Bug 2137324

Summary: SELinux is preventing systemd_gpt_generator_t write to fixed_disk_device_t blk_file
Product: [Fedora] Fedora
Reporter: Patrik Koncity <pkoncity>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: low
Version: rawhide
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-10-24 13:11:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrik Koncity 2022-10-24 13:06:56 UTC
Description of problem:
SELinux is preventing systemd_gpt_generator_t write to fixed_disk_device_t blk_file.

Version-Release number of selected component (if applicable):
selinux-policy
keylime

Actual results:
Tests show denials.


Expected results:
Tests won't show any denials.


Additional info:
From the keylime point of view, the denials do not cause any failures in the test suite. So maybe a possible way to solve it is to dontaudit these rules. I'm not able to reproduce it; it appears only in CI.



type=AVC msg=audit(1666601751.037:589): avc:  denied  { write } for  pid=29242 comm="systemd-gpt-aut" name="nvme0n1" dev="devtmpfs" ino=298 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

https://artifacts.dev.testing-farm.io/59192121-dab6-4a22-91be-d07f0335e0e9/

Comment 1 Patrik Koncity 2022-10-24 13:09:04 UTC
Also need to dontaudit this rule:

dontaudit systemd_gpt_generator_t systemd_gpt_generator_t:capability sys_admin;
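As an added example (not code from the bug report or from the selinux-policy project), the following Python helper does the triage step the description and comment 1 go through by hand: it parses AVC denial lines such as the one in the description into source type, target type, object class and permissions, renders the refpolicy `dontaudit` statement that would silence each denial, and checks which denials an existing rule (for instance the capability rule in comment 1) already covers. The first AVC line is the one from the report; the second is constructed for illustration, and all function names are my own.

```python
import re

# AVC denial copied from the bug description above.
AVC_WRITE = (
    'type=AVC msg=audit(1666601751.037:589): avc:  denied  { write } for  pid=29242 '
    'comm="systemd-gpt-aut" name="nvme0n1" dev="devtmpfs" ino=298 '
    'scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0'
)

# Constructed sample (not from the report) of the capability denial that the
# rule in comment 1 targets; capability 21 is CAP_SYS_ADMIN. For the capability
# class the source and target contexts are the same domain.
AVC_CAP = (
    'type=AVC msg=audit(1666601751.040:590): avc:  denied  { sys_admin } for  pid=29242 '
    'comm="systemd-gpt-aut" capability=21 '
    'scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0'
)

_DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_RULE = re.compile(r'(dontaudit|allow)\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;')


def parse_avc(line):
    """Split one AVC denial line into its policy-relevant fields.

    Returns None for lines that are not AVC denials (SYSCALL records, granted
    AVCs, unrelated audit noise)."""
    m = _DENIED.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    return {
        'perms': m.group(1).split(),
        # context is user:role:type:level; the type is what policy rules use
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'permissive': fields.get('permissive') == '1',
    }


def dontaudit_rule(rec):
    """Render the refpolicy dontaudit statement that would silence this denial."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'dontaudit %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_text)


def rule_covers(rule, rec):
    """True if an existing dontaudit/allow line already covers the parsed denial.

    Accepts both the explicit form used in comment 1 (type repeated as target)
    and the equivalent 'self' shorthand."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError('unrecognised rule: %r' % rule)
    _kind, src, tgt, cls, perms = m.groups()
    perm_set = set(perms.strip('{} ').split())
    target_ok = (tgt == rec['ttype']) or (tgt == 'self' and rec['stype'] == rec['ttype'])
    return (src == rec['stype'] and target_ok and cls == rec['tclass']
            and set(rec['perms']) <= perm_set)


def missing_rules(lines, existing_rules):
    """Return the dontaudit statements still needed for denials in `lines`
    that none of `existing_rules` covers (enforcing denials only)."""
    needed = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['permissive']:
            continue
        if any(rule_covers(r, rec) for r in existing_rules):
            continue
        rule = dontaudit_rule(rec)
        if rule not in needed:
            needed.append(rule)
    return needed


if __name__ == '__main__':
    already = ['dontaudit systemd_gpt_generator_t systemd_gpt_generator_t:capability sys_admin;']
    for r in missing_rules([AVC_WRITE, AVC_CAP], already):
        print(r)
```

Running the block prints only the rule for the blk_file write denial, because the capability denial is already covered by the rule from comment 1. Whether a denial should be dontaudited rather than allowed is a policy decision: the helper only shows the statement shape, and a `dontaudit` hides the event from the audit log without granting the access.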

Comment 2 Zdenek Pytela 2022-10-24 13:11:24 UTC
Should be fixed in rawhide soon, not sure about other releases.

*** This bug has been marked as a duplicate of bug 2083900 ***