Bug 2192059 - systemd was denied map access on /etc/selinux/targeted/policy/policy.33 when upgrading glibc-2.37-4.fc38.x86_64
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: systemd
Version: 38
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Duplicates: 2192172 2192201 2192206 2192333
Reported: 2023-04-29 05:54 UTC by Matt Fagnani
Modified: 2023-07-17 14:40 UTC

Fixed In Version: systemd-253.5-1.fc38
Last Closed: 2023-07-17 14:40:30 UTC


Links:
Red Hat Bugzilla 2186821 (private: 0, priority: unspecified, status: CLOSED): systemd tries to load SELinux policy when reexecuting (last updated 2023-07-17 13:59:54 UTC)

Description Matt Fagnani 2023-04-29 05:54:00 UTC
I was using Plasma 5.27.4 in a Fedora 38 KDE Plasma installation. I ran sudo dnf offline-upgrade download with updates-testing enabled in Konsole then sudo dnf offline-upgrade reboot. systemd was denied map access on /etc/selinux/targeted/policy/policy.33 when upgrading glibc-2.37-4.fc38.x86_64 during the offline upgrade. The SELinux policy failed to load according to a message in the journal. 

Apr 29 01:20:41 dnf[787]:   Running scriptlet: java-17-openjdk-headless-1:17.0.7.0.7-1.fc38.x86_64    1/1
Apr 29 01:20:45 dnf[787]:   Preparing        :                                                        1/1
Apr 29 01:20:45 dnf[787]:   Upgrading        : glibc-all-langpacks-2.37-4.fc38.x86_64                1/55
Apr 29 01:20:46 dnf[787]:   Upgrading        : glibc-common-2.37-4.fc38.x86_64                       2/55
Apr 29 01:20:46 dnf[787]:   Upgrading        : glibc-gconv-extra-2.37-4.fc38.x86_64                  3/55
Apr 29 01:20:47 dnf[787]:   Running scriptlet: glibc-gconv-extra-2.37-4.fc38.x86_64                  3/55
Apr 29 01:20:47 dnf[787]:   Upgrading        : glibc-langpack-en-2.37-4.fc38.x86_64                  4/55
Apr 29 01:20:47 dnf[787]:   Running scriptlet: glibc-2.37-4.fc38.x86_64                              5/55
Apr 29 01:20:47 dnf[787]:   Upgrading        : glibc-2.37-4.fc38.x86_64                              5/55
Apr 29 01:20:47 systemd[1]: Reexecuting requested from client PID 875 (unit dnf-system-upgrade.service)...
Apr 29 01:20:48 systemd[1]: Reexecuting.
Apr 29 01:20:48 audit: BPF prog-id=45 op=UNLOAD
Apr 29 01:20:48 kernel: audit: type=1334 audit(1682745648.695:73): prog-id=45 op=UNLOAD
Apr 29 01:20:48 audit[1]: AVC avc:  denied  { map } for  pid=1 comm="systemd" path="/etc/selinux/targeted/policy/policy.33" dev="dm-0" ino=3409808 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file permissive=0
Apr 29 01:20:48 kernel: audit: type=1400 audit(1682745648.712:74): avc:  denied  { map } for  pid=1 comm="systemd" path="/etc/selinux/targeted/policy/policy.33" dev="dm-0" ino=3409808 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file permissive=0
Apr 29 01:20:48 systemd[1]: Failed to load new SELinux policy. Continuing with old policy.
Apr 29 01:20:48 systemd[1]: systemd 253.2-1.fc38 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)


Reproducible: Didn't try

Steps to Reproduce:
1. Boot a Fedora 38 KDE Plasma installation
2. Log in to Plasma on Wayland
3. Start Konsole
4. sudo dnf offline-upgrade download (with updates-testing enabled)
5. sudo dnf offline-upgrade reboot
Actual Results:  
systemd was denied map access on /etc/selinux/targeted/policy/policy.33 when upgrading glibc-2.37-4.fc38.x86_64

Expected Results:  
No denials should have happened.

I'm using the targeted policy in enforcing mode. The versions were as follows.
selinux-policy-38.12-1.fc38.noarch
glibc-2.37-4.fc38.x86_64
systemd-253.2-1.fc38.x86_64
kernel-6.2.13-300.fc38.x86_64
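
An added example, not part of the original report and not code from systemd or selinux-policy: a small journal triage script that parses the AVC records quoted above, collapses the kernel echo of the same denial, and flags PID 1 denials on the policy store together with the "Failed to load new SELinux policy" message. The function names are hypothetical and the sample is built from the log lines in this report.

```python
import re

# Constructed sample: the relevant journal lines quoted in the report above.
SAMPLE = '''\
Apr 29 01:20:47 systemd[1]: Reexecuting requested from client PID 875 (unit dnf-system-upgrade.service)...
Apr 29 01:20:48 systemd[1]: Reexecuting.
Apr 29 01:20:48 audit[1]: AVC avc:  denied  { map } for  pid=1 comm="systemd" path="/etc/selinux/targeted/policy/policy.33" dev="dm-0" ino=3409808 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file permissive=0
Apr 29 01:20:48 kernel: audit: type=1400 audit(1682745648.712:74): avc:  denied  { map } for  pid=1 comm="systemd" path="/etc/selinux/targeted/policy/policy.33" dev="dm-0" ino=3409808 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file permissive=0
Apr 29 01:20:48 systemd[1]: Failed to load new SELinux policy. Continuing with old policy.
'''

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = tuple(m.group(2).split())
    return rec

def domain(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def find_policy_reload_denials(journal_text):
    """Flag PID 1 denials on semanage_store_t and note whether the reload failed."""
    lines = journal_text.splitlines()
    reload_failed = any("Failed to load new SELinux policy" in l for l in lines)
    seen, hits = set(), []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        key = (rec.get("pid"), rec["perms"], rec.get("path"), rec.get("scontext"), rec.get("tcontext"))
        if key in seen:  # the kernel type=1400 line repeats the audit[1] record
            continue
        seen.add(key)
        if rec.get("pid") == "1" and domain(rec.get("tcontext", "")) == "semanage_store_t":
            hits.append({"perms": rec["perms"], "path": rec.get("path"),
                         "source": domain(rec.get("scontext", "")), "target": "semanage_store_t",
                         "enforced": rec.get("permissive") == "0", "reload_failed": reload_failed})
    return hits
```

The journal copy of the audit[1] record carries no audit(timestamp:serial) stamp, so the de-duplication here is by field values rather than by audit event ID.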

Comment 1 Ondrej Mosnáček 2023-04-29 20:00:39 UTC
This is the same as 2186821, but for F38 (which has the same upstream systemd version).

Comment 2 Ondrej Mosnáček 2023-04-30 08:53:30 UTC
*** Bug 2192172 has been marked as a duplicate of this bug. ***

Comment 3 Ondrej Mosnáček 2023-04-30 17:04:38 UTC
*** Bug 2192201 has been marked as a duplicate of this bug. ***

Comment 4 Ondrej Mosnáček 2023-04-30 17:05:23 UTC
*** Bug 2192206 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2023-05-02 17:21:41 UTC
*** Bug 2192333 has been marked as a duplicate of this bug. ***

Comment 6 Zbigniew Jędrzejewski-Szmek 2023-07-17 13:59:55 UTC
#2186821 was reported as fixed. Maybe this is fixed in F38 too?

Comment 7 Zdenek Pytela 2023-07-17 14:24:28 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #6)
> #2186821 was reported as fixed. Maybe this is fixed in F38 too?

    f38# systemctl daemon-reexec

does not trigger a denial any longer, so I believe the answer is yes.

    f38# rpm -q systemd
    systemd-253.5-1.fc38.x86_64

Comment 8 Zbigniew Jędrzejewski-Szmek 2023-07-17 14:40:30 UTC
I'll close this then. Thanks for testing.

