+++ This bug was initially created as a clone of Bug #1645631 +++

Description of problem:

Have this in log on every boot:

    audit[853]: AVC avc: denied { search } for pid=853 comm="systemd-logind" name="boot" dev="sda2" ino=256 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
    systemd-logind[853]: Failed to check file system type of "/boot/efi": Permission denied

    $ sudo audit2allow -b
    #============= systemd_logind_t ==============
    allow systemd_logind_t unlabeled_t:dir search;

Fedora Silverblue 31.

Hi,

Did you take any particular steps to get into this state? Was the initial installation completed without errors reported? Did you change any settings after installation regarding EFI or SELinux?

The directory seems to have an incorrect label or no label. Is there a filesystem mounted? Please run the following commands:

    ls -Zla /boot/efi
    getfattr -dm - /boot/efi/
    grep /boot /proc/mounts

and include any other possibly related information.

Hello, thanks for the reply.

I'm not aware whether the error was reported right after the initial install, but after that, I just moved my /boot partition to a BTRFS subvolume. Here are my corresponding fstab entries:

    UUID=8e77b8ea-1c44-44a1-8829-8353a17536ed /boot btrfs subvol=boot 1 2
    UUID=7189-9B76 /boot/efi vfat defaults,uid=0,gid=0,shortname=winnt 0 2 #umask=077

    [bam@localhost ~]$ ls -Zla /boot/efi
    total 211292
    drwxr-xr-x. 6 root root system_u:object_r:dosfs_t:s0 4096 Jan 1 1970 .
    drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 378 Apr 14 00:38 ..
    drwxr-xr-x. 3 root root system_u:object_r:dosfs_t:s0 4096 Mar 23 18:27 b55dcfd2dabe4fa480e5a25d9fad5577
    drwxr-xr-x. 7 root root system_u:object_r:dosfs_t:s0 4096 Mar 13 22:22 EFI
    drwxr-xr-x. 6 root root system_u:object_r:dosfs_t:s0 4096 Mar 12 05:47 grub
    -rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0 10126032 Mar 27 2016 KERNEL
    -rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0 1689 Feb 25 23:45 ks.cfg
    drwxr-xr-x. 3 root root system_u:object_r:dosfs_t:s0 4096 Mar 21 20:51 loader
    -rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0 22668 Feb 24 01:13 rpmostreepayload.py
    -rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0 206184448 Mar 27 2016 SYSTEM

    [bam@localhost ~]$ getfattr -dm - /boot/efi/
    getfattr: Removing leading '/' from absolute path names
    # file: boot/efi/
    security.selinux="system_u:object_r:dosfs_t:s0"

    [bam@localhost ~]$ grep /boot /proc/mounts
    /dev/sda2 /boot btrfs rw,seclabel,relatime,ssd,space_cache,subvolid=475,subvol=/boot 0 0
    /dev/sda1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0

Hi Andrey,

As you mentioned, you moved your /boot partition to a BTRFS subvolume; this caused the issue with the label. Can you please relabel the whole filesystem to make sure all labels are properly set?

    # restorecon -Rv /

Closing this ticket as NOTABUG; if you catch some issues in the future, feel free to re-open.

Thanks,
Lukas.

(In reply to Lukas Vrabec from comment #3)
> Can you please relabel whole filesystem to make sure all labels properly
> set?
>
> # restorecon -Rv /
>

Hi Lukas, could I have broken something with this command? It seems I can't run rpm-ostree as a normal user now:

    $ rpm-ostree upgrade --reboot
    error: rpmostreed OS operation Upgrade not allowed for user

    Apr 20 21:27:12 host polkitd[732]: Registered Authentication Agent for unix-process:151907:59329479 (system bus name :1.3820 >
    Apr 20 21:27:12 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
    Apr 20 21:27:12 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="lib" dev="sda2" ino=307 scontex>
    Apr 20 21:27:12 host audit[151913]: AVC avc: denied { execute } for pid=151913 comm="polkitd" name="pkla-check-authorizati>
    Apr 20 21:27:12 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
    Apr 20 21:27:12 host rpm-ostree[1918]: Allowing active client :1.3822 (uid 1001)
    Apr 20 21:27:12 host polkitd[732]: Error evaluating authorization rules
    Apr 20 21:27:12 host rpm-ostree[1918]: client(id:cli dbus:1.3822 unit:gnome-terminal-server.service uid:1001) added; new tota>
    Apr 20 21:27:15 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="lib" dev="sda2" ino=307 scontex>
    Apr 20 21:27:15 host audit[152220]: AVC avc: denied { execute } for pid=152220 comm="polkitd" name="pkla-check-authorizati>
    Apr 20 21:27:15 host polkitd[732]: Error evaluating authorization rules
    Apr 20 21:27:15 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
    Apr 20 21:27:15 host rpm-ostree[1918]: client(id:cli dbus:1.3822 unit:gnome-terminal-server.service uid:1001) vanished; remai>
    Apr 20 21:27:15 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
    Apr 20 21:27:15 host polkitd[732]: Unregistered Authentication Agent for unix-process:151907:59329479 (system bus name :1.382>
    Apr 20 21:27:15 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="lib" dev="sda2" ino=307 scontex>
    Apr 20 21:27:15 host audit[152224]: AVC avc: denied { execute } for pid=152224 comm="polkitd" name="pkla-check-authorizati>
    Apr 20 21:27:15 host audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
    Apr 20 21:27:15 host polkitd[732]: Error evaluating authorization rules

(In reply to Lukas Vrabec from comment #3)
> Can you please relabel whole filesystem to make sure all labels properly
> set?
>
> # restorecon -Rv /
>

Seems I broke my system:

    $ sudo rpm-ostree upgrade --reboot
    ...
    Writing OSTree commit... done
    Staging deployment... done
    error: Child process exited with code 5
    $
    $ journalctl -e
    Apr 20 21:41:01 host rpm-ostree[1918]: Wrote commit: 21666b0902add0bdc0009776584323ccfd378de6be32979d66ac691e15d2568d; New objects: meta:13 content:14 totaling 53.2 MB)
    Apr 20 21:41:01 host audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="local" dev="sda2" ino=359 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
    Apr 20 21:41:01 host systemd[1]: ostree-finalize-staged.service: Failed to open /usr/lib/systemd/system/ostree-finalize-staged.service: Permission denied
    Apr 20 21:41:01 host rpm-ostree[1918]: Failed to start ostree-finalize-staged.service: Unit ostree-finalize-staged.service not found.
    Apr 20 21:41:01 host audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="ostree-finalize-staged.service" dev="sda2" ino=20201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
    Apr 20 21:41:01 host rpm-ostree[1918]: Txn Upgrade on /org/projectatomic/rpmostree1/fedora failed: Child process exited with code 5

Can I somehow restore it now? Please help, it's a disaster if I have to reinstall the whole system!
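
Added example (not part of any comment in this report, and not code from selinux-policy or audit2allow): the complete AVC records quoted in this thread all have a target type of unlabeled_t or default_t, which indicates a missing or wrong file label rather than a missing allow rule. The sketch below separates the two cases; the function names are hypothetical, sample lines 1-3 are taken from the comments above with timestamps dropped, and line 4 is constructed for contrast.

```python
import re
from collections import defaultdict

# unlabeled_t: object has no valid label; default_t: path matched no
# file-context rule. Both mean "fix the label", not "add an allow rule".
LABELING_TYPES = {"unlabeled_t", "default_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines 1-3 come from the comments above; line 4 is constructed.
SAMPLE = [
    'audit[853]: AVC avc: denied { search } for pid=853 comm="systemd-logind" '
    'name="boot" dev="sda2" ino=256 scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0',
    'audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="local" '
    'dev="sda2" ino=359 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0',
    'audit[732]: AVC avc: denied { read } for pid=732 comm="polkitd" '
    'name="lib" dev="sda2" ino=307 scontex>',  # truncated by the pager
    'audit[900]: AVC avc: denied { read } for pid=900 comm="httpd" '
    'name="index.html" dev="sda2" ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

def parse_avc(line):
    """Parse one AVC denial; None if not a denial or cut before tcontext."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    ctx = rec.get("tcontext", "").split(":")
    if len(ctx) < 3:          # user:role:type[:level] expected
        return None
    rec["perms"] = m.group(1).split()
    rec["ttype"] = ctx[2]
    return rec

def triage(lines):
    """Bucket denials: 'relabel' (bad target label) vs 'policy'."""
    out = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        bucket = "relabel" if rec["ttype"] in LABELING_TYPES else "policy"
        out[bucket].append((rec.get("comm"), rec["ttype"],
                            rec.get("tclass"), rec.get("name")))
    return dict(out)

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(bucket, hits)
```

Records truncated by the journal pager (ending in `>`) are skipped because their target context is not recoverable; rerun `journalctl` with `--no-pager` to get the full lines before triaging.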