: denied { open } for pid=1615 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:172): avc: denied { search } for pid=1615 comm="bootupd" name="pki" dev="vda4" ino=37801279 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:173): avc: denied { read } for pid=1615 comm="bootupd" name="openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:174): avc: denied { open } for pid=1615 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:175): avc: denied { getattr } for pid=1615 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.188:176): avc: denied { unmount } for pid=1620 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
Great, if you could get the logs from an update as well that would be great.
[root@cosa-devsh ~]# bootupctl update
Previous BIOS: grub2-tools-1:2.06-121.fc40.x86_64
Updated BIOS: grub2-tools-1:2.06-123.fc40.x86_64
Previous EFI: grub2-efi-x64-1:2.06-121.fc40.x86_64,shim-x64-15.8-3.x86_64
Updated EFI: grub2-efi-x64-1:2.06-123.fc40.x86_64,shim-x64-15.8-3.x86_64
[root@cosa-devsh ~]# ausearch -m avc
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:146): avc: denied { execute } for pid=1601 comm="bootupd" name="mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:147): avc: denied { read open } for pid=1601 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:148): avc: denied { execute_no_trans } for pid=1601 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:149): avc: denied { map } for pid=1601 comm="mount" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:150): avc: denied { search } for pid=1601 comm="mount" name="mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:151): avc: denied { getattr } for pid=1601 comm="mount" path="/run/mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:152): avc: denied { read write } for pid=1601 comm="mount" name="mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.224:153): avc: denied { setsched } for pid=1601 comm="mount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:154): avc: denied { write } for pid=1600 comm="bootupd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:155): avc: denied { add_name } for pid=1600 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:156): avc: denied { create } for pid=1600 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:157): avc: denied { write open } for pid=1600 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=1408 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.228:158): avc: denied { lock } for pid=1600 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=1408 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.228:159): avc: denied { write } for pid=1600 comm="bootupd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.230:160): avc: denied { write } for pid=1600 comm="bootupd" path=2F626F6F742F233134202864656C6574656429 dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.237:161): avc: denied { add_name } for pid=1600 comm="bootupd" name="#14" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.237:162): avc: denied { link } for pid=1600 comm="bootupd" name="#14" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:163): avc: denied { remove_name } for pid=1600 comm="bootupd" name=".tmp.kmi6M32u.tmp" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:164): avc: denied { rename } for pid=1600 comm="bootupd" name=".tmp.kmi6M32u.tmp" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:165): avc: denied { unlink } for pid=1600 comm="bootupd" name="bootupd-state.json" dev="vda3" ino=21 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:166): avc: denied { execute } for pid=1603 comm="bootupd" name="findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.239:167): avc: denied { execute_no_trans } for pid=1603 comm="bootupd" path="/usr/bin/findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.239:168): avc: denied { map } for pid=1603 comm="findmnt" path="/usr/bin/findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.246:169): avc: denied { read } for pid=1604 comm="lsblk" name="block" dev="sysfs" ino=6 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.246:170): avc: denied { getattr } for pid=1604 comm="lsblk" path="/dev/vda3" dev="devtmpfs" ino=348 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:171): avc: denied { read } for pid=1604 comm="lsblk" name="252:3" dev="sysfs" ino=29718 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:172): avc: denied { read } for pid=1604 comm="lsblk" name="dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:173): avc: denied { open } for pid=1604 comm="lsblk" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:174): avc: denied { getattr } for pid=1604 comm="lsblk" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:175): avc: denied { getattr } for pid=1600 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:176): avc: denied { execute } for pid=1605 comm="bootupd" name="grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:177): avc: denied { read open } for pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:178): avc: denied { execute_no_trans } for pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.249:179): avc: denied { map } for pid=1605 comm="grub2-install" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.279:180): avc: denied { create } for pid=1605 comm="grub2-install" name="ast.mo" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:181): avc: denied { getattr } for pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:182): avc: denied { read write } for pid=1605 comm="grub2-install" name="control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:183): avc: denied { open } for pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:184): avc: denied { read } for pid=1605 comm="grub2-install" name="devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:185): avc: denied { open } for pid=1605 comm="grub2-install" path="/proc/devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:186): avc: denied { getattr } for pid=1605 comm="grub2-install" path="/proc/devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:187): avc: denied { ioctl } for pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 ioctlcmd=0xfd00 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:188): avc: denied { read } for pid=1605 comm="grub2-install" name="vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:189): avc: denied { open } for pid=1605 comm="grub2-install" path="/dev/vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:190): avc: denied { ioctl } for pid=1605 comm="grub2-install" path="/dev/vda" dev="devtmpfs" ino=345 ioctlcmd=0x1261 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:191): avc: denied { execute } for pid=1606 comm="grub2-install" name="udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:192): avc: denied { read open } for pid=1606 comm="grub2-install" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:193): avc: denied { execute_no_trans } for pid=1606 comm="grub2-install" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.979:194): avc: denied { map } for pid=1606 comm="udevadm" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.988:195): avc: denied { map } for pid=1606 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.988:196): avc: denied { search } for pid=1606 comm="udevadm" name="contexts" dev="vda4" ino=6293673 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:197): avc: denied { search } for pid=1606 comm="udevadm" name="files" dev="vda4" ino=7441252 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:198): avc: denied { read } for pid=1606 comm="udevadm" name="file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:199): avc: denied { open } for pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:200): avc: denied { getattr } for pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:201): avc: denied { map } for pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="vda4" ino=7441418 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.993:202): avc: denied { getattr } for pid=1606 comm="udevadm" path="/sys/dev/block/252:3" dev="sysfs" ino=29718 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.249:203): avc: denied { write } for pid=1605 comm="grub2-install" name="vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.307:204): avc: denied { unlink } for pid=1605 comm="grub2-install" name="mda_text.mod~" dev="vda3" ino=32951 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.311:205): avc: denied { write } for pid=1600 comm="bootupd" path=2F626F6F742F233137202864656C6574656429 dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.313:206): avc: denied { link } for pid=1600 comm="bootupd" name="#17" dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.313:207): avc: denied { rename } for pid=1600 comm="bootupd" name=".tmp.xBbMvtEE.tmp" dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:208): avc: denied { search } for pid=1600 comm="bootupd" name="pki" dev="vda4" ino=15782406 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:209): avc: denied { read } for pid=1600 comm="bootupd" name="openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:210): avc: denied { open } for pid=1600 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:211): avc: denied { getattr } for pid=1600 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.342:212): avc: denied { getattr } for pid=1600 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.385:213): avc: denied { mount } for pid=1627 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.386:214): avc: denied { mounton } for pid=1627 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.390:215): avc: denied { read } for pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:216): avc: denied { write } for pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:217): avc: denied { add_name } for pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:218): avc: denied { create } for pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:219): avc: denied { write open } for pid=1600 comm="bootupd" path="/boot/efi/EFI/.tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:220): avc: denied { setattr } for pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:221): avc: denied { remove_name } for pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:222): avc: denied { rename } for pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.419:223): avc: denied { unlink } for pid=1600 comm="bootupd" name="grubx64.efi" dev="vda2" ino=128 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.426:224): avc: denied { unmount } for pid=1634 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
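The two ausearch dumps above are long to read by hand. As an added example (not code from bootupd or selinux-policy), here is a small Python triage script that parses AVC records in exactly the format posted above, merges the denied permissions per (source type, target type, class) the way audit2allow does, and separately flags the two kinds of denial a policy reviewer should not simply turn into allow rules: targets of unlabeled_t (here the /boot/efi mount point, which is a labeling problem) and execute_no_trans on *_exec_t binaries (helpers such as mount and grub2-install running inside bootupd_t instead of transitioning to their own domains). The sample input is a constructed subset of the lines from this thread.

```python
"""Triage SELinux AVC denials into candidate allow rules plus review flags."""
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC records posted in this thread,
# in the exact format `ausearch -m avc` prints them.
SAMPLE_AVC = """\
type=AVC msg=audit(1719325148.107:150): avc: denied { getattr } for pid=1615 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1719325148.107:152): avc: denied { execute } for pid=1616 comm="bootupd" name="mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719325148.107:153): avc: denied { read open } for pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719325148.107:154): avc: denied { execute_no_trans } for pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719325148.148:167): avc: denied { mount } for pid=1616 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1719325148.148:168): avc: denied { mounton } for pid=1616 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1719325148.188:176): avc: denied { unmount } for pid=1620 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1719385081.248:178): avc: denied { execute_no_trans } for pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719385082.391:216): avc: denied { write } for pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'   # permissions that were denied
    r'(?:.*?\bcomm="(?P<comm>[^"]*)")?'              # process name, if present
    r'.*?\bscontext=(?P<scontext>\S+)'               # source (process) context
    r'\s+tcontext=(?P<tcontext>\S+)'                 # target (object) context
    r'\s+tclass=(?P<tclass>\S+)'                     # object class
    r'(?:\s+permissive=(?P<permissive>[01]))?'       # 1 = only logged, not blocked
)


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the part allow rules are written against."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """Fields of one AVC denial, or None for non-AVC lines
    (ausearch's '----' separators and 'time->' headers)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m["perms"].split()),
        "comm": m["comm"],
        "source": context_type(m["scontext"]),
        "target": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",
    }


def summarize(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def allow_rules(summary):
    """Render the merged denials as sorted candidate allow rules (audit2allow style)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def labeling_problems(summary):
    """Keys whose target is unlabeled_t: the object carries no label at all (here
    the /boot/efi mount point), so the fix is a file context, not an allow rule."""
    return sorted(k for k in summary if k[1] == "unlabeled_t")


def missing_transitions(summary):
    """*_exec_t targets hit with execute_no_trans: the helper (mount, grub2-install,
    ...) ran inside the source domain instead of transitioning to its own domain;
    a reviewer would reach for the existing *_domtrans interface instead."""
    return sorted({tgt for (_, tgt, _), perms in summary.items()
                   if "execute_no_trans" in perms and tgt.endswith("_exec_t")})


def enforcing_denials(lines):
    """Records that were actually blocked (permissive=0). Empty for this thread's
    logs, which is why bootupd still works while the domain is permissive."""
    return [r for r in map(parse_avc, lines) if r and not r["permissive"]]


if __name__ == "__main__":
    s = summarize(SAMPLE_AVC.splitlines())
    print("\n".join(allow_rules(s)))
    print("labeling problems:", labeling_problems(s))
    print("helpers without domain transition:", missing_transitions(s))
```

Feed it the full `ausearch -m avc` output instead of the sample to get the complete picture for the validate and update runs.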
Created https://issues.redhat.com/browse/FC-1230 to track the denied logs.
Bootupd is no longer using a systemd service and socket unit.
It is now called either directly from the command line by an administrator or, in the future, as part of the boot process in a oneshot unit.
See: https://github.com/coreos/bootupd/issues/551