Bug 1823201 - systemd-logind: Failed to check file system type of "/boot/efi": Permission denied
Summary: systemd-logind: Failed to check file system type of "/boot/efi": Permission d...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b0c3442939d7d1ba9c115049622...
Depends On: 1812955
Blocks:
Reported: 2020-04-12 16:07 UTC by Andrey
Modified: 2020-04-20 19:10 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1645631
Environment:
Last Closed: 2020-04-20 14:13:01 UTC
Type: ---



Description Andrey 2020-04-12 16:07:35 UTC
+++ This bug was initially created as a clone of Bug #1645631 +++

Description of problem:
Have this in log on every boot:

audit[853]: AVC avc:  denied  { search } for  pid=853 comm="systemd-logind" name="boot" dev="sda2" ino=256 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
systemd-logind[853]: Failed to check file system type of "/boot/efi": Permission denied

$ sudo audit2allow -b
#============= systemd_logind_t ==============
allow systemd_logind_t unlabeled_t:dir search;


Fedora Silverblue 31.
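
The audit2allow suggestion above is the wrong fix for this denial: the target type is unlabeled_t, which means the directory carries no SELinux label at all, and an allow rule against unlabeled_t would let systemd_logind_t reach any mislabelled object on the system, not just /boot. The following example is added here and is not code from the bug report or from selinux-policy; it parses AVC lines in the format shown in this thread and separates label problems (targets of type unlabeled_t or default_t, where the fix is restorecon) from genuine policy gaps (where an allow rule is at least worth reviewing). The first AVC lines in the sample are the ones quoted in this report; the example_daemon_t / var_lib_t line is constructed, and both of those type names are hypothetical.

```python
"""Triage SELinux AVC denials: label problem vs. genuine policy gap.

Added example, not code from the bug report or from selinux-policy.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Object types that signal a labelling problem rather than a policy decision:
#   unlabeled_t - the object carries no SELinux label at all (typical for a
#                 filesystem or subvolume created/moved without relabelling,
#                 as with the /boot subvolume in this report)
#   default_t   - only the catch-all file_contexts entry matched the path
LABEL_PROBLEM_TYPES = frozenset({"unlabeled_t", "default_t"})

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    permissive: bool

    def is_label_problem(self) -> bool:
        return self.target_type in LABEL_PROBLEM_TYPES

    def allow_rule(self) -> str:
        """The rule audit2allow would emit for this denial (for comparison only)."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"

    def recommendation(self) -> str:
        if self.is_label_problem():
            # Granting access to unlabeled_t/default_t would let the domain reach
            # anything that is mislabelled, so fix the label, not the policy.
            return (f"label problem ({self.target_type}): relabel {self.name!r} with "
                    f"restorecon; do NOT add '{self.allow_rule()}'")
        return f"policy gap: review '{self.allow_rule()}' before allowing it"


def _ctx_type(ctx: str) -> str:
    """Type field of an SELinux context user:role:type[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_line(line: str) -> Optional[Denial]:
    """Parse one journal/audit line; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return Denial(
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            name=fields.get("name", "?"),
            source_type=_ctx_type(fields["scontext"]),
            target_type=_ctx_type(fields["tcontext"]),
            tclass=fields["tclass"],
            permissive=fields.get("permissive") == "1",
        )
    except KeyError:  # malformed or truncated line
        return None


def parse_log(text: str) -> list:
    return [d for d in (parse_avc_line(l) for l in text.splitlines()) if d is not None]


def triage(text: str) -> list:
    """One human-readable verdict per denial found in the log text."""
    return [f"{d.comm}: {' '.join(d.perms)} on {d.tclass} {d.name!r} "
            f"[{d.source_type} -> {d.target_type}] -> {d.recommendation()}"
            for d in parse_log(text)]


# Sample input. The AVC lines for systemd-logind and systemd are the ones quoted
# in this report; the example_daemon line is constructed (hypothetical
# example_daemon_t / var_lib_t) to show a denial against a properly labelled
# object. The plain systemd-logind message is not an AVC and must be ignored.
SAMPLE_LOG = """\
audit[853]: AVC avc:  denied  { search } for  pid=853 comm="systemd-logind" name="boot" dev="sda2" ino=256 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
systemd-logind[853]: Failed to check file system type of "/boot/efi": Permission denied
Apr 20 21:41:01 host audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="local" dev="sda2" ino=359 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
Apr 20 21:41:01 host audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="ostree-finalize-staged.service" dev="sda2" ino=20201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
Apr 20 21:41:02 host audit[900]: AVC avc:  denied  { read write } for  pid=900 comm="example_daemon" name="state.db" dev="sda2" ino=4242 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict)
```

Feed it the output of `journalctl -b | grep 'avc:'`. For a label-problem verdict, `restorecon -nv` on the affected path previews which labels would change without touching anything; as Comment 5 below shows, relabelling the whole filesystem on this OSTree host had side effects, so start with the mount point the denial names rather than /.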

Comment 1 Zdenek Pytela 2020-04-14 16:08:52 UTC
Hi,

Did you take any particular steps to get into this state? Was the initial installation completed without errors? Did you change any settings after installation regarding EFI or SELinux? The directory seems to have an incorrect label or no label at all. Is there a filesystem mounted there? Please run the following commands:

ls -Zla /boot/efi
getfattr -dm - /boot/efi/
grep /boot /proc/mounts

and include any other possibly related information.

Comment 2 Andrey 2020-04-14 16:33:43 UTC
Hello, thanks for the reply,
I'm not aware whether the error was reported right after the initial install, but after that I moved my /boot partition to a BTRFS subvolume.

Here are my corresponding fstab entries:
UUID=8e77b8ea-1c44-44a1-8829-8353a17536ed /boot                   btrfs   subvol=boot	1 2
UUID=7189-9B76				  /boot/efi               vfat    defaults,uid=0,gid=0,shortname=winnt 0 2 #umask=077

[bam@localhost ~]$ ls -Zla /boot/efi
total 211292
drwxr-xr-x. 6 root root system_u:object_r:dosfs_t:s0          4096 Jan  1  1970 .
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0       378 Apr 14 00:38 ..
drwxr-xr-x. 3 root root system_u:object_r:dosfs_t:s0          4096 Mar 23 18:27 b55dcfd2dabe4fa480e5a25d9fad5577
drwxr-xr-x. 7 root root system_u:object_r:dosfs_t:s0          4096 Mar 13 22:22 EFI
drwxr-xr-x. 6 root root system_u:object_r:dosfs_t:s0          4096 Mar 12 05:47 grub
-rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0      10126032 Mar 27  2016 KERNEL
-rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0          1689 Feb 25 23:45 ks.cfg
drwxr-xr-x. 3 root root system_u:object_r:dosfs_t:s0          4096 Mar 21 20:51 loader
-rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0         22668 Feb 24 01:13 rpmostreepayload.py
-rwxr-xr-x. 1 root root system_u:object_r:dosfs_t:s0     206184448 Mar 27  2016 SYSTEM

[bam@localhost ~]$ getfattr -dm - /boot/efi/
getfattr: Removing leading '/' from absolute path names
# file: boot/efi/
security.selinux="system_u:object_r:dosfs_t:s0"

[bam@localhost ~]$ grep /boot /proc/mounts
/dev/sda2 /boot btrfs rw,seclabel,relatime,ssd,space_cache,subvolid=475,subvol=/boot 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0

Comment 3 Lukas Vrabec 2020-04-20 14:13:01 UTC
Hi Andrey, 

As you mentioned, you moved your /boot partition to a BTRFS subvolume; this caused the issue with the labels.

Can you please relabel the whole filesystem to make sure all labels are properly set?

# restorecon -Rv /

Closing this ticket as NOTABUG; if you catch any issues in the future, feel free to reopen.

Thanks,
Lukas.

Comment 4 Andrey 2020-04-20 18:29:05 UTC
(In reply to Lukas Vrabec from comment #3)
> Can you please relabel the whole filesystem to make sure all labels are
> properly set?
> 
> # restorecon -Rv /
> 

Hi Lukas,
could I have broken something with this command?
It seems I can't run rpm-ostree as a normal user now:

$ rpm-ostree upgrade --reboot 
error: rpmostreed OS operation Upgrade not allowed for user


Apr 20 21:27:12 host polkitd[732]: Registered Authentication Agent for unix-process:151907:59329479 (system bus name :1.3820 >
Apr 20 21:27:12 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
Apr 20 21:27:12 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="lib" dev="sda2" ino=307 scontex>
Apr 20 21:27:12 host audit[151913]: AVC avc:  denied  { execute } for  pid=151913 comm="polkitd" name="pkla-check-authorizati>
Apr 20 21:27:12 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
Apr 20 21:27:12 host rpm-ostree[1918]: Allowing active client :1.3822 (uid 1001)
Apr 20 21:27:12 host polkitd[732]: Error evaluating authorization rules
Apr 20 21:27:12 host rpm-ostree[1918]: client(id:cli dbus:1.3822 unit:gnome-terminal-server.service uid:1001) added; new tota>
Apr 20 21:27:15 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="lib" dev="sda2" ino=307 scontex>
Apr 20 21:27:15 host audit[152220]: AVC avc:  denied  { execute } for  pid=152220 comm="polkitd" name="pkla-check-authorizati>
Apr 20 21:27:15 host polkitd[732]: Error evaluating authorization rules
Apr 20 21:27:15 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
Apr 20 21:27:15 host rpm-ostree[1918]: client(id:cli dbus:1.3822 unit:gnome-terminal-server.service uid:1001) vanished; remai>
Apr 20 21:27:15 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
Apr 20 21:27:15 host polkitd[732]: Unregistered Authentication Agent for unix-process:151907:59329479 (system bus name :1.382>
Apr 20 21:27:15 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="lib" dev="sda2" ino=307 scontex>
Apr 20 21:27:15 host audit[152224]: AVC avc:  denied  { execute } for  pid=152224 comm="polkitd" name="pkla-check-authorizati>
Apr 20 21:27:15 host audit[732]: AVC avc:  denied  { read } for  pid=732 comm="polkitd" name="ae3b19437add0c5d97ddcd33359beab>
Apr 20 21:27:15 host polkitd[732]: Error evaluating authorization rules

Comment 5 Andrey 2020-04-20 19:10:53 UTC
(In reply to Lukas Vrabec from comment #3)
> Can you please relabel the whole filesystem to make sure all labels are
> properly set?
> 
> # restorecon -Rv /
> 

It seems I broke my system:
$ sudo rpm-ostree upgrade --reboot 
...
Writing OSTree commit... done
Staging deployment... done
error: Child process exited with code 5
$

$ journalctl -e
Apr 20 21:41:01 host rpm-ostree[1918]: Wrote commit: 21666b0902add0bdc0009776584323ccfd378de6be32979d66ac691e15d2568d; New objects: meta:13 content:14 totaling 53.2 MB)
Apr 20 21:41:01 host audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="local" dev="sda2" ino=359 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0
Apr 20 21:41:01 host systemd[1]: ostree-finalize-staged.service: Failed to open /usr/lib/systemd/system/ostree-finalize-staged.service: Permission denied
Apr 20 21:41:01 host rpm-ostree[1918]: Failed to start ostree-finalize-staged.service: Unit ostree-finalize-staged.service not found.
Apr 20 21:41:01 host audit[1]: AVC avc:  denied  { read } for  pid=1 comm="systemd" name="ostree-finalize-staged.service" dev="sda2" ino=20201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
Apr 20 21:41:01 host rpm-ostree[1918]: Txn Upgrade on /org/projectatomic/rpmostree1/fedora failed: Child process exited with code 5


Can I somehow restore it now?
Please help; it's a disaster if I have to reinstall the whole system!

