2270929 – systemd-pcrextend service is not able to create /run/log/systemd/tpm2-measure.log

Bug 2270929 - systemd-pcrextend service is not able to create /run/log/systemd/tpm2-measure.log

Summary: systemd-pcrextend service is not able to create /run/log/systemd/tpm2-measure...

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	42
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-03-22 09:32 UTC by Vitaly Kuznetsov
Modified:	2025-02-26 13:00 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Vitaly Kuznetsov 2024-03-22 09:32:43 UTC

'systemd-pcrextend' is not able to create '/run/log/systemd/tpm2-measure.log' in initramfs (systemd-pcrphase-initrd.service):

Mar 22 09:26:01 vkuznets-f40.1-cvm audit[663]: AVC avc:  denied  { create } for  pid=663 comm="systemd-pcrexte" name="tpm2-measure.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0



Reproducible: Always

Steps to Reproduce:
1. Boot a UKI ('kernel-uki-virt') based Fedora image 
2. Observe AVC denial for systemd-pcrphase-initrd.service (/lib/systemd/systemd-pcrextend binary)
Actual Results:  
AVC denial to create /run/log/systemd/tpm2-measure.log

Expected Results:  
Log creation allowed.

Comment 1 Aoife Moloney 2025-02-26 13:00:20 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.

Note You need to log in before you can comment on or make changes to this bug.