Description of problem: This happens whenever systemd generators are run, i.e. during boot or when running "systemctl daemon-reload". I do not have /boot listed in /etc/fstab and rely on systemd-gpt-auto-generator to find the EFI System Partition and generate the mount and automount units for it. To allow this access (and related ones), audit2allow generated the following module: module my-systemdgptaut 1.0; require { type efivarfs_t; type systemd_gpt_generator_t; class file { getattr open read }; } #============= systemd_gpt_generator_t ============== allow systemd_gpt_generator_t efivarfs_t:file { getattr open read }; SELinux is preventing systemd-gpt-aut from 'open' accesses on the file /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f default label should be sysfs_t. Then you can run restorecon. Do # /sbin/restorecon -v /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that systemd-gpt-aut should be allowed open access on the LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut # semodule -X 300 -i my-systemdgptaut.pp Additional Information: Source Context system_u:system_r:systemd_gpt_generator_t:s0 Target Context system_u:object_r:efivarfs_t:s0 Target Objects /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a6 7b082-0a4c-41cf-b6c7-440b29bb8c4f [ file ] Source systemd-gpt-aut Source Path systemd-gpt-aut Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-225.3.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.8.13-300.fc25.x86_64 #1 SMP Fri Dec 9 14:52:00 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-12-12 16:31:19 CET Last Seen 2016-12-12 16:31:19 CET Local ID 673c88b1-14b9-4f7e-ab92-1fd1acb09806 Raw Audit Messages type=AVC msg=audit(1481556679.91:208): avc: denied { open } for pid=4713 comm="systemd-gpt-aut" path="/sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=12309 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1 Hash: systemd-gpt-aut,systemd_gpt_generator_t,efivarfs_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-225.3.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.13-300.fc25.x86_64 type: libreport
selinux-policy-3.13.1-225.6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.