Description of problem:
While running xfstests for btrfs [1] we hit the following issue:

type=AVC msg=audit(1650757878.704:9121): avc: denied { remount } for pid=448196 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-36.7-1.fc37.noarch

How reproducible:
It seems easily reproducible with test [1]

Steps to Reproduce:
1. Run test [1] for btrfs
2. Check for avc denial

Additional info:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

selinux-policy-36.7-1.fc37.noarch

Full audit:
----
time->Mon Apr 25 04:07:19 2022
type=PROCTITLE msg=audit(1650874039.465:8427): proctitle="(coredump)"
type=PATH msg=audit(1650874039.465:8427): item=0 name="/proc/self/fd/4" inode=256 dev=00:32 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1650874039.465:8427): cwd="/"
type=SYSCALL msg=audit(1650874039.465:8427): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=7ffeea790a00 a2=0 a3=1021 items=1 ppid=1 pid=208737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(coredump)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1650874039.465:8427): avc: denied { remount } for pid=208737 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/filesystems/xfs/xfstests
I believe this is because xfstests mounts a filesystem with -o context=system_u:object_r:swapfile_t:s0 [1], then a process crashes because of [2], at which point the systemd coredump handler tries to remount as part of its business.

`init_t` is already allowed to remount all filesystems of any `filesystem_type` type. However, with a context mount it is possible (for an unconfined process) to create a filesystem with any type from `file_type`, so perhaps we should extend the policy to allow `init_t` to also remount `file_type` filesystems.

[1] https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/common/rc#n2775
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2078147
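For triaging denials like the ones quoted in this report, the following is an added example (not part of the original comments and not the selinux-policy project's code). It parses AVC records, collapses repeats by source type, target type and class, and prints the literal per-type rule an audit2allow-style reading would give. The function names are hypothetical, and the sample input is constructed from the two AVC lines in the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1650757878.704:9121): avc: denied { remount } for pid=448196 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1650874039.465:8427): avc: denied { remount } for pid=208737 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1
"""
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "serial": int(m.group(1)),
        "perms": m.group(2).split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the denial was logged but the access went through.
        "enforced": fields.get("permissive", "0") == "0",
    }

def summarize(log_text):
    """Collapse denials into {(source, target, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return dict(rules)

def as_allow_rules(rules):
    """Render one audit2allow-style rule per (source, target, class) key."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {src} {tgt}:{cls} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return out
```

The rule this yields names only `swapfile_t`, the type the test happened to pick for its context mount; the comment above argues for covering the `file_type` attribute instead, because a context mount can label a filesystem with any such type.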
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle. Changing version to 37.
FEDORA-2022-839f7bd62c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-839f7bd62c
FEDORA-2022-839f7bd62c has been pushed to the Fedora 37 testing repository.

Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-839f7bd62c`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-839f7bd62c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-839f7bd62c has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.