Bug 2443825
| Field | Value |
|---|---|
| Summary | Selinux failure for bootupctl |
| Product | Fedora |
| Reporter | Cristian Le <fedora> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | POST --- |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | high |
| Version | rawhide |
| CC | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone | --- |
| Flags | zpytela: mirror+ |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Doc Type | --- |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Created attachment 2131676: avc.txt
Hi, I've prepared a PR, but reading the description again I have a question: Which service executes bootupctl here? It is a confined command, so there rather should be a transition.

```
$ matchpathcon /usr/bin/bootupctl
/usr/bin/bootupctl	system_u:object_r:bootupd_exec_t:s0
```

Afaict it is happening somewhere in our testing codepath of `/tests/provision/bootc`. We don't call `bootupctl` directly but something in `podman (machine|build)` does. Maybe we can provide you a reproducer:

- From tmt repo
- Run the test file `tests/provision/bootc/test.sh`
- Get the avc log (not really sure how this is done)
Started to get these SELinux failures for bootupctl (part of bootc):

```
----
type=AVC msg=audit(02/27/26 15:09:37.739:2040) : avc: denied { nnp_transition nosuid_transition } for pid=13078 comm=bootupctl scontext=system_u:system_r:install_t:s0:c75,c789 tcontext=system_u:system_r:mount_t:s0:c75,c789 tclass=process2 permissive=0
----
type=SELINUX_ERR msg=audit(02/27/26 15:09:37.739:2041) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c75,c789 newcontext=system_u:system_r:mount_t:s0:c75,c789
```

Is it known or tracked?

Reproducible: Always
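The two audit records in the description, parsed as an added example (not part of the bug report or of selinux-policy): it extracts the fields of AVC and SELINUX_ERR lines, picks out process2 denials of nnp_transition/nosuid_transition, and pairs each with the security_bounded_transition error that follows when the kernel's typebounds fallback also fails. The sample input is constructed from the records quoted above; the function names are assumptions of this example.

```python
import re

# Constructed sample: the two audit records quoted in the bug report, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/27/26 15:09:37.739:2040) : avc: denied { nnp_transition nosuid_transition } for pid=13078 comm=bootupctl scontext=system_u:system_r:install_t:s0:c75,c789 tcontext=system_u:system_r:mount_t:s0:c75,c789 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(02/27/26 15:09:37.739:2041) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c75,c789 newcontext=system_u:system_r:mount_t:s0:c75,c789
"""

KV_RE = re.compile(r"(\w+)=(\S+)")        # key=value tokens of an audit record
PERMS_RE = re.compile(r"\{ ([^}]*) \}")   # the "{ perm perm }" set of an AVC record
TRANSITION_PERMS = {"nnp_transition", "nosuid_transition"}


def parse_context(ctx):
    """Split user:role:type:level; the MLS level itself may contain ':' (s0:c75,c789)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_record(line):
    """Turn one AVC or SELINUX_ERR line into a dict; other record types return None."""
    f = dict(KV_RE.findall(line))
    if f.get("type") == "AVC":
        m = PERMS_RE.search(line)
        return {"type": "AVC", "denied": " avc: denied " in line,
                "perms": set(m.group(1).split()) if m else set(),
                "comm": f.get("comm"), "tclass": f.get("tclass"),
                "source": parse_context(f["scontext"]), "target": parse_context(f["tcontext"])}
    if f.get("type") == "SELINUX_ERR":
        return {"type": "SELINUX_ERR", "op": f.get("op"), "denied": f.get("seresult") == "denied",
                "source": parse_context(f["oldcontext"]), "target": parse_context(f["newcontext"])}
    return None


def blocked_transitions(audit_text):
    """List domain transitions refused under no_new_privs or from a nosuid mount.

    Under NNP/nosuid the kernel allows source -> target only if policy grants
    nnp_transition/nosuid_transition on class process2, or target is typebounded
    by source; the SELINUX_ERR op=security_bounded_transition record is that
    fallback check failing, so it is reported next to the matching AVC."""
    records = [r for r in map(parse_record, audit_text.splitlines()) if r]
    out = []
    for r in records:
        if r["type"] != "AVC" or not r["denied"] or r["tclass"] != "process2":
            continue
        wanted = r["perms"] & TRANSITION_PERMS
        if not wanted:
            continue
        bounded_failed = any(e["type"] == "SELINUX_ERR" and e["denied"]
                             and e["op"] == "security_bounded_transition"
                             and e["source"]["type"] == r["source"]["type"]
                             and e["target"]["type"] == r["target"]["type"] for e in records)
        out.append({"comm": r["comm"], "source": r["source"]["type"], "target": r["target"]["type"],
                    "perms": sorted(wanted), "bounded_check_failed": bounded_failed})
    return out
```

For the records above this reports install_t -> mount_t for comm=bootupctl with both permissions missing and the bounded check failed, which is exactly the pattern that needs either an allow rule on process2 or a typebounds relationship in the policy.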