Closed DaanDeMeyer closed 1 month ago
```
Jul 09 10:01:51 fedora audit[413]: AVC avc: denied { setfscreate } for pid=413 comm="systemd-debug-g" scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:systemd_debug_generator_t:s0 tclass=process permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { read } for pid=414 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { open } for pid=414 comm="systemd-fstab-g" path="/run/credentials/@system/fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { getattr } for pid=414 comm="systemd-fstab-g" path="/run/credentials/@system/fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { getattr } for pid=414 comm="systemd-fstab-g" path="/work" dev="sdb3" ino=347814194 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { search } for pid=414 comm="systemd-fstab-g" name="work" dev="sdb3" ino=347814194 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jul 09 10:01:51 fedora audit[416]: AVC avc: denied { setfscreate } for pid=416 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Jul 09 10:01:51 fedora audit[440]: AVC avc: denied { write } for pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[440]: AVC avc: denied { setattr } for pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[463]: AVC avc: denied { write } for pid=463 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:51 fedora audit[463]: AVC avc: denied { setattr } for pid=463 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
Jul 09 10:01:52 fedora audit[474]: AVC avc: denied { write } for pid=474 comm="systemd-nsresou" name="memory.pressure" dev="cgroup2" ino=2901 scontext=system_u:system_r:systemd_nsresourced_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc: denied { connectto } for pid=499 comm="(networkd)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
Jul 09 10:01:52 fedora audit[521]: AVC avc: denied { connectto } for pid=521 comm="(tworkctl)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc: denied { read } for pid=499 comm="systemd-network" path="/var/lib/systemd/network" dev="sdb3" ino=347781811 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc: denied { write } for pid=499 comm="systemd-network" name="network" dev="sdb3" ino=347781811 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
Jul 09 10:01:52 fedora audit[499]: AVC avc: denied { getattr } for pid=499 comm="systemd-network" path="/var/lib/systemd/network" dev="sdb3" ino=347781811 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
Jul 09 10:01:53 fedora audit[581]: AVC avc: denied { connectto } for pid=581 comm="(emd-oomd)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1
```
All of these are expected and triggered by using various features of systemd or util-linux and should be allowed by the policy.
To reproduce:

```
git clone https://github.com/systemd/mkosi
cd mkosi
sudo bin/mkosi -d fedora -r rawhide -p selinux-policy-targeted --selinux-relabel=auto -t disk -f qemu
journalctl -g AVC
```
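A small triage helper for a denial dump like the one above, added here as an example and not part of the report or of the selinux-policy project. It parses the AVC records the way a policy maintainer reads them, folds them into (source type, target type, class) groups with the union of denied permissions, and separates out records whose target is `unlabeled_t`, because those point at a missing label (the `/work` directory on `sdb3` in this report) rather than at a missing allow rule. It also checks the `permissive=1` field, which here means the access actually went through and the record is only an audit of what enforcing mode would have blocked. The sample records are copied from the report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Field layout of an AVC record as journald/auditd print it:
#   ... avc: denied { perm [perm ...] } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# A subset of the denials from the report above (verbatim copies).
SAMPLE_DENIALS = [
    'Jul 09 10:01:51 fedora audit[413]: AVC avc: denied { setfscreate } for pid=413 comm="systemd-debug-g" scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:system_r:systemd_debug_generator_t:s0 tclass=process permissive=1',
    'Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { read } for pid=414 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1',
    'Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { open } for pid=414 comm="systemd-fstab-g" path="/run/credentials/@system/fstab.extra" dev="tmpfs" ino=7 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1',
    'Jul 09 10:01:51 fedora audit[414]: AVC avc: denied { getattr } for pid=414 comm="systemd-fstab-g" path="/work" dev="sdb3" ino=347814194 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
    'Jul 09 10:01:51 fedora audit[440]: AVC avc: denied { write } for pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1',
    'Jul 09 10:01:51 fedora audit[440]: AVC avc: denied { setattr } for pid=440 comm="systemd-pcrexte" name="tpm2-measure.log" dev="tmpfs" ino=113 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1',
    'Jul 09 10:01:52 fedora audit[499]: AVC avc: denied { connectto } for pid=499 comm="(networkd)" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_nsresourced_t:s0 tclass=unix_stream_socket permissive=1',
]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Return the type component of a user:role:type:level security context."""
    return ctx.split(":")[2]


def triage(lines):
    """Split denials into allow-rule candidates and labeling problems.

    Returns (rules, relabel): rules maps (source type, target type, class) to the
    sorted set of denied permissions; relabel lists objects seen as unlabeled_t,
    which need a file context / relabel rather than an allow rule.
    """
    rules = defaultdict(set)
    relabel = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        if tgt == "unlabeled_t":
            relabel.add(rec.get("path") or rec.get("name"))
            continue
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}, sorted(relabel)


def format_rules(rules):
    """Render the grouped denials in allow-rule syntax, one line per group."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        ps = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {ps};")
    return out


def permissive_only(lines):
    """True if every AVC record carries permissive=1, i.e. nothing was actually blocked."""
    recs = [r for r in map(parse_avc, lines) if r]
    return bool(recs) and all(r.get("permissive") == "1" for r in recs)


if __name__ == "__main__":
    rules, relabel = triage(SAMPLE_DENIALS)
    print("\n".join(format_rules(rules)))
    print("needs relabel:", relabel)
    print("permissive only:", permissive_only(SAMPLE_DENIALS))
```

The grouping is the same shape audit2allow prints, but the output is a reading aid, not something to load as-is: a maintainer still decides whether each group belongs in the domain's interface (as the pcrextend entries in the reply below show, sometimes the answer is a new confined domain rather than a wider rule for `init_t`).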
Please try the latest build: https://bodhi.fedoraproject.org/updates/FEDORA-2024-64134f8805 All except pcrextend, which needs confining, should be addressed.
These are fixed, thanks!