1934719 – SELinux is preventing pesignd from 'read' accesses on the plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.

Bug 1934719 - SELinux is preventing pesignd from 'read' accesses on the plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.

Summary: SELinux is preventing pesignd from 'read' accesses on the plik /var/lib/mock/...

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	42
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:541853d863189f649942d46a1fa...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-03-03 17:49 UTC by Julian Sikorski
Modified:	2025-02-26 12:51 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Julian Sikorski 2021-03-03 17:49:58 UTC

Description of problem:
I tried to build a self-signed kernel following the following guide:
https://gist.github.com/chenxiaolong/520914b191f17194a0acdc0e03122e63
Running
sudo semanage permissive -a pesign_t
Has allowed me to successfully build a signed kernel.
SELinux is preventing pesignd from 'read' accesses on the plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.

*****  Plugin catchall (100. confidence) suggests   **************************

Aby pesignd powinno mieć domyślnie read dostęp do bzImage file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp

Additional Information:
Source Context                system_u:system_r:pesign_t:s0
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /var/lib/mock/fedora-33-x86_64/root/builddir/build
                              /BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
                              x86_64/arch/x86/boot/bzImage [ file ]
Source                        pesignd
Source Path                   pesignd
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.10.19-200.fc33.x86_64 #1 SMP Fri
                              Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-03-03 17:02:47 CET
Last Seen                     2021-03-03 18:24:35 CET
Local ID                      4146bbe9-6b20-4613-96cb-161bb70fcc54

Raw Audit Messages
type=AVC msg=audit(1614792275.801:2083): avc:  denied  { read } for  pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage" dev="dm-0" ino=5663890 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1


Hash: pesignd,pesign_t,mock_var_lib_t,file,read

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-34.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.19-200.fc33.x86_64
type:           libreport

Comment 1 Julian Sikorski 2021-03-03 17:53:37 UTC

A few other errors have popped up during the build:



SELinux powstrzymuje pesignd przed dostępem write w plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/vmlinuz.tmp.

*****  Wtyczka catchall (100. zaufania) sugeruje   ***************************

Aby pesignd powinno mieć domyślnie write dostęp do vmlinuz.tmp file.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp

Dodatkowe informacje:
Kontekst źródłowy             system_u:system_r:pesign_t:s0
Kontekst docelowy             unconfined_u:object_r:mock_var_lib_t:s0
Obiekty docelowe              /var/lib/mock/fedora-33-x86_64/root/builddir/build
                              /BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
                              x86_64/vmlinuz.tmp [ file ]
Źródło                        pesignd
Ścieżka źródłowa              pesignd
Port                          <Nieznane>
Komputer                      (removed)
Źródłowe pakiety RPM          
Docelowe pakiety RPM          
Pakiet RPM polityki SELinuksa selinux-policy-targeted-3.14.6-34.fc33.noarch
Lokalny pakiet RPM polityki   selinux-policy-targeted-3.14.6-34.fc33.noarch
SELinux jest włączony         True
Typ polityki                  targeted
Tryb wymuszania               Enforcing
Nazwa komputera               (removed)
Platforma                     Linux napoleon2 5.10.19-200.fc33.x86_64 #1 SMP Fri
                              Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Liczba alarmów                3
Po raz pierwszy               2021-03-03 17:37:36 CET
Po raz ostatni                2021-03-03 18:24:35 CET
Lokalny identyfikator         a004caa9-33b9-4ed1-95ae-c58c7d4367f2

Surowe komunikaty audytu
type=AVC msg=audit(1614792275.801:2084): avc:  denied  { write } for  pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/vmlinuz.tmp" dev="dm-0" ino=5128851 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1


Hash: pesignd,pesign_t,mock_var_lib_t,file,write



SELinux powstrzymuje pesignd przed dostępem getattr w plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.

*****  Wtyczka catchall (100. zaufania) sugeruje   ***************************

Aby pesignd powinno mieć domyślnie getattr dostęp do bzImage file.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp

Dodatkowe informacje:
Kontekst źródłowy             system_u:system_r:pesign_t:s0
Kontekst docelowy             unconfined_u:object_r:mock_var_lib_t:s0
Obiekty docelowe              /var/lib/mock/fedora-33-x86_64/root/builddir/build
                              /BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
                              x86_64/arch/x86/boot/bzImage [ file ]
Źródło                        pesignd
Ścieżka źródłowa              pesignd
Port                          <Nieznane>
Komputer                      napoleon2
Źródłowe pakiety RPM          
Docelowe pakiety RPM          
Pakiet RPM polityki SELinuksa selinux-policy-targeted-3.14.6-34.fc33.noarch
Lokalny pakiet RPM polityki   selinux-policy-targeted-3.14.6-34.fc33.noarch
SELinux jest włączony         True
Typ polityki                  targeted
Tryb wymuszania               Enforcing
Nazwa komputera               napoleon2
Platforma                     Linux napoleon2 5.10.19-200.fc33.x86_64 #1 SMP Fri
                              Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Liczba alarmów                1
Po raz pierwszy               2021-03-03 18:24:35 CET
Po raz ostatni                2021-03-03 18:24:35 CET
Lokalny identyfikator         1574dfce-2148-4255-b287-d5de8bac40fe

Surowe komunikaty audytu
type=AVC msg=audit(1614792275.801:2085): avc:  denied  { getattr } for  pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage" dev="dm-0" ino=5663890 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1


Hash: pesignd,pesign_t,mock_var_lib_t,file,getattr



SELinux powstrzymuje pesignd przed dostępem map w plik /var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage.

*****  Wtyczka catchall_boolean (89.3 zaufania) sugeruje   *******************

Aby allow domain to can mmap files
Wtedy należy powiadomić o tym SELinuksa włączając zmienną logiczną „domain_can_mmap_files”.

Wykonać
setsebool -P domain_can_mmap_files 1

*****  Wtyczka catchall (11.6 zaufania) sugeruje   ***************************

Aby pesignd powinno mieć domyślnie map dostęp do bzImage file.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'pesignd' --raw | audit2allow -M my-pesignd
# semodule -X 300 -i my-pesignd.pp

Dodatkowe informacje:
Kontekst źródłowy             system_u:system_r:pesign_t:s0
Kontekst docelowy             unconfined_u:object_r:mock_var_lib_t:s0
Obiekty docelowe              /var/lib/mock/fedora-33-x86_64/root/builddir/build
                              /BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.
                              x86_64/arch/x86/boot/bzImage [ file ]
Źródło                        pesignd
Ścieżka źródłowa              pesignd
Port                          <Nieznane>
Komputer                      napoleon2
Źródłowe pakiety RPM          
Docelowe pakiety RPM          
Pakiet RPM polityki SELinuksa selinux-policy-targeted-3.14.6-34.fc33.noarch
Lokalny pakiet RPM polityki   selinux-policy-targeted-3.14.6-34.fc33.noarch
SELinux jest włączony         True
Typ polityki                  targeted
Tryb wymuszania               Enforcing
Nazwa komputera               napoleon2
Platforma                     Linux napoleon2 5.10.19-200.fc33.x86_64 #1 SMP Fri
                              Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Liczba alarmów                1
Po raz pierwszy               2021-03-03 18:24:35 CET
Po raz ostatni                2021-03-03 18:24:35 CET
Lokalny identyfikator         0534beb9-57e7-41bb-ae65-7129ae3b8505

Surowe komunikaty audytu
type=AVC msg=audit(1614792275.801:2086): avc:  denied  { map } for  pid=1457161 comm="pesignd" path="/var/lib/mock/fedora-33-x86_64/root/builddir/build/BUILD/kernel-5.11.2/linux-5.11.2-200.s0ix04.fc33.x86_64/arch/x86/boot/bzImage" dev="dm-0" ino=5663890 scontext=system_u:system_r:pesign_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=1


Hash: pesignd,pesign_t,mock_var_lib_t,file,map

Comment 2 Ben Cotton 2021-11-04 14:59:50 UTC

This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Ben Cotton 2021-11-04 15:58:28 UTC

This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Ben Cotton 2022-11-29 16:53:11 UTC

This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 5 Ben Cotton 2023-02-07 14:51:48 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 6 Aoife Moloney 2024-05-07 15:43:12 UTC

This message is a reminder that Fedora Linux 38 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '38'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 38 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 7 Aoife Moloney 2025-02-26 12:51:08 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.

Note You need to log in before you can comment on or make changes to this bug.