Description of problem:
I ran a dnf offline upgrade in a Fedora 41 KDE installation. The update contained selinux-policy-41.16-2.fc41. While the posttransaction scriptlets ran and the SELinux policy reloaded, restorecon was denied relabelling /etc/mdevctl.d/scripts.d.

Sep 10 22:42:46 kernel: SELinux: Converting 379 SID table entries...
Sep 10 22:42:46 kernel: SELinux: policy capability network_peer_controls=1
Sep 10 22:42:46 kernel: SELinux: policy capability open_perms=1
Sep 10 22:42:46 kernel: SELinux: policy capability extended_socket_class=1
Sep 10 22:42:46 kernel: SELinux: policy capability always_check_network=0
Sep 10 22:42:46 kernel: SELinux: policy capability cgroup_seclabel=1
Sep 10 22:42:46 kernel: SELinux: policy capability nnp_nosuid_transition=1
Sep 10 22:42:46 kernel: SELinux: policy capability genfs_seclabel_symlinks=1
Sep 10 22:42:46 kernel: SELinux: policy capability ioctl_skip_cloexec=0
Sep 10 22:42:46 kernel: SELinux: policy capability userspace_initial_context=0
Sep 10 22:42:46 kernel: audit: type=1403 audit(1726022566.426:73): auid=4294967295 ses=4294967295 lsm=selinux res=1
Sep 10 22:42:46 kernel: audit: type=1300 audit(1726022566.426:73): arch=c000003e syscall=1 success=yes exit=3786467 a0=4 a1=7fa2d4000000 a2=39c6e3 a3=0 items=0 ppid=1162 pid=1177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0 key=(null)
Sep 10 22:42:46 kernel: audit: type=1327 audit(1726022566.426:73): proctitle="load_policy"
Sep 10 22:42:46 audit: MAC_POLICY_LOAD auid=4294967295 ses=4294967295 lsm=selinux res=1
Sep 10 22:42:46 audit[1177]: SYSCALL arch=c000003e syscall=1 success=yes exit=3786467 a0=4 a1=7fa2d4000000 a2=39c6e3 a3=0 items=0 ppid=1162 pid=1177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0 key=(null)
Sep 10 22:42:46 audit: PROCTITLE proctitle="load_policy"
Sep 10 22:42:47 audit[1668]: AVC avc: denied { relabelto } for pid=1668 comm="restorecon" name="scripts.d" dev="dm-0" ino=3409842 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=dir permissive=0
Sep 10 22:42:47 audit[1668]: SYSCALL arch=c000003e syscall=189 success=no exit=-13 a0=7ffcf7fdabe0 a1=7f5e7a851197 a2=555cb5fc89b0 a3=24 items=0 ppid=1179 pid=1668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0 key=(null)
Sep 10 22:42:47 audit: PROCTITLE proctitle=2F7362696E2F726573746F7265636F6E002D65002F737973002D65002F70726F63002D65002F6D6E74002D65002F7661722F746D70002D65002F686F6D65002D65002F726F6F74002D65002F746D70002D69002D52002D66002D
Sep 10 22:42:47 kernel: audit: type=1400 audit(1726022567.457:74): avc: denied { relabelto } for pid=1668 comm="restorecon" name="scripts.d" dev="dm-0" ino=3409842 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=dir permissive=0
Sep 10 22:42:47 kernel: audit: type=1300 audit(1726022567.457:74): arch=c000003e syscall=189 success=no exit=-13 a0=7ffcf7fdabe0 a1=7f5e7a851197 a2=555cb5fc89b0 a3=24 items=0 ppid=1179 pid=1668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0 key=(null)
Sep 10 22:42:47 kernel: audit: type=1327 audit(1726022567.457:74): proctitle=2F7362696E2F726573746F7265636F6E002D65002F737973002D65002F70726F63002D65002F6D6E74002D65002F7661722F746D70002D65002F686F6D65002D65002F726F6F74002D65002F746D70002D69002D52002D66002D

On the boot after the update, /etc/mdevctl.d/scripts.d was labelled etc_t

ls -laZ /etc/mdevctl.d/scripts.d
total 8
drwxr-xr-x. 2 root root system_u:object_r:etc_t:s0 4096 Jan 13 2024 .
drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0 4096 Jul 17 20:00 ..

I reproduced the denial with restorecon as follows.

sudo restorecon -v /etc/mdevctl.d/scripts.d
restorecon: Could not set context for /etc/mdevctl.d/scripts.d: Permission denied

restorecon was trying to relabel /etc/mdevctl.d/scripts.d to mdevctl_conf_t, which doesn't appear to be a valid label according to seinfo -afile_type -x

selinux-policy-41.16-1 has "- Label /etc/mdevctl.d with mdevctl_conf_t" in its changelog https://koji.fedoraproject.org/koji/buildinfo?buildID=2543757

The upstream change looks like https://github.com/fedora-selinux/selinux-policy/commit/1d355565fafbf2a4534fb34a9de6a270f9822b96

SELinux is preventing restorecon from 'relabelto' accesses on the directory /etc/mdevctl.d/scripts.d.

***** Plugin associate (99.5 confidence) suggests *************************

If you want to change the label of /etc/mdevctl.d/scripts.d to mdevctl_conf_t, you are not allowed to since it is not a valid file type.
Then you must pick a valid file label.
Do
select a valid file type. List valid file labels by executing:
# seinfo -afile_type -x

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that restorecon should be allowed relabelto access on the scripts.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'restorecon' --raw | audit2allow -M my-restorecon
# semodule -X 300 -i my-restorecon.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mdevctl_conf_t:s0
Target Objects                /etc/mdevctl.d/scripts.d [ dir ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-41.16-2.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.16-2.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.11.0-0.rc7.56.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 9 14:38:40 UTC 2024 x86_64
Alert Count                   1
First Seen                    2024-09-10 22:54:59 EDT
Last Seen                     2024-09-10 22:54:59 EDT
Local ID                      922976b2-7388-42cb-9756-7f9da1b367c0

Raw Audit Messages
type=AVC msg=audit(1726023299.927:398): avc: denied { relabelto } for pid=3771 comm="restorecon" name="scripts.d" dev="dm-0" ino=3409842 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=dir permissive=0

Hash: restorecon,unconfined_t,mdevctl_conf_t,dir,relabelto

Version-Release number of selected component:
selinux-policy-targeted-41.16-2.fc41.noarch

Additional info:
reporter: libreport-2.17.15
hashmarkername: setroubleshoot
type: libreport
kernel: 6.11.0-0.rc7.56.fc41.x86_64
component: selinux-policy
package: selinux-policy-targeted-41.16-2.fc41.noarch
reason: SELinux is preventing restorecon from 'relabelto' accesses on the directory /etc/mdevctl.d/scripts.d.
component: selinux-policy
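The report above shows the two pieces of evidence a responder needs from the audit log: the AVC record (which gives the source type, the target type, the object class and the denied permission) and the PROCTITLE record, which the kernel hex-encodes because the argv contains NUL separators. The following is an added example, not code from the report or from selinux-policy: it parses AVC lines, decodes the hex PROCTITLE, builds the same comm,source,target,class,permission signature that the setroubleshoot "Hash:" line uses, and flags relabelto denials whose target type is not a file type, which is the exact diagnosis the associate plugin gave here. The sample log lines are copied from the report; FILE_TYPES is a constructed stand-in for the type list a real system gets from `seinfo -afile_type -x`.

```python
"""Parse SELinux AVC denials, decode hex PROCTITLE records and flag relabelto
denials whose target type is not a file type.

Added example; not part of the bug report or of selinux-policy. The sample
lines are copied from the report above. FILE_TYPES is a constructed stand-in
for the output of `seinfo -afile_type -x` on the affected machine.
"""
import re

# Constructed sample input: two AVC records and two PROCTITLE records from the report.
SAMPLE_LOG = """\
Sep 10 22:42:47 audit[1668]: AVC avc: denied { relabelto } for pid=1668 comm="restorecon" name="scripts.d" dev="dm-0" ino=3409842 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=dir permissive=0
Sep 10 22:42:47 audit: PROCTITLE proctitle=2F7362696E2F726573746F7265636F6E002D65002F737973002D65002F70726F63002D65002F6D6E74002D65002F7661722F746D70002D65002F686F6D65002D65002F726F6F74002D65002F746D70002D69002D52002D66002D
Sep 10 22:42:46 audit: PROCTITLE proctitle="load_policy"
type=AVC msg=audit(1726023299.927:398): avc: denied { relabelto } for pid=3771 comm="restorecon" name="scripts.d" dev="dm-0" ino=3409842 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=dir permissive=0
"""

# Constructed stand-in for the types that carry the file_type attribute.
# mdevctl_conf_t is deliberately absent, as it was in selinux-policy 41.16.
FILE_TYPES = {"etc_t", "bin_t", "lib_t", "var_t", "home_root_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
PROCTITLE_RE = re.compile(r'proctitle=(?P<val>"[^"]*"|[0-9A-Fa-f]+)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type component of a context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def decode_proctitle(line):
    """Decode a PROCTITLE record. The kernel hex-encodes the value when it holds
    non-printable bytes (the NUL separators between argv entries); a quoted value
    is already plain text. Returns None for lines that are not PROCTITLE records."""
    m = PROCTITLE_RE.search(line)
    if not m:
        return None
    val = m.group("val")
    if val.startswith('"'):
        return val.strip('"')
    # argv entries are NUL-separated; the record on the page is cut off mid-argument,
    # so the last entry comes out as a bare "-".
    return " ".join(a.decode("utf-8", "replace") for a in bytes.fromhex(val).split(b"\x00"))


def signature(rec):
    """setroubleshoot-style signature: comm,source type,target type,class,permission."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], rec["perms"][0]])


def invalid_relabel_targets(log_text, file_types):
    """Signatures of relabelto denials whose target type is not a file type: the
    label exists in the policy but no file object is permitted to carry it."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "relabelto" in rec["perms"] and rec["ttype"] not in file_types:
            found.append(signature(rec))
    return found


def decoded_commands(log_text):
    """Decoded command lines of every PROCTITLE record in the log."""
    return [c for c in (decode_proctitle(l) for l in log_text.splitlines()) if c is not None]


if __name__ == "__main__":
    for sig in invalid_relabel_targets(SAMPLE_LOG, FILE_TYPES):
        print("relabelto target is not a file type:", sig)
    for cmd in decoded_commands(SAMPLE_LOG):
        print("command:", cmd)
```

On a real host, replace SAMPLE_LOG with `ausearch -m AVC,PROCTITLE --raw` output and FILE_TYPES with the parsed `seinfo -afile_type -x` list; once the policy with the fix is installed, mdevctl_conf_t appears in that list and the same denial no longer reports as an invalid target.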
Created attachment 2046224
File: os_info
Created attachment 2046225
File: description
I updated to selinux-policy-41.17-1.fc41 from https://koji.fedoraproject.org/koji/buildinfo?buildID=2545219 which has the patch "Make mdevctl_conf_t member of the files_type attribute" https://github.com/fedora-selinux/selinux-policy/pull/2348

/etc/mdevctl.d/scripts.d was still labelled etc_t after updating selinux-policy-41.17-1.fc41. restorecon relabelled /etc/mdevctl.d/scripts.d to mdevctl_conf_t without the denial.

sudo restorecon -v /etc/mdevctl.d/scripts.d
Relabeled /etc/mdevctl.d/scripts.d from system_u:object_r:etc_t:s0 to system_u:object_r:mdevctl_conf_t:s0
(In reply to Matt Fagnani from comment #3)
> I updated to selinux-policy-41.17-1.fc41 from
> https://koji.fedoraproject.org/koji/buildinfo?buildID=2545219 which has the
> patch Make mdevctl_conf_t member of the files_type attribute
> https://github.com/fedora-selinux/selinux-policy/pull/2348
> /etc/mdevctl.d/scripts.d was still labelled etc_t after updating
> selinux-policy-41.17-1.fc41. restorecon relabelled /etc/mdevctl.d/scripts.d
> to mdevctl_conf_t without the denial.
>
> sudo restorecon -v /etc/mdevctl.d/scripts.d
> Relabeled /etc/mdevctl.d/scripts.d from system_u:object_r:etc_t:s0 to
> system_u:object_r:mdevctl_conf_t:s0

This can happen in some update paths, so I forced a restorecon on this dir temporarily.
FEDORA-2024-c412f251f5 (selinux-policy-41.19-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c412f251f5
FEDORA-2024-c412f251f5 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c412f251f5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c412f251f5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c412f251f5 (selinux-policy-41.19-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.