Open HuijingHei opened 2 weeks ago
On Fedora CoreOS using Rawhide (using selinux-policy-41.18-1.fc42.noarch), we get the following AVCs:
type=AVC msg=audit(1727251620.092:170): avc: denied { getattr } for pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:171): avc: denied { read } for pid=1472 comm="bootupctl" name=".aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:172): avc: denied { open } for pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
And
type=AVC msg=audit(1727251620.089:166): avc: denied { search } for pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc: denied { read } for pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:168): avc: denied { open } for pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:169): avc: denied { getattr } for pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
We use lsblk in https://github.com/coreos/bootupd/pull/729
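An added example, not part of the original report and not code from bootupd or selinux-policy: a small Python parser that groups AVC denial records like the ones above by source type, target type and object class, which is the summary needed when reviewing what a confined domain was denied. The function names are hypothetical; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# Records copied from the report above; the first two are deliberately left
# run together on one line, as they appear in the scraped page.
SAMPLE = """\
type=AVC msg=audit(1727251620.092:170): avc: denied { getattr } for pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1 type=AVC msg=audit(1727251620.092:171): avc: denied { read } for pid=1472 comm="bootupctl" name=".aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:166): avc: denied { search } for pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc: denied { read } for pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """A context is user:role:type:level; return the type (third field)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(chunk):
    """Return a dict for one AVC denial record, or None if chunk is not one."""
    m = AVC_RE.search(chunk)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(text):
    """Group denials: (source type, target type, class) -> perms and commands."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    # Split before every "type=AVC" so run-together records are still separated.
    for chunk in re.split(r'(?=type=AVC\b)', text):
        rec = parse_avc(chunk)
        if rec:
            key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
            groups[key]["perms"].update(rec["perms"])
            groups[key]["comms"].add(rec.get("comm", "?"))
    return dict(groups)

def render(groups):
    """One line per group, with the commands that triggered it as a comment."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }}  # {', '.join(sorted(g['comms']))}"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The output is a review aid only; it does not say which rules belong in the policy.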
@zpytela Gentle ping here. We would appreciate it if we could have that in Fedora 41. Thanks
Hi @zpytela, could you help look at this at your convenience? We need this for Fedora 41. Thanks!