Description of problem:
On every boot since the upgrade from F36 to F37 beta there is an error in the dmesg logs:

    [ 6.766101] systemd-gpt-auto-generator[786]: Failed to dissect: Permission denied
    [ 6.766295] systemd[772]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

Version-Release number of selected component (if applicable):
kernel-6.0.7-301.fc37.x86_64
systemd-251.8-586.fc37.x86_64
selinux-policy-37.14-1.fc37.noarch

How reproducible:
100%

Steps to Reproduce:
1. Boot the system
2. Check dmesg logs

Actual results:

    [ 6.346458] systemd[1]: Detected architecture x86-64.
    [ 6.346885] Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
    [ 6.708593] systemd[1]: bpf-lsm: LSM BPF program attached
    [ 6.766101] systemd-gpt-auto-generator[786]: Failed to dissect: Permission denied
    [ 6.766295] systemd[772]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
    [ 6.774119] zram: Added device: zram0

Expected results:
No errors present

Additional info:
Unlike https://bugzilla.redhat.com/show_bug.cgi?id=2134121 there are no, nor were there ever, SELinux AVC denied errors.
Could you run the following command as root and attach gpt-auto-generator.strace here?

    # strace -y -k -Z -o gpt-auto-generator.strace /usr/lib/systemd/system-generators/systemd-gpt-auto-generator /tmp /tmp /tmp
Created attachment 1924180: strace desktop

Please find the strace from my desktop. I have the same error on my laptop; let me know if an strace from it would help.
This is very likely caused by SELinux, moving to selinux-policy. In the meantime, please attach output of "ausearch -ts recent -m avc" after you boot up.
Hm, it indeed looks like SELinux, but it does not trigger notifications for some reason, although I'm getting other SELinux alerts. Your query didn't return anything, but there are the following records in the SELinux troubleshooter:

    Source Context          system_u:system_r:systemd_gpt_generator_t:s0
    Target Context          system_u:system_r:systemd_gpt_generator_t:s0
    Target Objects          Unknown [ capability ]
    Source                  systemd-gpt-aut
    Source Path             systemd-gpt-aut
    Port                    <Unknown>
    Host                    wasp-blackquiet.hive
    Source RPM Packages
    Target RPM Packages
    SELinux Policy RPM      selinux-policy-targeted-37.12-2.fc37.noarch
    Local Policy RPM        selinux-policy-targeted-37.12-2.fc37.noarch
    Selinux Enabled         True
    Policy Type             targeted
    Enforcing Mode          Enforcing
    Host Name               wasp-blackquiet.hive
    Platform                Linux wasp-blackquiet.hive 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64
    Alert Count             18
    First Seen              2022-10-27 13:26:39 CEST
    Last Seen               2022-11-13 19:52:00 CET
    Local ID                e176615b-257c-484c-badf-ac55d4700fce

    Raw Audit Messages
    type=AVC msg=audit(1668365520.248:393): avc: denied { sys_admin } for pid=16141 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0

    Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin
This broke auto creation of mount units for other file systems upon upgrade to Fedora 37 for me. Hopefully https://github.com/fedora-selinux/selinux-policy/pull/1468 will fix this.
Outcome of today's meeting with Michal Sekletar:
An upstream systemd issue was created: https://github.com/systemd/systemd/issues/25528
For the time being, selinux-policy will dontaudit the capability. It unfortunately means there will be errors in the journal logged.

This is a captured traceback:

    ffffffffa860cf8d avc_audit_post_callback+0x1ed ([kernel.kallsyms])
    ffffffffa860cf8d avc_audit_post_callback+0x1ed ([kernel.kallsyms])
    ffffffffa8630ed5 common_lsm_audit+0x155 ([kernel.kallsyms])
    ffffffffa860e06e slow_avc_audit+0x9e ([kernel.kallsyms])
    ffffffffa8612796 cred_has_capability.isra.0+0x106 ([kernel.kallsyms])
    ffffffffa860887d security_capable+0x3d ([kernel.kallsyms])
    ffffffffa80fed7f capable+0x2f ([kernel.kallsyms])
    ffffffffa869925e blkpg_do_ioctl+0x4e ([kernel.kallsyms])
    ffffffffa8699ffb blkdev_ioctl+0x24b ([kernel.kallsyms])
    ffffffffa83deccd __x64_sys_ioctl+0x8d ([kernel.kallsyms])
    ffffffffa8ddf158 do_syscall_64+0x58 ([kernel.kallsyms])
    ffffffffa8e0009b entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms])
    1035cf __GI___ioctl+0x3f (/usr/lib64/libc.so.6)
    8fee4 block_device_add_partition+0x114 (/usr/lib64/systemd/libsystemd-shared-25>
    d8c8a dissect_image.lto_priv.0+0xeaa (/usr/lib64/systemd/libsystemd-shared-252.>
    e1135 dissect_loop_device+0xa5 (/usr/lib64/systemd/libsystemd-shared-252.1-588.>
    312c enumerate_partitions+0x8cc (inlined)
    312c add_mounts+0x8cc (inlined)
    312c run+0x8cc (inlined)
    312c main+0x8cc (/usr/lib/systemd/system-generators/systemd-gpt-auto-generator)
    27a8f __libc_start_call_main+0x7f (/usr/lib64/libc.so.6)
    27b48 __libc_start_main_alias_2+0x88 (inlined)
    3d24 _start+0x24 (/usr/lib/systemd/system-generators/systemd-gpt-auto-generato>
(In reply to Quintin Hill from comment #5)
> This broke auto creation of mount units for other file systems upon upgrade
> to Fedora 37 for me. Hopefully
> https://github.com/fedora-selinux/selinux-policy/pull/1468 will fix this.

This bz is about a systemd-gpt-generator issue requesting the sys_admin capability. How is a problem of mount units creation related? Do you have any AVC denials?
Well, without this capability it is failing with a permission denied error:

    Nov 25 21:47:47 quintin audit[2769]: AVC avc: denied { sys_admin } for pid=2769 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=c>
    Nov 25 21:47:47 quintin systemd-gpt-auto-generator[2769]: Failed to dissect: Permission denied
    Nov 25 21:47:47 quintin systemd[2757]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

Mount units aren't generated for me, presumably because of the "Failed to dissect: Permission denied".
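The journal lines in the comment above pair an AVC denial with the generator failure; once the policy dontaudits the capability, as described earlier in the thread, the failure is logged with no AVC record. The following is an added example, not code from this bug report or from any project mentioned in it, that separates the two cases by PID; the host name and the sample lines are constructed, and matching by PID assumes the log covers a single boot.

```python
import re

# Constructed sample journal lines, modelled on the ones quoted in this thread.
SAMPLE = """\
Nov 25 21:47:47 host audit[2769]: AVC avc:  denied  { sys_admin } for  pid=2769 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Nov 25 21:47:47 host systemd-gpt-auto-generator[2769]: Failed to dissect: Permission denied
Dec 17 12:45:37 host systemd-gpt-auto-generator[1927]: Failed to dissect: Permission denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_RE = re.compile(r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: Failed to dissect: Permission denied")


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def classify(journal_text):
    """Label each 'Failed to dissect' line by whether an AVC denial exists for its PID."""
    denials, failures = {}, []
    for line in journal_text.splitlines():
        avc = parse_avc(line)
        if avc and "pid" in avc:
            denials.setdefault(avc["pid"], []).append(avc)
            continue
        f = FAIL_RE.search(line)
        if f:
            failures.append((f.group("pid"), f.group("prog")))
    report = []
    for pid, prog in failures:
        recs = denials.get(pid, [])
        report.append({
            "pid": pid,
            "prog": prog,
            # No AVC record does not rule out SELinux: a dontaudit rule hides the denial.
            "status": "audited-denial" if recs else "no-avc-record",
            "perms": sorted({p for r in recs for p in r["perms"]}),
            "scontext": recs[0].get("scontext") if recs else None,
        })
    return report


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

For a failure reported as `no-avc-record`, rebuilding the policy with `semodule -DB` temporarily disables dontaudit rules so that a hidden denial is logged; `semodule -B` restores them.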
The failure is for gpt-auto-generator, I expect mount units created by fstab-generator, that's why I asked for avc denials.

    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
No, systemd-gpt-auto-generator definitely creates mount units (as does systemd-fstab-generator). From the man page:

    systemd-gpt-auto-generator is a unit generator that automatically discovers root, /home/, /srv/, /var/, /var/tmp/, the EFI System Partition, the Extended Boot Loader Partition and swap partitions and creates mount and swap units for them, based on the partition type GUIDs of GUID partition tables (GPT)

Anyway, it looks like the real fix of this issue is a backport of https://github.com/systemd/systemd/pull/25580 to systemd 251 (the pull request is labelled for backport).
Also this is really the same bug as https://bugzilla.redhat.com/show_bug.cgi?id=2083900.
FEDORA-2022-76a7b9bf91 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-76a7b9bf91
FEDORA-2022-76a7b9bf91 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-76a7b9bf91` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-76a7b9bf91 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
I didn't get an SELinux alert during the dnf update (although there were no "big" packages updated lately), but I still get an error in dmesg during boot:

    [ 6.845073] systemd-gpt-auto-generator[798]: Failed to dissect: Permission denied
    [ 6.845286] systemd[784]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

    $ rpm -q selinux-policy
    selinux-policy-37.16-1.fc37.noarch
FEDORA-2022-76a7b9bf91 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
I'm not sure if the issue was supposed to be fixed. The SELinux alerts are gone, but dmesg still has the original issue even with this morning's systemd update:

    [ 5.856022] systemd[1]: bpf-lsm: Failed to load BPF object: No such process
    [ 5.882105] usb 5-4.5: new high-speed USB device number 7 using xhci_hcd
    [ 5.906216] systemd-gpt-auto-generator[789]: Failed to dissect: Permission denied
    [ 5.915611] zram: Added device: zram0
    [ 5.915873] systemd[775]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

    $ rpm -q selinux-policy
    selinux-policy-37.16-1.fc37.noarch
    $ rpm -q systemd
    systemd-251.9-587.fc37.x86_64
I'm still getting this error in the logs:

    Dec 17 12:45:37 fedora systemd-gpt-auto-generator[1927]: Failed to dissect: Permission denied
    Dec 17 12:45:37 fedora systemd[1913]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

    $ rpm -q selinux-policy
    selinux-policy-37.16-1.fc37.noarch
Still present in:

    $ rpm -q selinux-policy
    selinux-policy-37.17-1.fc37.noarch
Still present for me too

    > rpm -q selinux-policy
    selinux-policy-37.17-1.fc37.noarch
It's present in the logs for me too

    systemd-gpt-auto-generator[704]: Failed to dissect: Permission denied
    systemd[690]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
Still present in my system:

    rpm -q selinux-policy
    selinux-policy-37.18-1.fc37.noarch

    Jan 30 18:18:53 fedora systemd-gpt-auto-generator[665]: Failed to dissect: Permission denied
    Jan 30 18:18:53 fedora kernel: zram: Added device: zram0
    Jan 30 18:18:53 fedora systemd[651]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
*** This bug has been marked as a duplicate of bug 2083900 ***
Is this actually a dupe of 2083900? The error message appears to be different, this issue is "Failed to dissect: Permission denied" and that one is "SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities" I see the former message on my system quite frequently, but no trace of the latter (at least not within the last month).
I missed that it was closed, as I also disagree that it's a duplicate. SELinux issue was resolved, as there are no selinux errors, but the issue persists to this day with latest kernel 6.1.10, selinux-policy-37.19-1 and systemd-251.11-1
This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 37 entered end-of-life (EOL) status on None. Fedora Linux 37 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.