Bug 1991077

Summary: AVC avc: denied { read } for pid=3083 comm="systemd-gpt-aut" name="b8:1" dev="tmpfs"
Product: Fedora
Component: selinux-policy
Version: 35
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Chris Murphy <bugzilla>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, fhrdina, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, walters, zbyszek, zpytela
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2022-09-12 15:19:00 UTC
Attachments:
journalctl (attachment 1811731, no flags)

Description Chris Murphy 2021-08-07 03:28:12 UTC
Created attachment 1811731 [details]
journalctl

Description of problem:

Getting an AVC denial and subsequent systemd-gpt-auto-generator failure.


Version-Release number of selected component (if applicable):
systemd-249.2-1.fc35.x86_64
selinux-policy-34.14-2.fc35.noarch


How reproducible:
Transient but often


Steps to Reproduce:
1. Boot

Actual results:

Aug 06 22:51:41 fmac.local audit[3083]: AVC avc:  denied  { read } for  pid=3083 comm="systemd-gpt-aut" name="b8:1" dev="tmpfs" ino=1047 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
Aug 06 22:51:41 fmac.local systemd-gpt-auto-generator[3083]: Failed to dissect: Permission denied
Aug 06 22:51:41 fmac.local systemd[3067]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.


Expected results:

It probably should be allowed


Additional info:
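
The three journal lines above contain everything needed to triage the denial. The following Python is an added example, not part of the bug report or of selinux-policy: it parses AVC records in the journal format shown, extracts the source and target types, the object class and the permission set, and prints the allow rule audit2allow would derive for it (`allow systemd_gpt_generator_t udev_var_run_t:file read;`). The sample input is the three lines from the report, embedded as constructed data. The mapping of name="b8:1" on a udev_var_run_t tmpfs file to /run/udev/data/b8:1 (udev's database entry for block device major 8, minor 1, i.e. the first partition of the first sd disk) is an inference from udev's runtime layout, not something the report states.

```python
"""Parse SELinux AVC denials out of journal text and derive the audit2allow-style
rule. Added example; the sample journal lines below are constructed from the
bug report and are not live output."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the three journal lines quoted in the report.
SAMPLE_JOURNAL = """\
Aug 06 22:51:41 fmac.local audit[3083]: AVC avc:  denied  { read } for  pid=3083 comm="systemd-gpt-aut" name="b8:1" dev="tmpfs" ino=1047 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
Aug 06 22:51:41 fmac.local systemd-gpt-auto-generator[3083]: Failed to dissect: Permission denied
Aug 06 22:51:41 fmac.local systemd[3067]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
"""

# "AVC avc:  denied  { read } for  pid=... comm=..." is the kernel's AVC record as
# journald renders it. The permission set may hold several names ({ read open }).
AVC_RE = re.compile(
    r"AVC avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, name, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str
    perms: list[str]
    fields: dict[str, str] = field(default_factory=dict)

    def _type_of(self, key: str) -> str:
        # A context is user:role:type:level; the type is the third component.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of("scontext")

    @property
    def target_type(self) -> str:
        return self._type_of("tcontext")

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def enforced(self) -> bool:
        # permissive=0 means the access was really blocked, not merely logged.
        return self.fields.get("permissive") == "0"

    def allow_rule(self) -> str:
        """The rule audit2allow would emit for this record."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"

    def udev_db_path(self) -> str | None:
        """Inference (assumption, not stated in the report): a file named
        b<major>:<minor> or c<major>:<minor> labelled udev_var_run_t on tmpfs is
        udev's device database entry under /run/udev/data/."""
        name = self.fields.get("name", "")
        if self.target_type == "udev_var_run_t" and re.fullmatch(r"[bc]\d+:\d+", name):
            return f"/run/udev/data/{name}"
        return None


def parse_avc(line: str) -> AvcRecord | None:
    """Return the AVC record carried by one journal line, or None if it has none."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(m.group("decision"), m.group("perms").split(), fields)


def parse_journal(text: str) -> list[AvcRecord]:
    """All AVC records in a block of journal text, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def main() -> None:
    for rec in parse_journal(SAMPLE_JOURNAL):
        print(f"{rec.decision} {rec.perms} pid={rec.fields['pid']} comm={rec.fields['comm']}"
              f" enforced={rec.enforced}")
        print("  object :", rec.udev_db_path() or rec.fields.get("name"))
        print("  rule   :", rec.allow_rule())


if __name__ == "__main__":
    main()
```

On a system that exhibits the denial the same rule comes out of `ausearch -m avc -c systemd-gpt-aut | audit2allow`, and whether the installed policy already carries it can be checked with `sesearch -A -s systemd_gpt_generator_t -t udev_var_run_t -c file -p read`; an empty result means the policy still lacks the rule and the generator will keep failing in enforcing mode.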

Comment 1 Chris Murphy 2021-08-07 03:41:33 UTC
Ordinarily this release criterion's "notification" is considered to be a desktop notification. https://fedoraproject.org/wiki/Fedora_35_Final_Release_Criteria#SELinux_and_crash_notifications
However, I think Fedora CoreOS makes use of Discoverable Partitions Spec? Or intends to? If so then this could be argued to be a blocker, since in that case the mechanism of notification is such an AVC denial appearing in the journal. For everything else, as far as I know, we're not using discoverable partition spec (yet).

Comment 2 Ben Cotton 2021-08-10 13:36:18 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

Comment 3 Zdenek Pytela 2022-09-12 15:19:00 UTC
This bz has been fixed in F35.