2298844 – SELinux is preventing systemd-cryptse from read, write, open access on the file /run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63.

Bug 2298844 - SELinux is preventing systemd-cryptse from read, write, open access on the file /run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63.

Summary: SELinux is preventing systemd-cryptse from read, write, open access on the fi...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	40
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:2cae692da644ffbcc441f7d8add...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-19 12:40 UTC by Radek Valasek
Modified:	2024-07-30 01:32 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-40.26-1.fc40
Clone Of:
Environment:
Last Closed:	2024-07-30 01:32:44 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (3.27 KB, text/plain) 2024-07-19 12:40 UTC, Radek Valasek	no flags	Details
File: os_info (734 bytes, text/plain) 2024-07-19 12:40 UTC, Radek Valasek	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 2242	0	None	open	generators update 8	2024-07-19 17:23:56 UTC

Description Radek Valasek 2024-07-19 12:40:43 UTC

Description of problem:
After latest update of packages (not sure what exactly cause it)
SELinux is preventing systemd-cryptse from read, write, open access on the file /run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63 default label should be systemd_unit_file_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd-cryptse should be allowed read write open access on the .#40-device-timeout.conff6799cfd5a438c63 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-cryptse' --raw | audit2allow -M my-systemdcryptse
# semodule -X 300 -i my-systemdcryptse.pp

Additional Information:
Source Context                system_u:system_r:systemd_cryptsetup_generator_t:s
                              0
Target Context                system_u:object_r:systemd_fstab_generator_unit_fil
                              e_t:s0
Target Objects                /run/systemd/generator/dev-mapper-luks\x2d8f513d23
                              \x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/
                              .#40-device-timeout.conff6799cfd5a438c63 [ file ]
Source                        systemd-cryptse
Source Path                   systemd-cryptse
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.24-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.24-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.9.9-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 11 19:29:01 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-07-19 14:34:38 CEST
Last Seen                     2024-07-19 14:34:38 CEST
Local ID                      22d41e06-02c7-4c34-9164-fa719704e75c

Raw Audit Messages
type=AVC msg=audit(1721392478.179:117): avc:  denied  { read write open } for  pid=7973 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63" dev="tmpfs" ino=3264 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=file permissive=0


Hash: systemd-cryptse,systemd_cryptsetup_generator_t,systemd_fstab_generator_unit_file_t,file,read,write,open

Version-Release number of selected component:
selinux-policy-targeted-40.24-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
type:           libreport
package:        selinux-policy-targeted-40.24-1.fc40.noarch
hashmarkername: setroubleshoot
kernel:         6.9.9-200.fc40.x86_64
reason:         SELinux is preventing systemd-cryptse from read, write, open access on the file /run/systemd/generator/dev-mapper-luks\x2d8f513d23\x2d9730\x2d4bfd\x2db813\x2dda5455b029fa.device.d/.#40-device-timeout.conff6799cfd5a438c63.
comment:        After latest update of packages (not sure what exactly cause it)
component:      selinux-policy
component:      selinux-policy

Comment 1 Radek Valasek 2024-07-19 12:40:46 UTC

Created attachment 2039959 [details]
File: description

Comment 2 Radek Valasek 2024-07-19 12:40:47 UTC

Created attachment 2039960 [details]
File: os_info

Comment 3 Fedora Update System 2024-07-23 14:44:10 UTC

FEDORA-2024-391cfa58c2 (selinux-policy-40.25-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-391cfa58c2

Comment 4 Fedora Update System 2024-07-24 03:51:19 UTC

FEDORA-2024-391cfa58c2 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-391cfa58c2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-391cfa58c2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2024-07-26 01:58:58 UTC

FEDORA-2024-f6d12d5c36 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f6d12d5c36`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f6d12d5c36

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2024-07-30 01:32:44 UTC

FEDORA-2024-f6d12d5c36 (selinux-policy-40.26-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.