Bug 2224599

Summary: fdo-client-linuxapp fails to make changes with selinux in enforcing
Product: [Fedora] Fedora Reporter: Paul Whalen <pwhalen>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 38CC: dwalsh, idiez, lvrabec, miabbott, mmalik, nknazeko, omosnacek, pbrobinson, perobins, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-28 13:34:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1269538    
Attachments:
Description Flags
fdo-client-avcs none

Description Paul Whalen 2023-07-21 15:44:30 UTC 
Running `fdo-client` on an F38 IoT system fails to make configured changes due to selinux denials:

type=AVC msg=audit(1689703785.900:181): avc:  denied  { getattr } for  pid=1279 comm="fdo-client-linu" path="/boot/device-credentials" dev="vda2" ino=24 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1689704283.118:192): avc:  denied  { getattr } for  pid=1522 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Changing to Permissive allows the fdo-client to make the configured changes, sample AVC's listed below(full list attached):

type=AVC msg=audit(1689704302.214:197): avc:  denied  { getattr } for  pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.214:198): avc:  denied  { read } for  pid=1534 comm="fdo-client-linu" name="device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.214:199): avc:  denied  { open } for  pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.286:200): avc:  denied  { write } for  pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.286:201): avc:  denied  { setattr } for  pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.288:202): avc:  denied  { read } for  pid=1534 comm="fdo-client-linu" name="passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689704302.288:203): avc:  denied  { open } for  pid=1534 comm="fdo-client-linu" path="/etc/passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1


Reproducible: Always

Steps to Reproduce:
1. Start the fdo-client-linuxapp.service on a host with selinux in enforcing
2. FDO client fails to make configuration changes


Expected Results:  
Configuration changes to the running system.
Comment 1 Paul Whalen 2023-07-21 15:47:42 UTC 
Created attachment 1976962 [details]
fdo-client-avcs
Comment 2 Aoife Moloney 2024-05-28 13:34:00 UTC 
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.