Description of problem:
Happened while running `rpm-ostree override replace https://koji.fedoraproject.org/koji/buildinfo?buildID=1745028` to test 5.12 kernel on Silverblue. It didn't seem to directly affect the transaction.

SELinux is preventing dracut from using the nnp_transition, nosuid_transition access on a process.

```
*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that dracut should be allowed nnp_transition nosuid_transition access on processes labeled setfiles_mac_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dracut' --raw | audit2allow -M my-dracut
# semodule -X 300 -i my-dracut.pp

Additional Information:
Source Context                system_u:system_r:install_t:s0
Target Context                system_u:system_r:setfiles_mac_t:s0
Target Objects                Unknown [ process2 ]
Source                        dracut
Source Path                   dracut
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.5-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.5-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.18-300.fc34.x86_64 #1 SMP Mon May 3
                              15:10:32 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-05-09 20:18:10 EDT
Last Seen                     2021-05-09 20:18:10 EDT
Local ID                      da4171a4-f3a9-42a0-91e4-d1330cea994b

Raw Audit Messages
type=AVC msg=audit(1620605890.404:644): avc: denied { nnp_transition nosuid_transition } for pid=26740 comm="dracut" scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=0

Hash: dracut,install_t,setfiles_mac_t,process2,nnp_transition,nosuid_transition
```

Version-Release number of selected component:
selinux-policy-targeted-34.5-1.fc34.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.14.0
hashmarkername: setroubleshoot
kernel: 5.11.18-300.fc34.x86_64
type: libreport
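The raw AVC line in the report above carries everything needed to triage the denial without setroubleshoot: the denied permissions, the source and target contexts (whose third field is the SELinux type), the object class and whether the denial was enforced. The following parser is an added example, not code from the bug report or from the selinux-policy project. It takes raw `ausearch --raw`-style records, skips non-AVC lines, and reproduces both the `Hash:` line setroubleshoot prints and the allow rule `audit2allow` would emit for the same record; the second sample line and the `name="example.conf"` values in it are constructed for illustration, and the `triage` helper and all field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: line 1 is the raw AVC message quoted in the report
# above; line 2 is a hypothetical, constructed denial of a different object
# class (file) logged in permissive mode; line 3 is a non-AVC record that a
# parser must skip.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1620605890.404:644): avc: denied { nnp_transition nosuid_transition } '
    'for pid=26740 comm="dracut" scontext=system_u:system_r:install_t:s0 '
    'tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=0',
    'type=AVC msg=audit(1620605891.120:645): avc:  denied  { read } for  pid=26741 '
    'comm="restorecon" name="example.conf" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:install_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=1',
    'type=SYSCALL msg=audit(1620605890.404:644): arch=c000003e syscall=59 success=no exit=-13',
]

# The kernel prints "avc:  denied  { perm perm } for  key=value ..."; whitespace
# runs vary between the raw log and copies pasted into bug trackers, so match \s+.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    result: str            # "denied" or "granted"
    perms: tuple           # permissions, in the order the kernel printed them
    pid: Optional[int]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool       # True when the denial was only logged, not enforced


def selinux_type(context: str) -> str:
    """Return the type component of user:role:type[:level]. The level itself
    may contain ':' (MLS ranges such as s0-s0:c0.c1023), so split at most
    three times."""
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a SELinux context: {context!r}')
    return parts[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one raw audit record; return None for records that are not AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group('rest'))}
    return AvcRecord(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=tuple(m.group('perms').split()),
        pid=int(fields['pid']) if 'pid' in fields else None,
        comm=fields.get('comm', ''),
        scontext=fields['scontext'],
        tcontext=fields['tcontext'],
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


def setroubleshoot_hash(rec: AvcRecord) -> str:
    """Reproduce the 'Hash:' line setroubleshoot prints for an alert:
    comm, source type, target type, class, then the denied permissions."""
    return ','.join([rec.comm, selinux_type(rec.scontext),
                     selinux_type(rec.tcontext), rec.tclass, *rec.perms])


def to_allow_rule(rec: AvcRecord) -> str:
    """Render the TE allow rule covering this denial in the form audit2allow
    emits (braces only when more than one permission is involved)."""
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f'allow {selinux_type(rec.scontext)} {selinux_type(rec.tcontext)}:{rec.tclass} {perms};'


def is_nnp_nosuid_transition(rec: AvcRecord) -> bool:
    """True for the process2 case in the report: a domain transition attempted
    by a process running with no_new_privs or from a nosuid mount, which the
    policy must permit explicitly via nnp_transition / nosuid_transition."""
    return rec.tclass == 'process2' and bool(
        set(rec.perms) & {'nnp_transition', 'nosuid_transition'})


def triage(lines):
    """Parse a batch of audit lines into one summary dict per AVC record,
    skipping anything that is not an AVC message."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append({
            'serial': rec.serial,
            'hash': setroubleshoot_hash(rec),
            'rule': to_allow_rule(rec),
            'enforced': rec.result == 'denied' and not rec.permissive,
            'nnp_nosuid': is_nnp_nosuid_transition(rec),
        })
    return out


if __name__ == '__main__':
    for entry in triage(SAMPLE_AUDIT_LINES):
        print(entry)
```

Running it on the report's line yields the same hash setroubleshoot printed (`dracut,install_t,setfiles_mac_t,process2,nnp_transition,nosuid_transition`) and the rule `allow install_t setfiles_mac_t:process2 { nnp_transition nosuid_transition };`, with `enforced` set because `permissive=0`; comparing that hash across hosts is a quick way to tell whether several reports are the same denial before deciding between a local module and a policy bug report, as the alert text suggests.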
(In reply to Andrew Thurman from comment #0)
> Description of problem:
> Happened while running `rpm-ostree override replace
> https://koji.fedoraproject.org/koji/buildinfo?buildID=1745028` to test 5.12
> kernel on Silverblue.
> It didn't seem to directly affect the transaction.
> SELinux is preventing dracut from using the nnp_transition,
> nosuid_transition access on a process.

Was the command executed from a command line?

Are you aware of some changes which could lead to triggering issues like this? For instance, enabling the nonewprivs item in limits.conf?

Does a similar AVC appear when you run the same command for a different package?

I suppose execution of restorecon or fixfiles will be necessary in some cases.
```
[andythurman@rockhopper ~]$ sudo ostree admin config-diff
M    adjtime
M    group
M    passwd
M    gshadow
M    shadow
M    machine-id
M    subgid
M    subuid
M    cups/printers.conf
M    cups/subscriptions.conf
M    udev/hwdb.bin
D    containers/storage.conf
A    NetworkManager/system-connections/enp3s0.nmconnection
A    NetworkManager/system-connections/my_expressvpn_switzerland_-_2_udp.nmconnection
A    NetworkManager/system-connections/my_expressvpn_usa_-_new_york_udp.nmconnection
A    X11/xorg.conf.d/00-keyboard.conf
A    bash_completion.d/tracer
A    chromium/policies/managed/00_gssapi.json
A    cni/net.d/cni.lock
A    cni/net.d/gitea-postgres_default.conflist
A    cni/net.d/traefik-golang_default.conflist
A    cni/net.d/nextcloud-redis-mariadb_redisnet.conflist
A    cni/net.d/nextcloud-redis-mariadb_dbnet.conflist
A    cni/net.d/nextcloudtest_default.conflist
A    cni/net.d/nextcloud_default.conflist
A    cni/net.d/wordpress-mysql_default.conflist
A    cni/net.d/velorendocker_default.conflist
A    cups/printers.conf.O
A    cups/subscriptions.conf.O
A    dbus-1/system.d/org.freedesktop.PackageKit.conf
A    dbus-1/system.d/teamd.conf
A    default/grub
A    dnf/plugins/copr.d
A    dnf/plugins/copr.conf
A    dnf/plugins/debuginfo-install.conf
A    issue.d/cockpit.issue
A    lvm/archive/fedora_fedora_00023-383629534.vg
A    lvm/archive/fedora_fedora_00024-1621666727.vg
A    lvm/archive/fedora_fedora_00025-526712641.vg
A    lvm/archive/fedora_fedora_00026-167264674.vg
A    lvm/archive/fedora_fedora_00027-834245101.vg
A    lvm/archive/fedora_fedora_00028-1269254440.vg
A    lvm/archive/fedora_fedora_00029-682989392.vg
A    lvm/archive/fedora_fedora_00030-1739699805.vg
A    lvm/archive/fedora_fedora_00031-1421313462.vg
A    lvm/archive/fedora_fedora_00032-578450004.vg
A    lvm/archive/fedora_fedora_00033-1615811680.vg
A    lvm/archive/fedora_fedora_00034-1853388030.vg
A    lvm/archive/fedora_fedora_00035-2138591304.vg
A    lvm/archive/fedora_fedora_00036-309567331.vg
A    lvm/archive/fedora_fedora_00037-1024230910.vg
A    lvm/archive/fedora_fedora_00038-1001854372.vg
A    lvm/backup/fedora_fedora
A    motd.d/cockpit
A    openvpn/pia-ca.rsa.4096.crt
A    opt/chrome/policies/managed/00_gssapi.json
A    opt/chrome/managed
A    pam.d/cockpit
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-34
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-35
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-36
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-latest
A    pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-rawhide
A    pulse/daemon.conf
A    pulse/default.pa
A    selinux/targeted/semanage.trans.LOCK
A    selinux/targeted/semanage.read.LOCK
A    selinux/final
A    sysconfig/anaconda
A    sysconfig/network
A    systemd/system/sockets.target.wants/multipathd.socket
A    systemd/system/sockets.target.wants/podman.socket
A    systemd/system/sysinit.target.wants/multipathd.service
A    systemd/system/default.target
A    systemd/system/packagekit.service
A    systemd/system.control
A    systemd/system.control/user.slice.d
A    systemd/system.control/user.slice.d/50-MemoryMin.conf
A    systemd/system.control/user.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-979.slice.d
A    systemd/system.control/user-979.slice.d/50-MemoryMin.conf
A    systemd/system.control/user-979.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-979.slice.d/50-CPUWeight.conf
A    systemd/system.control/user-979.slice.d/50-IOWeight.conf
A    systemd/system.control/user.d
A    systemd/system.control/user.d/50-MemoryMin.conf
A    systemd/system.control/user.d/50-MemoryLow.conf
A    systemd/system.control/user.d/50-CPUWeight.conf
A    systemd/system.control/user.d/50-IOWeight.conf
A    systemd/system.control/user-1000.slice.d
A    systemd/system.control/user-1000.slice.d/50-MemoryMin.conf
A    systemd/system.control/user-1000.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-1000.slice.d/50-CPUWeight.conf
A    systemd/system.control/user-1000.slice.d/50-IOWeight.conf
A    systemd/system.control/user.d
A    systemd/system.control/user.d/50-MemoryMin.conf
A    systemd/system.control/user.d/50-MemoryLow.conf
A    systemd/system.control/user.d/50-CPUWeight.conf
A    systemd/system.control/user.d/50-IOWeight.conf
A    systemd/system.control/user-42.slice.d
A    systemd/system.control/user-42.slice.d/50-MemoryMin.conf
A    systemd/system.control/user-42.slice.d/50-MemoryLow.conf
A    systemd/system.control/user-42.slice.d/50-CPUWeight.conf
A    systemd/system.control/user-42.slice.d/50-IOWeight.conf
A    systemd/system.control/user.d
A    systemd/system.control/user.d/50-MemoryMin.conf
A    systemd/system.control/user.d/50-MemoryLow.conf
A    systemd/system.control/user.d/50-CPUWeight.conf
A    systemd/system.control/user.d/50-IOWeight.conf
A    yum.repos.d/rpmfusion-nonfree-updates-testing.repo
A    yum.repos.d/rpmfusion-nonfree-updates.repo
A    yum.repos.d/rpmfusion-nonfree.repo
A    cockpit
A    cockpit/ws-certs.d
A    cockpit/ws-certs.d/0-self-signed-ca.pem
A    cockpit/ws-certs.d/0-self-signed.cert
A    cockpit/ws-certs.d/0-self-signed.key
A    libvirt
A    libvirt/qemu
A    libvirt/qemu/networks
A    libvirt/qemu/networks/default.xml
A    libvirt/secrets
A    libvirt/storage
A    libvirt/storage/autostart
A    libvirt/storage/autostart/default.xml
A    libvirt/storage/autostart/Downloads.xml
A    libvirt/storage/default.xml
A    libvirt/storage/Downloads.xml
A    crypttab
A    localtime
A    locale.conf
A    vconsole.conf
A    .pwd.lock
A    passwd-
A    shadow-
A    subuid-
A    subgid-
A    machine-info
A    hostname
A    group-
A    gshadow-
A    fstab
A    resolv.conf
A    PackageKit
A    PackageKit/PackageKit.conf
A    PackageKit/Vendor.conf
A    multipath
A    .updated
```

I essentially have no changes to the policy. It sometimes happens on other commands, however I have not gotten the exact reproducibility down. Overriding packages seems to be the most reproducible way.
FEDORA-2021-558e78822f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-558e78822f
FEDORA-2021-558e78822f has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-558e78822f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-558e78822f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-558e78822f has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.