Bug 2292627
| Summary: | SELinux is preventing systemd-cryptse from 'search' accesses on the directory dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andrei Nevedomskii <little.angry.satan> | ||||||
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 40 | CC: | dwalsh, little.angry.satan, lvrabec, mmalik, omosnacek, philipp.raich, pkoncity, poppyschmo, vmojzis, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:8fa4532e4b2c9244bb816f0d2d39c7ea9a8167c71f52cd84663df0653131b004;VARIANT_ID=workstation; | ||||||||
| Fixed In Version: | selinux-policy-40.24-1.fc40 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2024-07-19 01:46:16 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 2037552 [details]
File: description
Created attachment 2037553 [details]
File: os_info
*** Bug 2292480 has been marked as a duplicate of this bug. *** *** Bug 2293037 has been marked as a duplicate of this bug. *** I believe this is fixed in selinux-policy-40.23-1.fc40 FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc FEDORA-2024-f30b2bffdc has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f30b2bffdc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. Hi, I'm getting an almost identical error, except for write access. This is with 40.23 and 40.24. Please let me know if I should post this somewhere else. Thank you. Output from sealert follows:
SELinux is preventing systemd-cryptse from write access on the directory dev-mapper-luks\x2dvol1.device.d.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-cryptse should be allowed write access on the dev-mapper-luks\x2dvol1.device.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-cryptse' --raw | audit2allow -M my-systemdcryptse
# semodule -X 300 -i my-systemdcryptse.pp
Additional Information:
Source Context system_u:system_r:systemd_cryptsetup_generator_t:s
0
Target Context system_u:object_r:systemd_fstab_generator_unit_fil
e_t:s0
Target Objects dev-mapper-luks\x2dvol1.device.d [ dir ]
Source systemd-cryptse
Source Path systemd-cryptse
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-40.24-1.fc40.noarch
Local Policy RPM selinux-policy-targeted-40.24-1.fc40.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 6.8.11-300.fc40.x86_64 #1 SMP
PREEMPT_DYNAMIC Mon May 27 14:53:33 UTC 2024
x86_64
Alert Count 2
First Seen 2024-07-21 15:30:55 PDT
Last Seen 2024-07-21 15:30:55 PDT
Local ID d38e43ad-b9c7-4353-8be5-3281e9179feb
Raw Audit Messages
type=AVC msg=audit(1721601055.839:1348): avc: denied { write } for pid=89179 comm="systemd-cryptse" name="dev-mapper-luks\x2dvol1.device.d" dev="tmpfs" ino=4245 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0
Hash: systemd-cryptse,systemd_cryptsetup_generator_t,systemd_fstab_generator_unit_file_t,dir,write
(In reply to J Soko from comment #9) > Hi, I'm getting an almost identical error, except for write access. This is > with 40.23 and 40.24. I am no longer affected by this as of version 40.26. Thanks for fixing it. |
Description of problem: SELinux is preventing systemd-cryptse from 'search' accesses on the directory dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-cryptse should be allowed search access on the dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-cryptse' --raw | audit2allow -M my-systemdcryptse # semodule -X 300 -i my-systemdcryptse.pp Additional Information: Source Context system_u:system_r:systemd_cryptsetup_generator_t:s 0 Target Context system_u:object_r:systemd_fstab_generator_unit_fil e_t:s0 Target Objects dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db65 1\x2dd73a2ce3abea.device.d [ dir ] Source systemd-cryptse Source Path systemd-cryptse Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch Local Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.8.11-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon May 27 14:53:33 UTC 2024 x86_64 Alert Count 2 First Seen 2024-06-14 14:11:15 CEST Last Seen 2024-06-14 14:11:15 CEST Local ID 9fc65896-de26-4157-a590-8801b09c9ca0 Raw Audit Messages type=AVC msg=audit(1718367075.364:523): avc: denied { search } for pid=15111 comm="systemd-cryptse" name="dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d" dev="tmpfs" ino=3232 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0 Hash: systemd-cryptse,systemd_cryptsetup_generator_t,systemd_fstab_generator_unit_file_t,dir,search Version-Release number of selected component: selinux-policy-targeted-40.22-1.fc40.noarch Additional info: reporter: libreport-2.17.15 component: selinux-policy reason: SELinux is preventing systemd-cryptse from 'search' accesses on the directory dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d. type: libreport hashmarkername: setroubleshoot package: selinux-policy-targeted-40.22-1.fc40.noarch kernel: 6.8.11-300.fc40.x86_64 component: selinux-policy