Bug 1975125 - avc: denied for comm="systemd-gpt-aut" dev="tmpfs"
Summary: avc: denied for comm="systemd-gpt-aut" dev="tmpfs"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: aarch64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ARMTracker
 
Reported: 2021-06-23 07:22 UTC by Bruno Goncalves
Modified: 2022-04-08 13:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-08 13:55:26 UTC
Type: Bug
Embargoed:


Description Bruno Goncalves 2021-06-23 07:22:44 UTC
Description of problem:
We noticed this issue running CKI "Networking bridge: sanity" [1] on an aarch64 machine.

----
time->Sun Jun 20 04:09:04 2021
type=AVC msg=audit(1624176544.113:1062): avc:  denied  { read } for  pid=770801 comm="systemd-gpt-aut" name="b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Sun Jun 20 04:09:04 2021
type=AVC msg=audit(1624176544.113:1063): avc:  denied  { open } for  pid=770801 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Sun Jun 20 04:09:04 2021
type=AVC msg=audit(1624176544.113:1064): avc:  denied  { getattr } for  pid=770801 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Sun Jun 20 04:09:56 2021
type=AVC msg=audit(1624176596.073:1131): avc:  denied  { read } for  pid=771707 comm="systemd-gpt-aut" name="b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Sun Jun 20 04:09:56 2021
type=AVC msg=audit(1624176596.073:1132): avc:  denied  { open } for  pid=771707 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Sun Jun 20 04:09:56 2021
type=AVC msg=audit(1624176596.073:1133): avc:  denied  { getattr } for  pid=771707 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-34.9-1.fc35.noarch

How reproducible:
100%

Steps to Reproduce:
1. Run the test [1] on an aarch64 machine on a Rawhide compose that includes selinux-policy-34.9-1.fc35.noarch


[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/networking/bridge/sanity_check

Comment 2 Zdenek Pytela 2021-06-23 09:02:58 UTC
For a quick workaround, execute these commands:

# as root: write a CIL module that allows the denied accesses, then install it
echo '(allow systemd_gpt_generator_t udev_var_run_t (file (getattr open read ioctl lock)))' > local_sd_gpt_aut.cil
semodule -i local_sd_gpt_aut.cil

and, once the module is not needed,
# remove it by module name (the name is the file name without the .cil extension)
semodule -r local_sd_gpt_aut

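An added example (not code from the report or from the selinux-policy project) showing how the allow rule in the workaround follows from the AVC records above: it parses the scontext/tcontext/tclass fields, merges the denied permissions per source type, target type and class, and emits a CIL allow rule, which is essentially what audit2allow does. The sample input reuses three of the records quoted in the description; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: three AVC records copied from the report's audit output.
SAMPLE_AVC = """\
type=AVC msg=audit(1624176544.113:1062): avc:  denied  { read } for  pid=770801 comm="systemd-gpt-aut" name="b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1624176544.113:1063): avc:  denied  { open } for  pid=770801 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1624176544.113:1064): avc:  denied  { getattr } for  pid=770801 comm="systemd-gpt-aut" path="/run/udev/data/b252:1" dev="tmpfs" ino=916 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
"""

# Fields of an AVC denial we need: permissions, source/target context, class, permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """Yield one dict per AVC denial record found in the audit text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            yield d

def selinux_type(context):
    """The type is the third field of a user:role:type:level context."""
    return context.split(":")[2]

def cil_allow_rules(text):
    """Merge denials per (source type, target type, class) and emit CIL allow rules."""
    perms = defaultdict(set)
    for d in parse_avc(text):
        key = (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])
        perms[key].update(d["perms"])
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(perms.items())
    ]

def enforced_denials(text):
    """Records where the access was really blocked (permissive=0 or flag absent)."""
    return [d for d in parse_avc(text) if d["permissive"] != "1"]
```

The rule generated from the records is the minimal one (getattr, open, read); the workaround in comment 2 additionally grants ioctl and lock. All records carry permissive=1, so the generator was only logged, not blocked, when the test ran.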
Comment 3 Ben Cotton 2021-08-10 13:08:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.
