Description of problem:
/efi is intended to be identical in purpose to /boot/efi, where the EFI System partition is to be mounted. The difference is systemd supports dynamic mount and unmount at /efi, which is not supported at /boot/efi. The problem is there's no label on /efi and I get an avc:

[ 3.971099] f28h.local systemd-gpt-auto-generator[476]: /efi already populated, ignoring.
[ 4.102022] f28h.local audit[476]: AVC avc: denied { read } for pid=476 comm="systemd-gpt-aut" name="efi" dev="nvme0n1p9" ino=3999777 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
systemd-238-7.fc28.1.x86_64
selinux-policy-3.14.1-21.fc28.noarch

How reproducible:
Always

Steps to Reproduce:
1. sudo mkdir /efi
2. Edit /etc/fstab to comment out /boot/efi
3. Reboot

Actual results:
Errors with the mounting of the ESP by systemd to /efi

Expected results:
It should be able to be mounted and unmounted dynamically by systemd.

Additional info:
If /boot/efi is not a mount point (there's nothing mounted), its label is system_u:object_r:autofs_t:s0
If /boot/efi has an ESP currently mounted, its label is system_u:object_r:dosfs_t:s0

I'm not sure what label /efi would need or if a transition is needed to support this dynamic mount and unmount.

Thread about this at:
https://lists.freedesktop.org/archives/systemd-devel/2018-April/040656.html

The discoverable partition spec prefers /efi first and then /boot as the fallback.
https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/
Created attachment 1426828: journal.log (journalctl with systemd debug enabled)
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
selinux-policy-3.14.4-14.fc31.noarch
systemd-242-3.git7a6d834.fc31.x86_64

[ 7.017335] frawvm.local systemd-gpt-auto-generator[635]: Cannot check if "/efi" is empty: Permission denied
[ 13.380763] frawvm.local audit[635]: AVC avc: denied { read } for pid=635 comm="systemd-gpt-aut" name="efi" dev="dm-0" ino=1878 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
commit 62e78cf9f07ef77f1c9d7ce8633dd433310c59d6 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed May 15 15:42:11 2019 +0200

    Label /efi same as /boot/efi boot_t
    BZ(1571962)
Chris,

When you create /efi, you need to run restorecon to fix the label.

# restorecon -Rv /efi
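The two AVC lines in this report and the restorecon fix above illustrate a general triage rule: a target context of default_t means the path never had a file-context rule applied, so the remedy is a relabel; any other target type means the policy lacks an allow rule. The following shell snippet is an added example, not part of the bug report or of the systemd or selinux-policy projects. It parses an AVC denial line into its fields and prints which of the two fixes applies. The sample line is the denial quoted in the report's description; the function names (avc_field, avc_perms, ctx_type, suggest_fix) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: parse an SELinux AVC denial line and
# map the target type to a remediation hint (relabel vs. missing policy rule).

# Sample denial, copied from the journal output quoted in the report.
SAMPLE_AVC='[ 4.102022] f28h.local audit[476]: AVC avc: denied { read } for pid=476 comm="systemd-gpt-aut" name="efi" dev="nvme0n1p9" ino=3999777 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: print the value of a key=value token, with surrounding
# quotes stripped; prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE: default_t on the target means no fcontext rule was applied
# (the report's case: a freshly created /efi), so the fix is restorecon once
# the policy labels the path. Any other target type means the source domain is
# missing an allow rule, which is a policy change rather than a relabel.
suggest_fix() {
    _name=$(avc_field "$1" name)
    _tclass=$(avc_field "$1" tclass)
    _stype=$(ctx_type "$(avc_field "$1" scontext)")
    _ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$_ttype" = "default_t" ]; then
        printf 'relabel: %s %s is unlabeled (default_t); run restorecon -Rv on it\n' \
            "$_tclass" "$_name"
    else
        printf 'policy: %s lacks { %s } on %s %s labeled %s\n' \
            "$_stype" "$(avc_perms "$1")" "$_tclass" "$_name" "$_ttype"
    fi
}

# Stand-alone run: summarize the sample denial and print the hint.
printf 'source=%s target=%s perms=%s\n' \
    "$(avc_field "$SAMPLE_AVC" scontext)" \
    "$(avc_field "$SAMPLE_AVC" tcontext)" \
    "$(avc_perms "$SAMPLE_AVC")"
suggest_fix "$SAMPLE_AVC"
```

On a real system the same line would come from `journalctl -k` or `ausearch -m avc`; feeding each line to suggest_fix separates labeling problems (fixed by restorecon after the policy update in the commit above) from genuine policy gaps.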
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.