Description of problem:
SELinux is preventing systemd-cryptse from 'search' accesses on the directory dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-cryptse should be allowed search access on the dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-cryptse' --raw | audit2allow -M my-systemdcryptse
# semodule -X 300 -i my-systemdcryptse.pp

Additional Information:
Source Context                system_u:system_r:systemd_cryptsetup_generator_t:s0
Target Context                system_u:object_r:systemd_fstab_generator_unit_file_t:s0
Target Objects                dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d [ dir ]
Source                        systemd-cryptse
Source Path                   systemd-cryptse
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.22-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.22-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.11-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon May 27 14:53:33 UTC 2024 x86_64
Alert Count                   2
First Seen                    2024-06-14 14:11:15 CEST
Last Seen                     2024-06-14 14:11:15 CEST
Local ID                      9fc65896-de26-4157-a590-8801b09c9ca0

Raw Audit Messages
type=AVC msg=audit(1718367075.364:523): avc:  denied  { search } for  pid=15111 comm="systemd-cryptse" name="dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d" dev="tmpfs" ino=3232 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0

Hash: systemd-cryptse,systemd_cryptsetup_generator_t,systemd_fstab_generator_unit_file_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-40.22-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
component:      selinux-policy
reason:         SELinux is preventing systemd-cryptse from 'search' accesses on the directory dev-mapper-luks\x2d41cf8d65\x2daf41\x2d4e50\x2db651\x2dd73a2ce3abea.device.d.
type:           libreport
hashmarkername: setroubleshoot
package:        selinux-policy-targeted-40.22-1.fc40.noarch
kernel:         6.8.11-300.fc40.x86_64
component:      selinux-policy
Created attachment 2037552 File: description
Created attachment 2037553 File: os_info
*** Bug 2292480 has been marked as a duplicate of this bug. ***
*** Bug 2293037 has been marked as a duplicate of this bug. ***
I believe this is fixed in selinux-policy-40.23-1.fc40
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc
FEDORA-2024-f30b2bffdc has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f30b2bffdc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
Hi, I'm getting an almost identical error, except for write access. This is with 40.23 and 40.24. Please let me know if I should post this somewhere else. Thank you.

Output from sealert follows:

SELinux is preventing systemd-cryptse from write access on the directory dev-mapper-luks\x2dvol1.device.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-cryptse should be allowed write access on the dev-mapper-luks\x2dvol1.device.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-cryptse' --raw | audit2allow -M my-systemdcryptse
# semodule -X 300 -i my-systemdcryptse.pp

Additional Information:
Source Context                system_u:system_r:systemd_cryptsetup_generator_t:s0
Target Context                system_u:object_r:systemd_fstab_generator_unit_file_t:s0
Target Objects                dev-mapper-luks\x2dvol1.device.d [ dir ]
Source                        systemd-cryptse
Source Path                   systemd-cryptse
Port                          <Unknown>
Host                          localhost
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.24-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.24-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 6.8.11-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Mon May 27 14:53:33 UTC 2024 x86_64
Alert Count                   2
First Seen                    2024-07-21 15:30:55 PDT
Last Seen                     2024-07-21 15:30:55 PDT
Local ID                      d38e43ad-b9c7-4353-8be5-3281e9179feb

Raw Audit Messages
type=AVC msg=audit(1721601055.839:1348): avc:  denied  { write } for  pid=89179 comm="systemd-cryptse" name="dev-mapper-luks\x2dvol1.device.d" dev="tmpfs" ino=4245 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0

Hash: systemd-cryptse,systemd_cryptsetup_generator_t,systemd_fstab_generator_unit_file_t,dir,write
(In reply to J Soko from comment #9)
> Hi, I'm getting an almost identical error, except for write access. This is
> with 40.23 and 40.24.

I am no longer affected by this as of version 40.26. Thanks for fixing it.