| Summary: |
fdo-client-linuxapp fails to make changes with selinux in enforcing |
| Product: |
[Fedora] Fedora
|
Reporter: |
Paul Whalen <pwhalen> |
| Component: |
selinux-policy | Assignee: |
Nikola Knazekova <nknazeko> |
| Status: |
NEW
---
|
QA Contact: |
Fedora Extras Quality Assurance <extras-qa> |
| Severity: |
medium
|
Docs Contact: |
|
| Priority: |
unspecified
|
|
|
| Version: |
38 | CC: |
dwalsh, idiez, lvrabec, miabbott, mmalik, nknazeko, omosnacek, pbrobinson, perobins, pkoncity, vmojzis, zpytela
|
| Target Milestone: |
--- | |
|
| Target Release: |
--- | |
|
| Hardware: |
Unspecified | |
|
| OS: |
Linux | |
|
| Whiteboard: |
|
|
Fixed In Version:
|
|
Doc Type:
|
If docs needed, set a value
|
|---|
|
Doc Text:
|
|
Story Points:
|
---
|
|---|
|
Clone Of:
|
|
Environment:
|
|
|---|
|
Last Closed:
|
|
Type:
|
---
|
|---|
|
Regression:
|
---
|
Mount Type:
|
---
|
|---|
|
Documentation:
|
---
|
CRM:
|
|
|---|
|
Verified Versions:
|
|
Category:
|
---
|
|---|
|
oVirt Team:
|
---
|
RHEL 7.3 requirements from Atomic Host:
|
|
|---|
|
Cloudforms Team:
|
---
|
Target Upstream Version:
|
|
|---|
|
Embargoed:
|
|
| |
|---|
| Bug Depends On: |
|
|
|
| Bug Blocks: |
1269538
|
|
|
| Attachments: |
|
Running `fdo-client` on an F38 IoT system fails to make configured changes due to selinux denials: type=AVC msg=audit(1689703785.900:181): avc: denied { getattr } for pid=1279 comm="fdo-client-linu" path="/boot/device-credentials" dev="vda2" ino=24 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 type=AVC msg=audit(1689704283.118:192): avc: denied { getattr } for pid=1522 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Changing to Permissive allows the fdo-client to make the configured changes, sample AVC's listed below(full list attached): type=AVC msg=audit(1689704302.214:197): avc: denied { getattr } for pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.214:198): avc: denied { read } for pid=1534 comm="fdo-client-linu" name="device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.214:199): avc: denied { open } for pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.286:200): avc: denied { write } for pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.286:201): avc: denied { setattr } for pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.288:202): avc: denied { read } for pid=1534 comm="fdo-client-linu" name="passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.288:203): avc: denied { open } for pid=1534 comm="fdo-client-linu" path="/etc/passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 Reproducible: Always Steps to Reproduce: 1. Start the fdo-client-linuxapp.service on a host with selinux in enforcing 2. FDO client fails to make configuration changes Expected Results: Configuration changes to the running system.