Bug 2367958

Summary: denied read on LiveCD
Product: [Fedora] Fedora
Reporter: Karel Zak <kzak>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: ASSIGNED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: rawhide
CC: dwalsh, ipedrosa, lvrabec, mmalik, ngompa13, omosnacek, pkoncity, vmojzis, zbyszek, zpytela
Hardware: Unspecified   
OS: Linux   
Bug Blocks: 2360108    

Description Karel Zak 2025-05-22 10:40:04 UTC
After upgrading to the latest util-linux v2.41, the LiveCD is almost useless due to denied reads:
                                                                                     
May 22 09:42:37 localhost-live audit[1348]: AVC avc:  denied  { read } for  pid=1348 comm="firewalld" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:48 localhost-live audit[2484]: AVC avc:  denied  { read } for  pid=2484 comm="sssd_kcm" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:49 localhost-live audit[2515]: AVC avc:  denied  { read } for  pid=2515 comm="systemd-localed" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:50 localhost-live audit[2562]: AVC avc:  denied  { read } for  pid=2562 comm="pkla-check-auth" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:50 localhost-live audit[2555]: AVC avc:  denied  { read } for  pid=2555 comm="geoclue" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:51 localhost-live audit[2555]: AVC avc:  denied  { read } for  pid=2555 comm="geoclue" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:54 localhost-live audit[2765]: AVC avc:  denied  { read } for  pid=2765 comm="pkla-check-auth" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:43:01 localhost-live audit[2607]: AVC avc:  denied  { read } for  pid=2607 comm="wpa_supplicant" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:43:18 localhost-live audit[2270]: AVC avc:  denied  { read } for  pid=2270 comm="cupsd" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1

I believe the issue is related to https://bugzilla.redhat.com/show_bug.cgi?id=2367956.

Reproducible: Always

Comment 1 Zdenek Pytela 2025-05-22 10:46:23 UTC
Hi Karel,

in the denials there is permissive=1 indicating the system was in permissive mode. Did you change it intentionally in order to get all denials?

Comment 2 Zdenek Pytela 2025-05-22 10:51:34 UTC
Additional question: Do you happen to know what changed in util-linux v2.41 leading to these denials?

I can't see anything at first glance:
https://www.kernel.org/pub/linux/utils/util-linux/v2.41/v2.41-ReleaseNotes

Comment 3 Karel Zak 2025-05-22 12:27:02 UTC
The log is from a system booted with enforcing=0 on the kernel command line.
 
The only relevant thing in the update is that there is no loop device, but a directly mounted image. See #2367956.

Comment 4 Karel Zak 2025-05-27 08:02:16 UTC
Hey team, do you need more logs or anything else? The issue is with the block on the util-linux upgrade, and it's affecting other Rawhide plans like the migration to lastlog2.

Comment 5 Zdenek Pytela 2025-05-29 17:26:51 UTC
No more logs, rather more insights and background.
Reading files with iso9660_t directly just does not feel right.