Running `fdo-client` on an F38 IoT system fails to make configured changes due to selinux denials: type=AVC msg=audit(1689703785.900:181): avc: denied { getattr } for pid=1279 comm="fdo-client-linu" path="/boot/device-credentials" dev="vda2" ino=24 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 type=AVC msg=audit(1689704283.118:192): avc: denied { getattr } for pid=1522 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Changing to Permissive allows the fdo-client to make the configured changes, sample AVC's listed below(full list attached): type=AVC msg=audit(1689704302.214:197): avc: denied { getattr } for pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.214:198): avc: denied { read } for pid=1534 comm="fdo-client-linu" name="device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.214:199): avc: denied { open } for pid=1534 comm="fdo-client-linu" path="/etc/device-credentials" dev="dm-1" ino=40315 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.286:200): avc: denied { write } for pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.286:201): avc: denied { setattr } for pid=1534 comm="fdo-client-linu" name="hosts" dev="dm-1" ino=37021 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.288:202): avc: denied { read } for pid=1534 comm="fdo-client-linu" name="passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1689704302.288:203): avc: denied { open } for pid=1534 comm="fdo-client-linu" path="/etc/passwd" dev="dm-1" ino=37071 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 Reproducible: Always Steps to Reproduce: 1. Start the fdo-client-linuxapp.service on a host with selinux in enforcing 2. FDO client fails to make configuration changes Expected Results: Configuration changes to the running system.
Created attachment 1976962 [details] fdo-client-avcs
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.