We've been seeing the following AVC denials in the CI tests of Fedora CoreOS. These denials are affecting multiple installation methods, including PXE and ISO installs, both online and offline, in BIOS and UEFI modes. The AVC denials occur even when SELinux is set to permissive mode (enforcing=0).

```
AVC avc: denied { write } for pid=1056 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc: denied { getattr } for pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
AVC avc: denied { getattr } for pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
```

The denials have been observed in the following CoreOS installation configurations:

```
iso-install.bios
iso-offline-install.bios
iso-offline-install.mpath.bios
iso-offline-install-fromram.4k.uefi
miniso-install.bios
miniso-install.nm.bios
miniso-install.4k.nm.uefi
pxe-offline-install.bios
pxe-offline-install.4k.uefi
pxe-online-install.bios
pxe-online-install.4k.uefi
```

Reproducible: Always

Steps to Reproduce:
1. Attempt a Fedora CoreOS install with any of the following methods:
   PXE Online Install (BIOS or UEFI)
   PXE Offline Install (BIOS or UEFI)
   ISO Install (BIOS or UEFI)
   ISO Offline Install (various configurations)
   Minimal ISO Install (various configurations)

Actual Results: AVC denials block CoreOS Installer from creating directories under /etc as well as its ability to interact with udevadm.

Expected Results: SELinux should allow necessary operations during the installation process.
Here's a full list of the avc denials seen during one of these CI tests:

```
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.097:4): avc: denied { getattr } for pid=990 comm="coreos-liveiso-" path="/run/ostree-live" dev="tmpfs" ino=31 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.104:5): avc: denied { execute } for pid=990 comm="coreos-liveiso-" name="jq" dev="loop1" ino=3810 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.106:6): avc: denied { execute_no_trans } for pid=1020 comm="coreos-liveiso-" path="/usr/bin/jq" dev="loop1" ino=3810 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.110:7): avc: denied { map } for pid=1020 comm="jq" path="/usr/bin/jq" dev="loop1" ino=3810 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.121:8): avc: denied { write } for pid=1023 comm="ln" name="generator" dev="tmpfs" ino=600 scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.121:9): avc: denied { add_name } for pid=1023 comm="ln" name="default.target" scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
Aug 16 18:51:40 localhost kernel: audit: type=1400 audit(1723834300.121:10): avc: denied { create } for pid=1023 comm="ln" name="default.target" scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file permissive=1
Aug 16 18:51:40 localhost audit[1056]: AVC avc: denied { write } for pid=1056 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Aug 16 18:51:41 localhost.localdomain audit[1201]: AVC avc: denied { getattr } for pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
Aug 16 18:51:41 localhost.localdomain audit[1201]: AVC avc: denied { getattr } for pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
```

I also ran these tests using the `enforcing=0` karg, but the list of avc denials seems way too large. I'll add it as an attachment to this bug. I'll also add some attachments for the full journal log of two of these tests.

xref to the CoreOS internal tracker for this: https://github.com/coreos/fedora-coreos-tracker/issues/1779
I forgot to mention that this was seen in selinux-policy-41.14-1.fc41
With selinux-policy-41.15-1.fc42.noarch I still see some denials with `permissive=0` in the log message:

```
Sep 02 13:51:25 localhost audit[1153]: AVC avc: denied { write } for pid=1153 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Sep 02 13:51:28 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1343]: AVC avc: denied { getattr } for pid=1343 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4271 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
Sep 02 13:51:28 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com kernel: audit: type=1400 audit(1725285088.645:81): avc: denied { getattr } for pid=1343 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4271 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
Sep 02 13:51:28 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1343]: AVC avc: denied { getattr } for pid=1343 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4271 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
Sep 02 13:51:28 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com kernel: audit: type=1400 audit(1725285088.647:82): avc: denied { getattr } for pid=1343 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4271 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
```

and some with `permissive=1` in the log message:

```
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.666:4): avc: denied { getattr } for pid=1080 comm="coreos-liveiso-" path="/run/ostree-live" dev="tmpfs" ino=31 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.698:5): avc: denied { execute } for pid=1080 comm="coreos-liveiso-" name="jq" dev="loop1" ino=3815 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.702:6): avc: denied { execute_no_trans } for pid=1112 comm="coreos-liveiso-" path="/usr/bin/jq" dev="loop1" ino=3815 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.713:7): avc: denied { map } for pid=1112 comm="jq" path="/usr/bin/jq" dev="loop1" ino=3815 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.738:8): avc: denied { write } for pid=1115 comm="ln" name="generator" dev="tmpfs" ino=801 scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.745:9): avc: denied { add_name } for pid=1115 comm="ln" name="default.target" scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.749:10): avc: denied { create } for pid=1115 comm="ln" name="default.target" scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file permissive=1
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.768:11): avc: denied { write } for pid=1117 comm="touch" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:coreos_installer_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
```

The ones related to `udevadm` prevent us from running. We get an error like this:

```
[   13.759788] coreos-installer-service[1362]: /usr/libexec/coreos-installer-service: line 133: udevadm: command not found^M
[^[[0;1;31mFAILED^[[0m] Failed to start ^[[0;1;39mcoreos-installer.service
```
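The comments above sort the denials by hand into the ones the kernel actually enforced (`permissive=0`, which is what breaks the installer) and the ones it only logged (`permissive=1`). The following script is an added example, not part of this bug report or of coreos-installer: it parses journal lines in the AVC format shown above, groups them by source domain, target type, object class and permission, and flags the groups that were enforced. The sample log embedded in it is constructed from a handful of the records quoted in this report.

```python
import re
from collections import defaultdict

# Constructed sample: a few AVC records in the journal format quoted in this bug.
SAMPLE_LOG = """\
Sep 02 13:51:25 localhost audit[1153]: AVC avc: denied { write } for pid=1153 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Sep 02 13:51:28 host kernel: audit: type=1400 audit(1725285088.645:81): avc: denied { getattr } for pid=1343 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4271 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
Sep 02 13:51:28 host audit[1343]: AVC avc: denied { getattr } for pid=1343 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4271 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
Sep 02 13:51:25 localhost kernel: audit: type=1400 audit(1725285083.698:5): avc: denied { execute } for pid=1080 comm="coreos-liveiso-" name="jq" dev="loop1" ino=3815 scontext=system_u:system_r:coreos_liveiso_autologin_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Sep 02 13:51:25 localhost systemd[1]: Started some-unrelated.service.
"""

# "avc: denied { perm [perm ...] } for key=value ..." ; both the "AVC avc:" and
# the "kernel: audit: ... avc:" journal variants contain this substring.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = tuple(m.group('perms').split())
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {'count': 0, 'enforced': False, 'objects': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec['scontext'].split(':')[2]   # user:role:TYPE:level
        ttype = rec['tcontext'].split(':')[2]
        for perm in rec['perms']:
            g = groups[(stype, ttype, rec['tclass'], perm)]
            g['count'] += 1
            # permissive=0 means the kernel really refused the access.
            g['enforced'] |= rec.get('permissive') == '0'
            g['objects'].add(rec.get('path') or rec.get('name', '?'))
    return groups


def blocking(groups):
    """Only the groups that were enforced, i.e. the ones that can break a boot."""
    return sorted(k for k, g in groups.items() if g['enforced'])
```

Run over the full journal attached to this bug, `blocking()` gives the short list worth sending to the policy maintainers, while the `objects` set answers the "which directory is to be created?" kind of question asked later in the thread.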
Created attachment 2045531: 42-20240902-91-0-iso-install-bios-journal.txt
Hi! Just following up to see if there are any updates on this issue. Please let me know if anything is needed from me to help move it forward. Thanks!
selinux-policy-41.15-1.fc42.noarch is way too old, please try the latest package where some of these issues are fixed and the domain is even permissive so all commands will be executable, or the copr build in https://github.com/fedora-selinux/selinux-policy/pull/2645 (checks -> rpmbuild -> rawhide).

Regarding /run/ostree-live, I need some information like which services are expected to create it and which ones should have other than read access.

This one also requires additional information: which directory is to be created?

```
Sep 02 13:51:25 localhost audit[1153]: AVC avc: denied { write } for pid=1153 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
```
There is a commit with a partial fix, which will be included in the next build. Additional information is needed for the other reported issues.
FEDORA-2025-36084ab074 (selinux-policy-41.38-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-36084ab074
FEDORA-2025-36084ab074 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-36084ab074` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-36084ab074 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-36084ab074 (selinux-policy-41.38-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days