Created attachment 1811731
journalctl

Description of problem:
Getting an AVC denial and subsequent systemd-gpt-auto-generator failure.

Version-Release number of selected component (if applicable):
systemd-249.2-1.fc35.x86_64
selinux-policy-34.14-2.fc35.noarch

How reproducible:
Transient but often

Steps to Reproduce:
1. Boot
2.
3.

Actual results:
Aug 06 22:51:41 fmac.local audit[3083]: AVC avc: denied { read } for pid=3083 comm="systemd-gpt-aut" name="b8:1" dev="tmpfs" ino=1047 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
Aug 06 22:51:41 fmac.local systemd-gpt-auto-generator[3083]: Failed to dissect: Permission denied
Aug 06 22:51:41 fmac.local systemd[3067]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

Expected results:
It probably should be allowed

Additional info:
Ordinarily this release criterion's "notification" is considered to be a desktop notification.
https://fedoraproject.org/wiki/Fedora_35_Final_Release_Criteria#SELinux_and_crash_notifications

However, I think Fedora CoreOS makes use of the Discoverable Partitions Spec? Or intends to? If so, then this could be argued to be a blocker, since in that case the mechanism of notification is such an AVC denial appearing in the journal. For everything else, as far as I know, we're not using the Discoverable Partitions Spec (yet).
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle. Changing version to 35.
This bz has been fixed in F35.