Bug 2083900 - SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
Summary: SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 37
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3d82aa1a07192e9f8734391de04...
Duplicates: 2083062 2123930 2137324 2144226 2164078
Depends On:
Blocks:
Reported: 2022-05-11 01:00 UTC by `{third: "Beedell", first: "Roke"}`{.JSON5}
Modified: 2023-12-05 21:06 UTC (History)
CC List: 55 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-05 21:06:46 UTC
Type: ---
Embargoed:


Links:
Github systemd/systemd pull 25580 (Merged): dissect: rework DISSECT_IMAGE_ADD_PARTITION_DEVICES + DISSECT_IMAGE_OPEN_PARTITION_DEVICES (last updated 2022-12-01 13:58:32 UTC)

Internal Links: 2141998

Description `{third: "Beedell", first: "Roke"}`{.JSON5} 2022-05-11 01:00:19 UTC
Description of problem:
I believe that this was caused when I installed ffmpeg from RPMFusion, or when I subsequently attempted to uninstall openh264.
SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.1-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.1-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.18.0-
                              0.rc5.20220506gitfe27d189e3f42e3.44.fc37.x86_64 #1
                              SMP PREEMPT_DYNAMIC Fri May 6 17:12:49 UTC 2022
                              x86_64 x86_64
Alert Count                   3
First Seen                    2022-05-10 00:36:48 UTC
Last Seen                     2022-05-11 00:58:49 UTC
Local ID                      86859449-20e7-49e3-bc7d-7a37b47da1c1

Raw Audit Messages
type=AVC msg=audit(1652230729.251:500): avc:  denied  { sys_admin } for  pid=48456 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-37.1-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.18.0-0.rc5.20220506gitfe27d189e3f42e3.44.fc37.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2022-05-11 11:00:45 UTC
Hi,

I cannot reproduce this problem, even after installing multiple packages. Could you find out what makes it trigger this denial, and/or collect denials with full auditing enabled?

How to enable full auditing in the audit daemon?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 2 Carl G. 2022-05-11 20:16:51 UTC
*** Bug 2083062 has been marked as a duplicate of this bug. ***

Comment 3 Carl G. 2022-05-11 21:20:25 UTC
(In reply to Zdenek Pytela from comment #1)
> Hi,
> 
> I cannot reproduce this problem, even after installing multiple packages.
> Could you find out what makes it to trigger this denial, and/or collect
> denials with full auditing enabled?

Zdenek, can you look at https://bugzilla.redhat.com/show_bug.cgi?id=2083062 for steps to reproduce this avc denial? (closed because it's lacking the abrt hash to avoid duplicates even if it's older but maybe I shouldn't have done that...)

Comment 4 `{third: "Beedell", first: "Roke"}`{.JSON5} 2022-05-13 10:37:16 UTC
Instruction completed. The consequence is the undermentioned log.

[root@BEEDELLROKEJULIANLOCKHART /]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err
----
type=AVC msg=audit(10/05/22 00:36:42.028:185) : avc:  denied  { search } for  pid=884 comm=rsyslogd name=net dev="proc" ino=16645 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(10/05/22 00:36:42.028:186) : avc:  denied  { search } for  pid=884 comm=rsyslogd name=net dev="proc" ino=16645 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(10/05/22 00:36:48.627:235) : avc:  denied  { sys_admin } for  pid=1289 comm=systemd-gpt-aut capability=sys_admin  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0 
----
type=AVC msg=audit(10/05/22 00:36:52.868:286) : avc:  denied  { sys_admin } for  pid=1374 comm=systemd-gpt-aut capability=sys_admin  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0 
----
type=AVC msg=audit(10/05/22 12:18:09.904:164) : avc:  denied  { search } for  pid=833 comm=rsyslogd name=net dev="proc" ino=17235 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(10/05/22 12:18:09.904:165) : avc:  denied  { search } for  pid=833 comm=rsyslogd name=net dev="proc" ino=17235 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(11/05/22 00:58:49.251:500) : avc:  denied  { sys_admin } for  pid=48456 comm=systemd-gpt-aut capability=sys_admin  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0 
----
type=AVC msg=audit(11/05/22 13:44:55.091:163) : avc:  denied  { search } for  pid=832 comm=rsyslogd name=net dev="proc" ino=15525 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(11/05/22 13:44:55.091:164) : avc:  denied  { search } for  pid=832 comm=rsyslogd name=net dev="proc" ino=15525 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Comment 5 Zdenek Pytela 2022-05-13 15:28:51 UTC
Thank you,

however, full auditing was not enabled, and these data are needed for assessing the sys_admin capability. The search permission seems to be clear.

Comment 6 Carl G. 2022-05-13 20:31:35 UTC
I can reproduce this issue by installing ffmpeg from rpmfusion; it's triggered during the dnf transaction:

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today:

type=PROCTITLE msg=audit(05/13/2022 16:23:17.861:592) : proctitle=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/g 
type=SYSCALL msg=audit(05/13/2022 16:23:17.861:592) : arch=x86_64 syscall=ioctl success=no exit=EACCES(Permission denied) a0=0x4 a1=0x1269 a2=0x7ffe8a5e9dd0 a3=0x12c000 items=0 ppid=3872 pid=3890 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-gpt-aut exe=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null) 
type=AVC msg=audit(05/13/2022 16:23:17.861:592) : avc:  denied  { sys_admin } for  pid=3890 comm=systemd-gpt-aut capability=sys_admin  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0 

journalctl:
May 13 16:23:17 localhost-live systemd[1]: Started run-r31477c85d1514773848f604a7689ff8c.service - /usr/bin/systemctl start man-db-cache-update.
May 13 16:23:17 localhost-live audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=run-r31477c85d1514773848f604a7689ff8c comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 13 16:23:17 localhost-live systemd[1]: Starting man-db-cache-update.service...
May 13 16:23:17 localhost-live systemd[1]: Reloading.
May 13 16:23:17 localhost-live systemd-sysv-generator[3897]: SysV service '/etc/rc.d/init.d/livesys' lacks a native systemd unit file. Automatically generating a unit file for compatibility. Please update package to include a native systemd unit file, in order to make it more safe and robust.
May 13 16:23:17 localhost-live systemd-sysv-generator[3897]: SysV service '/etc/rc.d/init.d/livesys-late' lacks a native systemd unit file. Automatically generating a unit file for compatibility. Please update package to include a native systemd unit file, in order to make it more safe and robust.
May 13 16:23:17 localhost-live systemd-gpt-auto-generator[3890]: Failed to dissect: Permission denied
May 13 16:23:17 localhost-live audit[3890]: AVC avc:  denied  { sys_admin } for  pid=3890 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
May 13 16:23:17 localhost-live audit[3890]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=4 a1=1269 a2=7ffe8a5e9dd0 a3=12c000 items=0 ppid=3872 pid=3890 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-gpt-aut" exe="/usr/lib/systemd/system-generators/systemd-gpt-auto-generator" subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
May 13 16:23:17 localhost-live audit: PROCTITLE proctitle=2F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73797374656D642D6770742D6175746F2D67656E657261746F72002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F73797374656D642F67
May 13 16:23:17 localhost-live systemd[3872]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
May 13 16:23:18 localhost-live systemd[1]: Queuing reload/restart jobs for marked units…
May 13 16:23:18 localhost-live systemd[1]: man-db-cache-update.service: Deactivated successfully.
May 13 16:23:18 localhost-live systemd[1]: Finished man-db-cache-update.service.
May 13 16:23:18 localhost-live audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=man-db-cache-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 13 16:23:18 localhost-live audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=man-db-cache-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 13 16:23:18 localhost-live systemd[1]: run-r31477c85d1514773848f604a7689ff8c.service: Deactivated successfully.
May 13 16:23:18 localhost-live audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=run-r31477c85d1514773848f604a7689ff8c comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 7 `{third: "Beedell", first: "Roke"}`{.JSON5} 2022-05-14 19:06:27 UTC
How is "full auditing" able to be enabled? Please provide commands that I am able to unambiguously invoke to enable the feature if that is possible. If that is provided, I shall provide again the relevant records. I am thankful for your assistance, and apologetic for my incompetence.

Comment 8 Zdenek Pytela 2022-06-15 17:05:22 UTC
The instructions were provided in #c1 and they need to be followed literally. In full auditing mode, additional records are audited, namely type=SYSCALL and type=PATH when available. I hope the content from the link from the dup bz will be sufficient for understanding now:

----
type=PROCTITLE msg=audit(05/09/2022 08:06:38.195:1288) : proctitle=systemd-notify --ready 
type=SOCKADDR msg=audit(05/09/2022 08:06:38.195:1288) : saddr={ saddr_fam=local path=/run/systemd/notify } 
type=SYSCALL msg=audit(05/09/2022 08:06:38.195:1288) : arch=x86_64 syscall=sendmsg success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x7ffc487d0230 a2=MSG_NOSIGNAL a3=0x7ffc487d01b4 items=0 ppid=3738 pid=5025 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) 
type=AVC msg=audit(05/09/2022 08:06:38.195:1288) : avc:  denied  { sys_admin } for  pid=5025 comm=systemd-notify capability=sys_admin  scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(05/09/2022 08:06:38.195:1289) : proctitle=systemd-notify --ready 
type=PATH msg=audit(05/09/2022 08:06:38.195:1289) : item=0 name=/run/systemd/notify inode=36 dev=00:1a mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/09/2022 08:06:38.195:1289) : cwd=/var/ARTIFACTS/work-ciW1aKNu/plans/ci/discover/default/tests/selinux-policy/systemd-notify-and-similar 
type=SOCKADDR msg=audit(05/09/2022 08:06:38.195:1289) : saddr={ saddr_fam=local path=/run/systemd/notify } 
type=SYSCALL msg=audit(05/09/2022 08:06:38.195:1289) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffc487d0230 a2=MSG_NOSIGNAL a3=0x7ffc487d01b4 items=1 ppid=3738 pid=5025 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) 
type=AVC msg=audit(05/09/2022 08:06:38.195:1289) : avc:  denied  { sendto } for  pid=5025 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 
----

Comment 9 Zdenek Pytela 2022-07-27 15:28:30 UTC
Actually the denials in #c8 are for an unrelated problem. As I cannot reproduce the issue, neither on my systems nor using any test, please check if it still appears on your systems.

To consider a fix, either steps to reproduce the issue or all details gathered with full auditing enabled are needed.

0) run
setenforce 0
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario (install a package?)
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
7) run
setenforce 1

Comment 10 Zdenek Pytela 2022-07-27 15:30:35 UTC
Bruno,

Does this problem still appear in your tests using the latest rawhide packages?

Comment 11 Bruno Goncalves 2022-07-28 06:39:10 UTC
(In reply to Zdenek Pytela from comment #10)
> Bruno,
> 
> Does this problem still appear in your tests using the latest rawhide
> packages?

Yes, looking at https://datawarehouse.cki-project.org/issue/1193 we continue to hit this problem.

Here is an example of test that hit it: 
https://datawarehouse.cki-project.org/kcidb/tests/4558242
https://s3.us-east-1.amazonaws.com/arr-cki-prod-datawarehouse-public/datawarehouse-public/2022/07/27/redhat:598443816/build_aarch64_redhat:598443816_aarch64/tests/6/results_0001/job.01/recipes/12355005/tasks/64/results/1658947386/logs/avc.log

Comment 12 Ondrej Mosnacek 2022-07-28 22:49:07 UTC
I was able to reproduce this and get a kernel trace:

systemd-gpt-aut  1643 [001]  2150.459236: avc:selinux_audited: requested=0x200000 denied=0x200000 audited=0x200000 result=-13 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability
        ffffd0fe227d6b5c avc_audit_post_callback+0x21c (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe227d6b5c avc_audit_post_callback+0x21c (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe227fdad8 common_lsm_audit+0x74 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe227d6df4 slow_avc_audit+0x74 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe227dbef4 cred_has_capability.isra.0+0x114 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe227dbf68 selinux_capable+0x38 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe227cf7b8 security_capable+0x64 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe22231830 capable+0x40 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe2286ca04 blkpg_do_ioctl+0x34 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe2286dd50 blkdev_ioctl+0x50c (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe2254f26c __arm64_sys_ioctl+0xb8 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe221aaa38 invoke_syscall+0x78 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe221aab0c el0_svc_common.constprop.0+0x4c (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe221aabe4 do_el0_svc+0x30 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe23166864 el0_svc+0x34 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe23167bbc el0t_64_sync_handler+0x10c (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
        ffffd0fe22191570 el0t_64_sync+0x190 (/usr/lib/debug/lib/modules/5.18.13-200.fc36.aarch64/vmlinux)
                   e3e90 __GI___ioctl+0x10 (/usr/lib64/libc.so.6)
                   b9a17 dissect_image+0x8f7 (/usr/lib/systemd/libsystemd-shared-251.3-1.fc37.so)
                    2d04 [unknown] (/usr/lib/systemd/system-generators/systemd-gpt-auto-generator)
                   276c8 __libc_start_call_main+0x78 (/usr/lib64/libc.so.6)
                   277a0 __libc_start_main@@GLIBC_2.34+0x9c (/usr/lib64/libc.so.6)
                    3a30 [unknown] (/usr/lib/systemd/system-generators/systemd-gpt-auto-generator)

It hits the following capability check:
https://elixir.bootlin.com/linux/v5.18/source/block/ioctl.c#L23

It seems systemd-gpt-auto-generator is trying to modify the partition table on some disk device (sounds legitimate given its description in systemd-gpt-auto-generator(8)). What's weird, though, is that the denial only appears in enforcing mode, never in permissive. I haven't been able to figure out why that is.
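Comments 1 and 8 ask for full auditing because it adds the SYSCALL record that says which syscall hit the capability check, and the trace above shows that syscall is an ioctl reaching blkpg_do_ioctl(). The following parser is added here and is not part of the bug report: it groups ausearch output by audit event and pairs each capability AVC with its SYSCALL record, decoding the ioctl request number; the sample records are copied from comments 4 and 6, and BLKPG (0x1269) is the only ioctl name it knows.

```python
import re

# Constructed sample: the three records of one event from comment 6 (ausearch -i
# output with full auditing), plus an AVC from comment 4 that has no SYSCALL record.
SAMPLE = """\
type=PROCTITLE msg=audit(05/13/2022 16:23:17.861:592) : proctitle=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator /run/systemd/generator
type=SYSCALL msg=audit(05/13/2022 16:23:17.861:592) : arch=x86_64 syscall=ioctl success=no exit=EACCES(Permission denied) a0=0x4 a1=0x1269 a2=0x7ffe8a5e9dd0 a3=0x12c000 items=0 ppid=3872 pid=3890 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-gpt-aut exe=/usr/lib/systemd/system-generators/systemd-gpt-auto-generator subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
type=AVC msg=audit(05/13/2022 16:23:17.861:592) : avc:  denied  { sys_admin } for  pid=3890 comm=systemd-gpt-aut capability=sys_admin  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(10/05/22 00:36:48.627:235) : avc:  denied  { sys_admin } for  pid=1289 comm=systemd-gpt-aut capability=sys_admin  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
"""

# One audit record: type=<TYPE> msg=audit(<timestamp>:<serial>) : <body>
# The "\s*:\s*" also accepts the raw (non -i) form "msg=audit(1652230729.251:500): ...".
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*)\)\s*:\s*(?P<body>.*)$")
PERMS_RE = re.compile(r"\{ (?P<perms>[^}]*) \}")            # AVC "{ sys_admin }"
FIELD_RE = re.compile(r"(\w+)=(\S+)")                       # plain key=value pairs
EXIT_RE = re.compile(r"exit=(\S+?(?:\([^)]*\))?)(?:\s|$)")  # "exit=EACCES(Permission denied)"

# Block-layer ioctl the report traces to blkpg_do_ioctl(): BLKPG = _IO(0x12, 105) = 0x1269.
# Only this one is named here; every other request is decoded into its _IO fields.
KNOWN_IOCTLS = {0x1269: "BLKPG"}


def decode_ioctl(request):
    """Name a request if known, and split it into the _IO(type, nr) fields."""
    ioc_type = (request >> 8) & 0xFF
    ioc_nr = request & 0xFF
    return f"{KNOWN_IOCTLS.get(request, 'unknown')} (type=0x{ioc_type:02x}, nr={ioc_nr})"


def parse_events(text):
    """Group records by their audit(...) stamp; records of one event share a stamp."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # "----" separators and non-record lines
        events.setdefault(m.group("stamp"), {})[m.group("type")] = m.group("body")
    return events


def correlate(text):
    """For each AVC capability denial, attach the syscall that triggered the check.
    Without full auditing there is no SYSCALL record (the situation comment 5 points
    out); with it, an ioctl denial can be resolved to its request number."""
    findings = []
    for stamp, recs in parse_events(text).items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        fields = dict(FIELD_RE.findall(avc))
        if fields.get("tclass") != "capability":
            continue
        perms = PERMS_RE.search(avc)
        finding = {
            "serial": int(stamp.rsplit(":", 1)[1]),
            "comm": fields.get("comm"),
            "scontext": fields.get("scontext"),
            "capability": perms.group("perms").strip() if perms else None,
            "syscall": None,
            "detail": "no SYSCALL record; full auditing was not enabled",
        }
        syscall = recs.get("SYSCALL")
        if syscall is not None:
            sf = dict(FIELD_RE.findall(syscall))
            exit_m = EXIT_RE.search(syscall)
            finding["syscall"] = sf.get("syscall")
            finding["detail"] = f"exit={exit_m.group(1) if exit_m else '?'}"
            if sf.get("syscall") == "ioctl" and "a1" in sf:
                request = int(sf["a1"], 16)  # accepts both "0x1269" (-i) and "1269" (raw)
                finding["detail"] = f"ioctl {sf['a1']} = {decode_ioctl(request)}, " + finding["detail"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"event {f['serial']}: {f['comm']} ({f['scontext']}) denied "
              f"capability {f['capability']} via {f['syscall'] or '?'}: {f['detail']}")
```

Feed it `ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` output instead of SAMPLE to check whether the SYSCALL records that comment 5 asked for are actually present.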

Comment 13 Zdenek Pytela 2022-07-29 08:10:02 UTC
Thank you, Ondrej, for your findings.
Frankly I can't see why systemd-gpt-auto-generator would need to modify gpt while it should just create a systemd unit file, specifically why it would add/delete/resize a partition.
I'd also be grateful for an explanation of why it appears only in enforcing mode, as there seems to be no different code path.

Comment 14 Ondrej Mosnacek 2022-07-29 08:28:39 UTC
(In reply to Zdenek Pytela from comment #13)
> Thank you, Ondrej, for your findings.
> Frankly I can't see why systemd-gpt-auto-generator would need modify gpt
> while it should just create a systemd unit file, specifically why it would
> add/delete/resize a partition.

Hm... maybe you're right. I didn't have time to look into it deeper.

> I'd be also grateful for the explanation why it appears only in enforcing
> mode as there seems to be no different code path.

I would have explained it if I knew the reason, but I don't :) I'd recommend asking systemd maintainers for input - they should be able to figure this out easier than me.

Comment 15 Ondrej Mosnacek 2022-07-29 09:29:35 UTC
BTW, this seems to be easily reproducible in Beaker by reserving an aarch64 machine with Fedora (probably needs to be a HW one, not a VM) and running `setenforce 1; dnf reinstall -y chrony`.

Comment 16 Ben Cotton 2022-08-09 13:41:20 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle.
Changing version to 37.

Comment 17 `{third: "Beedell", first: "Roke"}`{.JSON5} 2022-08-19 12:56:11 UTC
I have replaced Fedora Rawhide with Fedora 36 since this was reported, so I am unable to provide what "http://bugzilla.redhat.com/show_bug.cgi?id=2083900#c9" requests. However, @omosnace appears to be able to provide relevant information, so I ask that this report not be consequently disregarded.

Comment 18 Ben Cotton 2022-08-19 13:00:32 UTC
Clearing my needinfo because there's nothing for me to provide.

Comment 19 Martin Pitt 2022-08-31 04:59:34 UTC
We see this in our cockpit test VMs as well, after merely booting a Fedora 37 x86_64 cloud VM without doing anything else. I'm happy to run some debugging stuff, otherwise this is trivial to reproduce:

  git clone https://github.com/cockpit-project/bots
  bots/vm-run fedora-37

Log in as root:foobar, `journalctl -b | grep sys_admin` shows the violation.

Comment 20 Zdenek Pytela 2022-08-31 14:03:36 UTC
Martin,
In your case it is a different denial though:
 
----
type=PROCTITLE msg=audit(08/31/2022 13:10:27.678:197) : proctitle=mv /run/console-login-helper-messages/console-login-helper-messages.KH6oQ7NMQO.tmp /etc/issue.d/22_clhm_eth0.issue
type=PATH msg=audit(08/31/2022 13:10:27.678:197) : item=0 name=(null) inode=1171 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:NetworkManager_dispatcher_console_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/31/2022 13:10:27.678:197) : cwd=/
type=SYSCALL msg=audit(08/31/2022 13:10:27.678:197) : arch=x86_64 syscall=flistxattr success=yes exit=17 a0=0x3 a1=0x7ffe81308900 a2=0x11 a3=0x7ffe813099c1 items=1 ppid=838 pid=847 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mv exe=/usr/bin/mv subj=system_u:system_r:NetworkManager_dispatcher_console_t:s0 key=(null)
type=AVC msg=audit(08/31/2022 13:10:27.678:197) : avc:  denied  { sys_admin } for  pid=847 comm=mv capability=sys_admin  scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=capability permissive=0

Ondrej,

CAP_SYS_ADMIN is needed for

              * perform operations on trusted and security  extended  attributes  (see
                xattr(7));

Does flistxattr() really require this capability?

Comment 21 Martin Pitt 2022-08-31 14:14:40 UTC
Zdenek, OOI, did you actually do the "vm-run fedora-37" bit? (As I didn't mention any particular message). We are seeing two issues. The one you mentioned we see as well, e.g. in [1], but I already filed as bug 2122888. We see this one as well (for systemd-gpt-aut), but indeed it may not (always) happen during boot. Sorry for the mix-up and confusing comment then!

[1] https://cockpit-logs.us-east-1.linodeobjects.com/pull-17690-20220831-051933-cb3b0276-fedora-37/log.html

Comment 22 Ondrej Mosnacek 2022-08-31 15:01:40 UTC
(In reply to Zdenek Pytela from comment #20)
> Does flistxattr() really require this capability?

Answered in https://bugzilla.redhat.com/show_bug.cgi?id=2122888#c2

Comment 23 Michal Sekletar 2022-09-02 09:04:14 UTC
systemd-gpt-auto-generator started to require CAP_SYS_ADMIN because it wanted to delete probed partitions. This was due to a bug that was recently introduced in systemd. I've reported the issue and now there is also a fix already merged. It should land in rawhide and F37 once we release a new systemd version in a couple of weeks. I don't think any fixes in the policy should be necessary, i.e. this bug should probably be reassigned or closed.

https://github.com/systemd/systemd/issues/24431

Comment 24 Zdenek Pytela 2022-09-02 09:10:39 UTC
Thank you, reassigning to systemd then, just in case.

Comment 25 Zbigniew Jędrzejewski-Szmek 2022-09-02 15:27:24 UTC
https://github.com/systemd/systemd/pull/24530

Comment 26 Zdenek Pytela 2022-09-05 05:47:37 UTC
*** Bug 2123930 has been marked as a duplicate of this bug. ***

Comment 27 Ian Laurie 2022-09-07 00:13:29 UTC
Similar problem has been detected:

Logged into Xfce for the first time, Fedora 37 beta branch built with Fedora-Everything-netinst-x86_64-37_Beta-1.4.iso.

hashmarkername: setroubleshoot
kernel:         5.19.6-300.fc37.x86_64
package:        selinux-policy-targeted-37.8-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 28 Christian Labisch 2022-09-08 11:20:04 UTC
The issue occurs during the process of updating packages (sudo dnf upgrade).

SELinux is preventing systemd-gpt-aut from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          ********
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.8-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.8-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ********
Platform                      Linux ******** 5.19.7-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Sep 5 15:09:01 UTC 2022 x86_64
                              x86_64
Alert Count                   1
First Seen                    2022-09-08 11:51:37 CEST
Last Seen                     2022-09-08 11:51:37 CEST
Local ID                      17aa3c97-c3fb-40b1-864d-10aab07f9e8b

Raw Audit Messages
type=AVC msg=audit(1662630697.999:505): avc:  denied  { sys_admin } for  pid=7303 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Comment 29 Ali 2022-09-15 13:23:08 UTC
Similar problem has been detected:

After installing Fedora Cinnamon, and after every application installation, it occasionally gives a warning.

hashmarkername: setroubleshoot
kernel:         5.19.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.8-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 30 Karel Volný 2022-09-22 07:08:18 UTC
Similar problem has been detected:

It appeared during dnf upgrade

hashmarkername: setroubleshoot
kernel:         5.19.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.8-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 31 Ian Laurie 2022-09-25 23:51:25 UTC
Similar problem has been detected:

Booted and logged in to Xfce.

hashmarkername: setroubleshoot
kernel:         5.19.10-300.fc37.x86_64
package:        selinux-policy-targeted-37.8-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 32 Zbigniew Jędrzejewski-Szmek 2022-10-01 17:29:02 UTC
https://github.com/systemd/systemd/pull/24530 should be backported, but it's a lot of stuff, and
also there were subsequent fixes for those patches. I punted on this for now.

Comment 34 John Ward 2022-10-07 16:54:04 UTC
Similar problem has been detected:

This showed up during a system update.

hashmarkername: setroubleshoot
kernel:         5.19.12-300.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 35 Michael 2022-10-10 18:36:28 UTC
Similar problem has been detected:

Opened gparted

hashmarkername: setroubleshoot
kernel:         5.16.20-200.fc36.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 36 Zdenek Pytela 2022-10-24 13:11:24 UTC
*** Bug 2137324 has been marked as a duplicate of this bug. ***

Comment 37 John Ward 2022-10-28 02:41:37 UTC
Similar problem has been detected:

I encountered this issue when performing a dnf update.

hashmarkername: setroubleshoot
kernel:         5.19.14-300.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 38 Flo 2022-11-03 13:33:14 UTC
Similar problem has been detected:

This happens after installing cockpit

hashmarkername: setroubleshoot
kernel:         6.0.5-300.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 39 keen.frog3570 2022-11-11 08:08:25 UTC
Similar problem has been detected:

during a system upgrade

hashmarkername: setroubleshoot
kernel:         6.0.7-301.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 40 Sandro Bonazzola 2022-11-15 17:09:30 UTC
Just to change the "same here" chain, is there a
(In reply to Michal Sekletar from comment #23)
> systemd-gpt-auto-generator started to require CAP_SYS_ADMIN because it
> wanted to delete probed partitions. This was due to a bug that was recently
> introduced in systemd. I've reported the issue and now there is also a fix
> already merged. It should land in rawhide and F37 once we release new
> systemd version in couple of weeks. I don't think any fixes in the policy
> should be necessary, i.e. this bug should be probably reassigned or closed.
> 
> https://github.com/systemd/systemd/issues/24431

I still see this with systemd-251.8-586.fc37
Any ETA on having a new build including the fix?

"systemd-gpt-auto-generator started to require CAP_SYS_ADMIN because it wanted to delete probed partitions." sounds scary to me.

Comment 41 skierpage 2022-11-15 23:19:30 UTC
So what should users do when `dnf update` triggers this error? Ignore it, or follow the instructions that SELinux Alert Browser displays to "generate a local policy module to allow this access" (to modify my partition table?!). The instructions are predicated on
> If you believe that systemd-gpt-aut should have the sys_admin capability by default.

I've read every comment here and I'm not sure what to believe ;-)

(In reply to Michal Sekletar from comment #23)
> systemd-gpt-auto-generator started to require CAP_SYS_ADMIN because it
> wanted to delete probed partitions. This was due to a bug that was recently
> introduced in systemd.

Comment 42 Chipeng Li 2022-11-16 14:04:34 UTC
Similar problem has been detected:

This alert appeared after the Fedora 37 update

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 43 c 2022-11-17 00:48:18 UTC
Similar problem has been detected:

opened Virtual Machine Manager for KVM. Not sure if that's related.

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 44 Simon 2022-11-17 10:02:12 UTC
Similar problem has been detected:

I ran sudo dnf update -y

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 45 tim 2022-11-17 16:20:46 UTC
Similar problem has been detected:

I update system after installing Fedora 37 and SELinux Alert show me this alert

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 46 Sandro Bonazzola 2022-11-18 14:42:50 UTC
Raising severity to urgent. If I read it right, moving selinux to permissive or generating a policy as suggested by the tool may lead to data loss.
Feel free to lower the severity if I got it wrong.

Comment 47 huiky2001 2022-11-19 05:13:12 UTC
I'm having the same problem; I reinstalled the OS two times (Fedora 37 Cinnamon) and it had the same problem.
This is what it says:

 SELinux is preventing systemd-gpt-aut from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          localhost-live.socal.rr.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.14-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.14-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost-live.socal.rr.com
Platform                      Linux localhost-live.socal.rr.com
                              6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri
                              Nov 11 15:09:04 UTC 2022 x86_64 x86_64
Alert Count                   10
First Seen                    2022-11-16 19:32:49 PST
Last Seen                     2022-11-18 19:30:47 PST
Local ID                      92c0e3b7-db08-4b88-ae9b-7f5ffc26050c

Raw Audit Messages
type=AVC msg=audit(1668828647.986:756): avc:  denied  { sys_admin } for  pid=26203 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

It keeps popping up whenever I install some programs; not all programs cause this error. The last time it was with this command: sudo dnf install fedora-workstation-repositories. I have a different problem too: most of the programs that I used won't show in the store or install via the command line, and some RPM packages downloaded from the net won't install either; the pop-up appears. So if someone knows the fix it will be helpful, thank you. I'm new to this too, thank you for your help.

Comment 48 Peter Greenwood 2022-11-20 16:32:58 UTC
Similar problem has been detected:

Upgraded to Fedora 37: performed 'dnf system-upgrade reboot' Nov 18 00:25:08 GMT
Noted that there were some recent updates Nov 20 16:15 approx and ran 'dnf update'; this completed around 16:18
SELinux error appeared Nov 20 16:18:38

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 49 Graeme Murray 2022-11-20 23:27:00 UTC
I have the same problem, just opened gparted.

SELinux is preventing systemd-gpt-aut from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          Hera
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.14-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.14-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hera
Platform                      Linux Hera 6.0.8-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022
                              x86_64 x86_64
Alert Count                   17
First Seen                    2022-10-26 22:31:39 CEST
Last Seen                     2022-11-21 00:07:06 CET
Local ID                      2e098e58-a23f-4559-b91f-fa5a942278a2

Raw Audit Messages
type=AVC msg=audit(1668985626.68:491): avc:  denied  { sys_admin } for  pid=13302 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Comment 50 David Tippit 2022-11-21 03:59:23 UTC
Similar problem has been detected:

Tried to install and run VMware Workstation Pro 16

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 51 Simon 2022-11-21 16:20:42 UTC
Similar problem has been detected:

I did "dnf up"; some of these package scripts must have triggered SELinux:

  Running scriptlet: grub2-common-1:2.06-63.fc37.noarch  362/362
  Running scriptlet: libwbclient-2:4.17.3-0.fc37.x86_64  362/362
  Running scriptlet: libreoffice-data-1:7.4.3.2-1.fc37.x86_64  362/362
  Running scriptlet: nss-3.85.0-1.fc37.x86_64  362/362
  Running scriptlet: nss-3.85.0-1.fc37.i686  362/362
  Running scriptlet: intel-gmmlib-22.1.7-1.fc37.x86_64

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 52 Carlos Mogas da Silva 2022-11-21 18:05:37 UTC
Similar problem has been detected:

Just started GNOME desktop as normal but after a F36 to F37 upgrade.

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 53 Andrei Nevedomskii 2022-11-22 14:16:34 UTC
Similar problem has been detected:

Just running dnf update

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 54 Zdenek Dohnal 2022-11-23 05:37:29 UTC
Similar problem detected during qpdf CI run:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1-1.fc38.noarch
----
time->Wed Nov 23 00:31:07 2022
type=PROCTITLE msg=audit(1669163467.174:225): proctitle=2F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73797374656D642D6770742D6175746F2D67656E657261746F72002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F73797374656D642F67
type=SYSCALL msg=audit(1669163467.174:225): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=1269 a2=7ffd05ded780 a3=7ffd05ded5e7 items=0 ppid=1480 pid=1490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-gpt-aut" exe="/usr/lib/systemd/system-generators/systemd-gpt-auto-generator" subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
type=AVC msg=audit(1669163467.174:225): avc:  denied  { sys_admin } for  pid=1490 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
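
Comment 41 asks what a user should actually do, and comment 46 worries that the audit2allow shortcut could lead to data loss. The SYSCALL record above is the piece that answers what the generator was doing when it was refused, and the script below decodes it. This is an added example, not code from this bug report, from systemd or from setroubleshoot: it correlates the AVC, SYSCALL and PROCTITLE records of one audit event (SAMPLE_AUDIT is a constructed copy of the three records in this comment, in the format `ausearch --raw` prints), maps capability=21 to CAP_SYS_ADMIN, syscall=16 under arch=c000003e to ioctl on x86_64, and request a1=1269 to BLKPG, the block-device ioctl that adds or removes partitions in the kernel's in-memory view of a disk (it does not rewrite the on-disk GPT). That matches comment 23's description of the regression. The capability, syscall and ioctl tables are assumed-minimal subsets of the kernel uapi headers, not complete lists.

```python
"""Decode an SELinux capability denial from raw Linux audit records.

Added example: not code from the bug report, systemd or setroubleshoot.
It correlates the AVC, SYSCALL and PROCTITLE records of one audit event
and reports which capability was refused, which system call needed it
and, for ioctl, which request number was issued.
SAMPLE_AUDIT is a constructed copy of the records pasted in comment 54.
"""
import re
from typing import Dict, List

SAMPLE_AUDIT = """\
time->Wed Nov 23 00:31:07 2022
type=PROCTITLE msg=audit(1669163467.174:225): proctitle=2F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73797374656D642D6770742D6175746F2D67656E657261746F72002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F73797374656D642F67
type=SYSCALL msg=audit(1669163467.174:225): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=1269 a2=7ffd05ded780 a3=7ffd05ded5e7 items=0 ppid=1480 pid=1490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-gpt-aut" exe="/usr/lib/systemd/system-generators/systemd-gpt-auto-generator" subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
type=AVC msg=audit(1669163467.174:225): avc:  denied  { sys_admin } for  pid=1490 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
"""

# Assumed-minimal subsets of the kernel uapi tables (capability.h,
# the x86_64 syscall table, linux/fs.h); only what this example needs.
CAPABILITIES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD",
}
SYSCALLS_X86_64 = {16: "ioctl", 165: "mount", 166: "umount2", 257: "openat"}
ARCHES = {"c000003e": "x86_64"}  # AUDIT_ARCH_X86_64
# BLKPG = _IO(0x12, 105) = 0x1269, BLKRRPART = _IO(0x12, 95) = 0x125f
BLOCK_IOCTLS = {0x1269: "BLKPG", 0x125F: "BLKRRPART"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'type=... msg=audit(ts:serial): k=v ...' line into a dict."""
    rec: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        # proctitle keeps its quotes: a quoted value is plain text, an
        # unquoted one is hex because argv contained NUL separators.
        rec[key] = value if key == "proctitle" else value.strip('"')
    m = SERIAL_RE.search(line)
    if m:
        rec["_serial"] = m.group(2)
    m = PERMS_RE.search(line)
    if m and rec.get("type") == "AVC":
        rec["_perms"] = m.group(1)  # e.g. "sys_admin" or "read write"
    return rec


def group_events(text: str) -> Dict[str, Dict[str, List[Dict[str, str]]]]:
    """Group records by audit serial number; ausearch separators are skipped."""
    events: Dict[str, Dict[str, List[Dict[str, str]]]] = {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        rec = parse_record(line)
        serial = rec.get("_serial")
        if serial:
            events.setdefault(serial, {}).setdefault(rec["type"], []).append(rec)
    return events


def decode_proctitle(value: str) -> List[str]:
    """Turn the PROCTITLE field back into argv."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0") if a]


def triage(event: Dict[str, List[Dict[str, str]]]) -> Dict[str, object]:
    """Explain one event: what was denied, by which system call, doing what."""
    avc = event["AVC"][0]  # one AVC record per event assumed
    out: Dict[str, object] = {
        "denied": avc.get("permissive") == "0",  # permissive=1 would be log-only
        "perms": avc.get("_perms", "").split(), "tclass": avc.get("tclass"),
        "scontext": avc.get("scontext"), "capability": None,
        "syscall": None, "ioctl": None, "errno": 0, "exe": None, "argv": [],
    }
    if "capability" in avc:
        out["capability"] = CAPABILITIES.get(int(avc["capability"]), avc["capability"])
    if event.get("SYSCALL"):
        sc = event["SYSCALL"][0]
        arch = ARCHES.get(sc.get("arch", ""), "unknown")
        nr = int(sc["syscall"])
        name = SYSCALLS_X86_64.get(nr) if arch == "x86_64" else None
        out["syscall"] = name or f"{arch}:syscall#{nr}"
        out["exe"] = sc.get("exe")
        if sc.get("success") == "no":
            out["errno"] = -int(sc["exit"])  # exit=-13 is -EACCES
        if name == "ioctl":
            # a0 is the fd, a1 the request number. For BLKPG the sub-operation
            # (add/delete/resize) sits in the struct a2 points to, which audit
            # does not record, so the log alone cannot tell them apart.
            out["ioctl"] = BLOCK_IOCTLS.get(int(sc["a1"], 16), sc["a1"])
    if event.get("PROCTITLE"):
        out["argv"] = decode_proctitle(event["PROCTITLE"][0]["proctitle"])
    return out


def triage_text(text: str) -> List[Dict[str, object]]:
    """Triage every event in an ausearch dump that contains an AVC record."""
    return [triage(ev) for ev in group_events(text).values() if "AVC" in ev]


if __name__ == "__main__":
    for result in triage_text(SAMPLE_AUDIT):
        print(result)
```

On a live system, `ausearch -c 'systemd-gpt-aut' --raw` produces the same record format, so its output can be fed to `triage_text` unchanged. The reason this matters for the audit2allow question: SELinux's `capability` class has no finer permission than `sys_admin`, so the local module the tool proposes would let the generator use every CAP_SYS_ADMIN-gated operation (mount, BLKPG, and the rest), not only the one ioctl that was denied here. Seeing that the denied call is BLKPG on a block device is what makes the "fix it in systemd, not in the policy" conclusion of comment 23 verifiable from the log rather than a matter of belief.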

Comment 55 funtomasz 2022-11-23 07:22:36 UTC
Similar problem has been detected:

The error occurs during automatic updates.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 56 Bonzi 2022-11-23 20:34:28 UTC
FWIW, I got this after installing Fedora-Xfce-Live-x86_64-37-1.7.iso on VirtualBox 6.1.40 running on Win10 Pro. I played with the live image, installed it on the virtual machine, rebooted, and logged in for the first time right after creating the first user. This didn't occur again after reboot.

Comment 57 Atikur Rahman 2022-11-24 02:59:27 UTC
Similar problem has been detected:

- Boot the system.
- Run sudo dnf --refresh upgrade -y
- Some packages are updated.
- At the end, this happens.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 58 gregorionarvaez 2022-11-26 08:52:03 UTC
Issue detected in a couple of different uses:

Invoking gparted, installing software packages via dnf, dnf update, etc:
SELinux is preventing systemd-gpt-aut from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          ---------------
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.14-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.14-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ----------
Platform                      Linux --------- 6.0.9-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Nov 16 17:36:22 UTC 2022
                              x86_64 x86_64
Alert Count                   7
First Seen                    2022-11-21 02:56:11 NZDT
Last Seen                     2022-11-26 20:15:51 NZDT
Local ID                      7e95ae1d-e914-483b-b29f-c1eb4b6a4651

Raw Audit Messages
type=AVC msg=audit(1669446951.672:656): avc:  denied  { sys_admin } for  pid=23350 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Comment 59 Christian Labisch 2022-11-26 10:45:04 UTC
SELinux build 37.15-1.fc37 : Unfortunately nothing seems to have changed.

Comment 60 Alex Hornby 2022-11-26 17:16:40 UTC
Similar problem has been detected:

sudo dnf update

hashmarkername: setroubleshoot
kernel:         6.0.8-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 61 Matthias Andree 2022-11-26 19:20:04 UTC
Similar problem has been detected:

This happened right after Fedora upgrade from 36 to 37, and seems to appear at boot.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 62 Coacher 2022-11-27 21:08:48 UTC
Similar problem has been detected:

Boot the system after upgrade from Fedora 36 to Fedora 37.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 63 Michael K Johnson 2022-11-28 01:01:27 UTC
On freshly-installed F37, modifying /etc/fstab by hand and running systemctl daemon-reload reproduces this problem.

Comment 64 bugzilla-redhat 2022-11-28 21:12:16 UTC
Similar problem has been detected:

It happens just after :
# sudo systemctl stop ModemManager.service
# sudo systemctl disable ModemManager.service

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 65 tyudin 2022-11-29 06:21:30 UTC
Similar problem has been detected:

this bug after sudo dnf upgrade

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 66 Davide Repetto 2022-11-29 06:59:08 UTC
Similar problem has been detected:

Immediately after boot on a clean MATE default install.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.14-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 67 GMS 2022-11-29 11:54:01 UTC
Similar problem has been detected:

after the update the SELinux troubleshooter with the message came up
(update selinux-policy-37.14-1.fc37.noarch and selinux-policy-targeted-37.14-1.fc37.noarch
to ...37.15-1)
How to reproduce ? I suppose take a system with 37.14 and update to 37.15?

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 68 Louis R. Fasullo 2022-11-29 23:42:37 UTC
Similar problem has been detected:

Do I need openssh...
I removed and purged openssh

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 69 `{third: "Beedell", first: "Roke"}`{.JSON5} 2022-11-30 11:23:30 UTC
@contact, the ability to utilize the SSH protocol (of which OpenSSH is the default implementation for most distributions of Linux) is solely “necessary” if you want to be able to remotely access the machine that it was installed onto before you purged it. It is not necessary to initialize the machine, or perform any additional basic operation.

Comment 70 Michael 2022-11-30 18:33:58 UTC
Similar problem has been detected:

Ran dnf upgrade

hashmarkername: setroubleshoot
kernel:         5.16.20-200.fc36.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 71 ruihildt 2022-11-30 18:51:19 UTC
Similar problem has been detected:

I was just finishing installing ffmpeg then this alert appeared.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 72 cam_arman 2022-12-01 10:06:13 UTC
Similar problem has been detected:

I was trying to fresh install Fedora-i3 and this problem occurred during the first system update (dnf upgrade).

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          ---------------
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ----------
Platform                      Linux --------- 6.0.9-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Nov 16 17:36:22 UTC 2022
                              x86_64 x86_64
Alert Count                   7
First Seen                    2022-11-21 02:56:11 NZDT
Last Seen                     2022-11-26 20:15:51 NZDT

Raw Audit Messages
type=AVC msg=audit(1669446951.672:656): avc:  denied  { sys_admin } for  pid=23350 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Is this problem related to this bug reported on GitHub?

https://github.com/systemd/systemd/issues/25528

Comment 73 cam_arman 2022-12-01 10:26:56 UTC
(In reply to cam_arman from comment #72)
> Similar problem has been detected:
> 
> I was trying to fresh install Fedora-i3 and this problem occured during the
> first system update (dnf upgrade).
> 
> *****  Plugin catchall (100. confidence) suggests  
> **************************
> 
> If you believe that systemd-gpt-aut should have the sys_admin capability by
> default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
> # semodule -X 300 -i my-systemdgptaut.pp
> 
> Additional Information:
> Source Context                system_u:system_r:systemd_gpt_generator_t:s0
> Target Context                system_u:system_r:systemd_gpt_generator_t:s0
> Target Objects                Unknown [ capability ]
> Source                        systemd-gpt-aut
> Source Path                   systemd-gpt-aut
> Port                          <Unknown>
> Host                          ---------------
> Source RPM Packages           
> Target RPM Packages           
> SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
> Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     ----------
> Platform                      Linux --------- 6.0.9-300.fc37.x86_64 #1 SMP
>                               PREEMPT_DYNAMIC Wed Nov 16 17:36:22 UTC 2022
>                               x86_64 x86_64
> Alert Count                   7
> First Seen                    2022-11-21 02:56:11 NZDT
> Last Seen                     2022-11-26 20:15:51 NZDT
> 
> Raw Audit Messages
> type=AVC msg=audit(1669446951.672:656): avc:  denied  { sys_admin } for 
> pid=23350 comm="systemd-gpt-aut" capability=21 
> scontext=system_u:system_r:systemd_gpt_generator_t:s0
> tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability
> permissive=0
> 
> 
> Hash:
> systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,
> sys_admin
> 
> Is this problem related to this bug reported on github ? 
> 
> https://github.com/systemd/systemd/issues/25528

I accidently posted the wrong error message. Here is the true one

SELinux is preventing systemd-gpt-aut from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.0.10-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022
                              x86_64 x86_64
Alert Count                   5
First Seen                    2022-12-01 00:10:20 +03
Last Seen                     2022-12-01 12:50:20 +03
Local ID                      70eaaa15-d172-4ee5-95b9-ff35770407af

Raw Audit Messages
type=AVC msg=audit(1669888220.383:344): avc:  denied  { sys_admin } for  pid=7197 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Comment 74 David Tardon 2022-12-01 13:58:48 UTC
*** Bug 2144226 has been marked as a duplicate of this bug. ***

Comment 75 asim.srv@posteo.es 2022-12-01 19:02:02 UTC
Similar problem has been detected:

I don't know, I don't understand these problems (Fedora/KDE); with Workstation they didn't appear.

hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 76 ChappersRH 2022-12-02 18:48:09 UTC
Similar problem has been detected:

This instance while running dnf update; dnf upgrade. Received message upon initial install and intermittently since.

hashmarkername: setroubleshoot
kernel:         6.0.10-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 77 ChappersRH 2022-12-02 18:59:14 UTC
Similar problem has been detected:

[root@x ~] # dnf reinstall --refresh --allowerasing --best fedpkg fedora-packager rpmdevtools ncurses-devel pesign grubby


hashmarkername: setroubleshoot
kernel:         6.0.10-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 78 Doron Fediuck 2022-12-05 16:06:18 UTC
Every update I do now in Fedora 37 triggers the same message.
Here's today's error:
SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-gpt-aut should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp

Additional Information:
Source Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Context                system_u:system_r:systemd_gpt_generator_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-gpt-aut
Source Path                   systemd-gpt-aut
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.0.10-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022
                              x86_64 x86_64
Alert Count                   9
First Seen                    2022-11-20 10:34:24 IST
Last Seen                     2022-12-05 17:58:53 IST
Local ID                      25233a48-cd25-4de7-aac4-7f9f4408e881

Raw Audit Messages
type=AVC msg=audit(1670255933.482:488): avc:  denied  { sys_admin } for  pid=29693 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0


Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin

Comment 79 Laurent Rineau 2022-12-08 16:28:45 UTC
Similar problem has been detected:

The issue occured during a dnf update.

hashmarkername: setroubleshoot
kernel:         6.0.10-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 80 Fedora Update System 2022-12-08 22:30:02 UTC
FEDORA-2022-7f1889cc8c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-7f1889cc8c

Comment 81 Fedora Update System 2022-12-08 22:38:41 UTC
FEDORA-2022-7f1889cc8c has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 82 Thomas 2022-12-10 12:28:06 UTC
Similar problem has been detected:

New installation of Fedora 37 on separate root partition
/home partition was pre-existing and used before with Fedora 36
This Bug seems to be documented in https://bugzilla.redhat.com/show_bug.cgi?id=2083900

hashmarkername: setroubleshoot
kernel:         6.0.11-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 83 Thomas 2022-12-10 12:36:14 UTC
(In reply to Fedora Update System from comment #81)
> FEDORA-2022-7f1889cc8c has been pushed to the Fedora 38 stable repository.
> If problem still persists, please make note of it in this bug report.

Will this bug also be fixed in Fedora 37?

Comment 84 Dennis Schridde 2022-12-14 09:16:16 UTC
Similar problem has been detected:

Installed an update and received the SELinux alert.

hashmarkername: setroubleshoot
kernel:         6.0.12-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 85 Chipeng Li 2022-12-15 14:12:46 UTC
Similar problem has been detected:

It happened after I installed gpsd with dnf.

hashmarkername: setroubleshoot
kernel:         6.0.12-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 86 tyudin 2022-12-16 06:29:51 UTC
Similar problem has been detected:

execute:
'sudo dnf upgrade'

hashmarkername: setroubleshoot
kernel:         6.0.12-300.fc37.x86_64
package:        selinux-policy-targeted-37.15-1.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 87 Christian Labisch 2022-12-21 12:55:07 UTC
I have installed and tested SELinux builds 37.17-1.fc37 and 37.17-1.fc37 and with both versions the issue did not appear ... so, it seems to be resolved.

Comment 88 Christian Labisch 2022-12-21 13:00:02 UTC
(In reply to Christian Labisch from comment #87)
> I have installed and tested SELinux builds 37.17-1.fc37 and 37.17-1.fc37 and
> with both versions the issue did not appear ... so, it seems to be resolved.

Typo : I meant versions 37.16-1.fc37 and 37.17-1.fc37 of course ... Sorry, guys !

Comment 89 smirneugene 2023-01-02 08:42:30 UTC
Similar problem has been detected:

I entered "sudo systemctl enable cockpit.socket"

hashmarkername: setroubleshoot
kernel:         6.0.7-301.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 90 frallan 2023-01-16 21:48:04 UTC
Similar problem has been detected:

dont know what happened fairly new to linux

hashmarkername: setroubleshoot
kernel:         6.0.7-301.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 91 naguam 2023-01-20 19:46:08 UTC
The problem is still there with a clean install of fedora 37.

Package and version : selinux-policy-targeted-37.18-1.fc37.noarch

Logs :
[    6.875141] systemd-gpt-auto-generator[515]: Failed to dissect: Permission denied
[    6.921211] systemd[501]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

Kernel version : 6.1.6-200.fc37.x86_64

Comment 92 David Tardon 2023-01-26 11:35:28 UTC
*** Bug 2164078 has been marked as a duplicate of this bug. ***

Comment 93 John Dodson 2023-01-28 09:21:31 UTC
I think I am also seeing this at boot time...
6.1.7-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 18 17:11:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux


systemd-gpt-auto-generator[630]: Failed to dissect: Permission denied
systemd[620]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

Then whenever systemd reloads (each night around 1am?)...
systemd-gpt-auto-generator[179813]: Failed to dissect: Permission denied
systemd[179801]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

next night...
systemd-gpt-auto-generator[355754]: Failed to dissect: Permission denied
systemd[355742]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.


I do not see this on other similar machines. I'll try to work out the differences, but as far as I'm aware
there are none.

Comment 94 Ondrej Mosnáček 2023-01-30 17:49:52 UTC
*** Bug 2141998 has been marked as a duplicate of this bug. ***

Comment 95 John Dodson 2023-01-30 21:01:27 UTC
I must be asleep!
The machine this shows up on is the only one with GPT/EFI boot.

Comment 96 John Dodson 2023-01-30 21:04:32 UTC
There are no selinux errors/denials when systemd reloads & this error occurs.

Comment 97 Adam Batkin 2023-02-07 13:55:31 UTC
Can someone please confirm what package versions (for f37) these fixes are included?

Comment 98 Seth Kenlon 2023-02-10 06:22:54 UTC
Similar problem has been detected:

Unclear. This is a fresh install of Fedora, with barely any use.

hashmarkername: setroubleshoot
kernel:         6.0.7-301.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 99 Michael Cronenworth 2023-03-08 15:21:05 UTC
This has not been fixed yet. The problem still occurs with: selinux-policy-37.19-1.fc37.noarch

Comment 100 Michael Cronenworth 2023-03-08 15:27:29 UTC
Sorry. The upstream bug pointed to policy. This problem is still not fixed as of: systemd-251.13-5.fc37.x86_64

Comment 101 Luigi Cappellazzo 2023-03-08 20:07:11 UTC
Similar problem has been detected:

I know nothing. SELinux alerted me that there was a problem, but I don't know the kind of problem. I was installing LibreOffice with dnfdragora and suddenly I received this notification.
I'm sorry that I cannot give you other information.
Excuse my English but I'm not a native speaker...

hashmarkername: setroubleshoot
kernel:         6.0.7-301.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 102 naguam 2023-03-08 20:23:14 UTC
It is not a selinux problem anymore, even if systemd is still making errors in the dmesg.

The packages
- kernel-6.0.7-301.fc37.x86_64
- selinux-policy-targeted-37.12-2.fc37
are the packages versions at the state at the time of the release of fedora 37.

Please update your system and check again before filing bug reports :)

Comment 103 naguam 2023-03-08 20:23:44 UTC
It is not a selinux problem anymore, even if systemd is still making errors in the dmesg.

The packages
- kernel-6.0.7-301.fc37.x86_64
- selinux-policy-targeted-37.12-2.fc37
are the packages versions at the state at the time of the release of fedora 37.

Please update your system and check again before filing bug reports :)

Comment 104 Adam Batkin 2023-03-08 21:03:06 UTC
(In reply to naguam from comment #103)
> It is not a selinux problem anymore, even if systemd is still making errors
> in the dmesg.

Kernel: kernel-6.1.13-200.fc37.x86_64
SELinux: selinux-policy-targeted-37.19-1.fc37.noarch

[Tue Mar  7 15:21:44 2023] systemd-gpt-auto-generator[731785]: Failed to dissect: Permission denied

This is obviously still an issue. As end-users, we do our best to choose the correct component, and then component owners are free to reassign as appropriate. But since I'm not a systemd, selinux, or kernel developer, I think this is the best information I can provide at this time.

Comment 105 naguam 2023-03-08 21:40:06 UTC
> This is obviously still an issue. As end-users, we do our best to choose the correct component, and then component owners are free to reassign as appropriate. But since I'm not a
> systemd, selinux, or kernel developer, I think this is the best information I can provide at this time.

Your report is good.

I just wanted to point out that some of the recent previous reports were not on an up-to-date system, as the problem is already known on them.

I never said there was no problem anymore
(and this message is already patched in systemd 252, which will be present in Fedora 38; if it is fixed in Fedora 37, it has not come back downstream yet).

And I am an end user as well, it was only an advice to the last reports (and it is a good practice to keep systems up to date for security reasons).

Comment 106 Christian Labisch 2023-03-11 09:45:06 UTC
Everything works as expected on Fedora Linux 38 Workstation (Beta) with kernel 6.2.3-300.fc38 / selinux-policy 38.8-2.fc38 / systemd 253-6.fc38 installed.

Comment 107 John Dodson 2023-03-11 11:21:59 UTC
So at least a month till it gets to,

https://getfedora.org/en/workstation/download/

as a stable release?


Is this release of systemd likely to shed some light on or get rid of the incredibly
obtuse low information systemd log messages like,

systemd[1]: Started run-uNNNN.service - systemd-stdio-bridge

and others or will the writer never realise it looks like "user" NNNN is having a process
run for them by systemd? & scares people or is that the systemd intention?

Comment 108 skye 2023-04-10 17:37:18 UTC
(In reply to Ondrej Mosnacek from comment #15)
> BTW, this seems to be easily reproducible in Beaker by reserving an aarch64
> machine with Fedora (probably needs to be a HW one, not a VM) and running
> `setenforce 1; dnf reinstall -y chrony`.

I can confirm the SE troubleshooter behavior can be reproduced by reinstalling chrony.  This bug is for the SE Troubleshooter behavior that catches users' attention because it's an SELinux GUI error!  It would seem that some timing issue is causing a chain of events leading to correct behavior from SE Troubleshooter; the problem is not with SELinux, it is related to systemd behaviors, but is it really a systemd misbehavior?

Tracing the logs leads back to systemd-sysv-generator, which "creates wrapper .service units for SysV init scripts in /etc/init.d/* at boot and when configuration of the system manager is reloaded."

So the system manager is going to be reloaded?!  We see systemd-sysv-generator logs messages about /etc/rc.d/init.d/livesys lacking a "systemd unit file".  That file exists on my machine, looking at the file it does some interesting things!

Logs to /var/log/messages:

==> /var/log/messages <==
Apr  9 15:37:35 fedora systemd-sysv-generator[45405]: SysV service '/etc/rc.d/init.d/livesys' lacks a native systemd unit file. Automatically generating a unit file for compatibility. Please update package to include a native systemd unit file, in order to make it more safe and robust.
Apr  9 15:37:35 fedora systemd-sysv-generator[45405]: SysV service '/etc/rc.d/init.d/livesys-late' lacks a native systemd unit file. Automatically generating a unit file for compatibility. Please update package to include a native systemd unit file, in order to make it more safe and robust.
Apr  9 15:37:35 fedora audit[45394]: AVC avc:  denied  { sys_admin } for  pid=45394 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Apr  9 15:37:35 fedora systemd-gpt-auto-generator[45394]: Failed to dissect: Permission denied
Apr  9 15:37:35 fedora systemd[45379]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
Apr  9 15:37:39 fedora setroubleshoot[45425]: SELinux is preventing systemd-gpt-aut from using the sys_admin capability. For complete SELinux messages run: sealert -l 07b86680-b133-49cb-85b9-7c47b833100b
Apr  9 15:37:39 fedora setroubleshoot[45425]: SELinux is preventing systemd-gpt-aut from using the sys_admin capability.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that systemd-gpt-aut should have the sys_admin capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut#012# semodule -X 300 -i my-systemdgptaut.pp#012

----

The 'systemd-gpt-auto-generator' is a "unit generator that discovers partitions" but why is it being denied for trying to use 'sys_admin' capability, and what is it trying to do with that capability and why?  I am not sure what systemd-sysv-generator was doing right before that but it was looking for "a native systemd unit file" in /etc/rc.d/init.d/livesys and that file had a few interesting things though I don't know if any of them would lead to the "Permission denied" failure for 'systemd-gpt-auto-generator' to dissect.  Apparently that triggers expected behavior for SETroubleshoot and this "bug":

Apr  9 15:37:37 fedora systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Apr  9 15:37:37 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

From /etc/rc.d/init.d/livesys:

----
    # add liveuser user with no passwd
    action "Adding live user" useradd $USERADDARGS -c "Live System User" liveuser
    passwd -d liveuser > /dev/null
    usermod -aG wheel liveuser > /dev/null

    # Remove root password lock
    passwd -d root > /dev/null

    # turn off firstboot for livecd boots
    systemctl --no-reload disable firstboot-text.service 2> /dev/null || :
    systemctl --no-reload disable firstboot-graphical.service 2> /dev/null || :
    systemctl stop firstboot-text.service 2> /dev/null || :
    systemctl stop firstboot-graphical.service 2> /dev/null || :

    # don't use prelink on a running live image
    sed -i 's/PRELINKING=yes/PRELINKING=no/' /etc/sysconfig/prelink &>/dev/null || :

    # turn off mdmonitor by default
    systemctl --no-reload disable mdmonitor.service 2> /dev/null || :
    systemctl --no-reload disable mdmonitor-takeover.service 2> /dev/null || :
    systemctl stop mdmonitor.service 2> /dev/null || :
    systemctl stop mdmonitor-takeover.service 2> /dev/null || :

    # don't start cron/at as they tend to spawn things which are
    # disk intensive that are painful on a live image
    systemctl --no-reload disable crond.service 2> /dev/null || :
    systemctl --no-reload disable atd.service 2> /dev/null || :
    systemctl stop crond.service 2> /dev/null || :
    systemctl stop atd.service 2> /dev/null || :

    # turn off abrtd on a live image
    systemctl --no-reload disable abrtd.service 2> /dev/null || :
    systemctl stop abrtd.service 2> /dev/null || :

    # Don't sync the system clock when running live (RHBZ #1018162)
    sed -i 's/rtcsync//' /etc/chrony.conf

And:

    # make sure to set the right permissions and selinux contexts
    chown -R liveuser:liveuser /home/liveuser/
    restorecon -R /home/liveuser/
----
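
Triage helper for the AVC records quoted in this thread. This is an added example, not code from the bug report, from systemd or from the SELinux tooling: it parses the raw audit line and the syslog-wrapped form shown above, maps capability=21 to CAP_SYS_ADMIN (the value from <linux/capability.h>), counts denials per source type/class/permission, and prints the allow rule that audit2allow would derive from such a record. The sample log lines are constructed from the ones quoted in comments 78 and 108; the function names are mine. Note that the resulting rule grants the whole CAP_SYS_ADMIN capability to the generator domain, which is far broader than the single dissect operation that failed; the thread's eventual fix is in systemd, not in policy.

```python
"""Parse SELinux AVC denial records and summarise them for triage.

Added example for this bug thread; not code from systemd, setroubleshoot
or the SELinux policy. Function names are the author's own.
"""
import re
from collections import Counter

# CAP_* numbers from <linux/capability.h>; only the one seen in this thread.
CAPABILITY_NAMES = {
    21: "CAP_SYS_ADMIN",
}

# Constructed sample: the raw audit record and the /var/log/messages form
# quoted in the thread, plus one unrelated line that must be ignored.
SAMPLE_LOG = [
    'type=AVC msg=audit(1670255933.482:488): avc:  denied  { sys_admin } for  '
    'pid=29693 comm="systemd-gpt-aut" capability=21  '
    'scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0',
    'Apr  9 15:37:35 fedora audit[45394]: AVC avc:  denied  { sys_admin } for  '
    'pid=45394 comm="systemd-gpt-aut" capability=21  '
    'scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0',
    'Apr  9 15:37:35 fedora systemd-gpt-auto-generator[45394]: Failed to dissect: Permission denied',
]

# "avc: denied { perm perm } for key=value ..." -- values may be double-quoted.
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing an AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    decision, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    rec = {
        "decision": decision,
        "permissions": perms.split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1 means the denial was logged but not enforced.
        "permissive": fields.get("permissive") == "1",
    }
    if "capability" in fields:
        capnum = int(fields["capability"])
        rec["capability"] = capnum
        rec["capability_name"] = CAPABILITY_NAMES.get(capnum, "CAP_%d" % capnum)
    return rec


def context_type(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarise(lines):
    """Count enforced denials per (source type, object class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["permissions"]:
            counts[(context_type(rec["scontext"]), rec["tclass"], perm)] += 1
    return counts


def suggest_rule(rec):
    """Build the allow rule audit2allow derives from one AVC record.

    When source and target types match (as for capability checks, which are
    always against the process itself), the target is written as `self`.
    """
    stype = context_type(rec["scontext"])
    ttype = context_type(rec["tcontext"])
    target = "self" if stype == ttype else ttype
    return "allow %s %s:%s %s;" % (stype, target, rec["tclass"], " ".join(rec["permissions"]))


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).items():
        print("%d x denied %s to %s on class %s" % (n, key[2], key[0], key[1]))
    first = parse_avc(SAMPLE_LOG[0])
    print("capability %d = %s" % (first["capability"], first["capability_name"]))
    print("audit2allow would emit:", suggest_rule(first))
```

Run against a real system with `ausearch -m AVC --raw | python3 avc_triage.py` style piping (reading stdin is left out here so the block stays offline); the counts tell you whether you are looking at one stray denial or, as in this thread, the same rule firing on every daemon-reload.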

Comment 109 zsolt.janosi 2023-09-11 17:44:43 UTC
Similar problem has been detected:

fresh fedora 37 install

hashmarkername: setroubleshoot
kernel:         6.0.7-301.fc37.x86_64
package:        selinux-policy-targeted-37.12-2.fc37.noarch
reason:         SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities.
type:           libreport

Comment 110 Aoife Moloney 2023-11-23 00:11:41 UTC
This message is a reminder that Fedora Linux 37 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 37 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 111 Aoife Moloney 2023-12-05 21:06:46 UTC
Fedora Linux 37 entered end-of-life (EOL) status on None.

Fedora Linux 37 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.
