fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Missing rules for bootupd on Fedora CoreOS Rawhide #2362

Open HuijingHei opened 2 weeks ago

HuijingHei commented 2 weeks ago

On Fedora CoreOS using Rawhide (using selinux-policy-41.18-1.fc42.noarch), we get the following AVCs:

type=AVC msg=audit(1727251620.092:170): avc:  denied  { getattr } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:171): avc:  denied  { read } for  pid=1472 comm="bootupctl" name=".aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:172): avc:  denied  { open } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

And

type=AVC msg=audit(1727251620.089:166): avc:  denied  { search } for  pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc:  denied  { read } for  pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:168): avc:  denied  { open } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:169): avc:  denied  { getattr } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

We use lsblk in https://github.com/coreos/bootupd/pull/729
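The AVC lines above are the raw material a policy maintainer works from: each one names a source domain, a target type, an object class and the permissions that would have been denied (permissive=1 means the access was actually let through, so these records show what enforcing mode would block). The following script is an added example, not code from the issue or from selinux-policy; it parses the quoted lines (embedded here as constructed sample input) and collapses them into the minimal set of allow rules, per (source type, target type, class), the way audit2allow does. The regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the issue comment above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1727251620.092:170): avc:  denied  { getattr } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:171): avc:  denied  { read } for  pid=1472 comm="bootupctl" name=".aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:172): avc:  denied  { open } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:166): avc:  denied  { search } for  pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc:  denied  { read } for  pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:168): avc:  denied  { open } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:169): avc:  denied  { getattr } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
"""

# Hypothetical parser (not part of selinux-policy): pull out the fields that
# determine a type-enforcement rule. Contexts are user:role:type:level, so the
# type is the third colon-separated field.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "src": m.group("scontext").split(":")[2],
        "tgt": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1: the kernel logged the denial but let the access proceed.
        "permissive": m.group("permissive") == "1",
    }


def summarize(text):
    """Merge all denials into {(src_type, tgt_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        rules[(rec["src"], rec["tgt"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render the merged denials as type-enforcement allow statements."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Running it yields three rules: bootupd_t reading root_t files, and bootupd_t searching udev_var_run_t directories and reading udev_var_run_t files. Two things a reviewer checks before merging such rules: whether the merged permission set is wider than any single record (here each rule is exactly the union of what the listed commands needed, nothing more), and whether the target type is specific enough. root_t is the generic label for the filesystem root and is inherited by unlabeled files created there, so a read rule on root_t grants access to everything carrying that label, not only /sysroot/.aleph-version.json; in the distribution policy the usual remedy is a file context entry giving such a file its own type, or an existing interface for the target type, rather than a raw allow rule.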

travier commented 6 days ago

@zpytela Gentle ping here. We would appreciate it if we could have that in Fedora 41. Thanks

HuijingHei commented 14 hours ago

Hi @zpytela, could you help look at this at your convenience? We need this for Fedora 41. Thanks!