[ 2.368619] audit: type=1400 audit(1739221014.561:4): avc: denied { getattr } for pid=716 comm="bootc" path="/run/ostree-booted" dev="tmpfs" ino=725 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

I think we want generators to be able to read var_run by default.

Also there are these AVCs from https://artifacts.dev.testing-farm.io/59b8cd94-1a4f-4282-a850-2b010e074547/

----
type=AVC msg=audit(02/10/2025 19:45:58.237:805) : avc: denied { map } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bash dev="nvme0n1p4" ino=3384 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.237:806) : avc: denied { execute } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bash dev="nvme0n1p4" ino=3384 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.243:807) : avc: denied { read } for pid=4083 comm=bootc-systemd-g name=passwd dev="nvme0n1p4" ino=44197 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.243:808) : avc: denied { open } for pid=4083 comm=bootc-systemd-g path=/etc/passwd dev="nvme0n1p4" ino=44197 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.245:809) : avc: denied { getattr } for pid=4083 comm=bootc-systemd-g path=/etc/passwd dev="nvme0n1p4" ino=44197 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.245:810) : avc: denied { getattr } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.245:811) : avc: denied { execute } for pid=4083 comm=bootc-systemd-g name=bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.245:812) : avc: denied { read } for pid=4083 comm=bootc-systemd-g name=bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.247:813) : avc: denied { open } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.247:814) : avc: denied { execute_no_trans } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(02/10/2025 19:45:58.247:815) : avc: denied { map } for pid=4083 comm=bootc path=/usr/bin/bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1

It looks like there are two problems; a generic issue with systemd generators being shell scripts (but shouldn't other things hit that?) and a specific issue with our generator running an install_exec_t binary. For that one I think we should allow it but not do a domain transition.

Reproducible: Always
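As an added illustration (not code from the bug, from bootc or from selinux-policy), a small Python parser that groups the AVC records quoted above by source type, target type and class, renders them as the allow rules audit2allow would propose, and reports whether any record was actually enforced rather than merely logged under permissive=1. The regex and the embedded sample string are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample (hand-copied from the report, not the bug's attachment):
# one kernel-log record and three ausearch records.
SAMPLE_AVCS = """\
[ 2.368619] audit: type=1400 audit(1739221014.561:4): avc: denied { getattr } for pid=716 comm="bootc" path="/run/ostree-booted" dev="tmpfs" ino=725 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/10/2025 19:45:58.237:805) : avc: denied { map } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bash dev="nvme0n1p4" ino=3384 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/10/2025 19:45:58.237:806) : avc: denied { execute } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bash dev="nvme0n1p4" ino=3384 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/10/2025 19:45:58.247:814) : avc: denied { execute_no_trans } for pid=4083 comm=bootc-systemd-g path=/usr/bin/bootc dev="nvme0n1p4" ino=54390 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
"""

# Permission set, source/target contexts, class and permissive flag of one
# record; the fields in between (pid, comm, path, ...) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class) -> set of perms.

    permissive=1 means the access was logged but still granted, so the
    generator keeps working until the domain is put into enforcing mode.
    """
    rules = defaultdict(set)
    enforced = False
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
        if m["permissive"] != "1":
            enforced = True
    return dict(rules), enforced

def to_allow_rules(rules):
    """Render each group as the allow rule audit2allow would propose.
    Allowing execute_no_trans keeps bootc in systemd_generic_generator_t,
    i.e. no domain transition, which is the option the report favours."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]
```

Feeding it the full `ausearch -m AVC` output of a boot gives the same grouping audit2allow would, which is a quick way to see whether a denial is generic to all generators or specific to the bootc one.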
Would it be possible to prioritize this, or revert the bootc change, please? This bug is breaking the installability pipelines in Fedora CI for our packages in multiple Fedora releases for almost a month.
> or revert the bootc change

https://github.com/containers/bootc/pull/1113 includes some argument to drop our use of a generator entirely; I'm somewhat sympathetic. But I'd reiterate again here that this current situation where we're experimenting with confining generators just in Fedora (but not e.g. C10S or below) is creating Fedora-specific bugs and I am not sure there's really sufficient value in confining generators like this and so I think the SELinux policy maintainers should consider backing it out (i.e. making the Fedora status quo == C10S and below).
FEDORA-2025-318eefdd77 (selinux-policy-41.35-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-318eefdd77
FEDORA-2025-318eefdd77 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-318eefdd77` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-318eefdd77 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-a63bd9d838 (selinux-policy-41.36-1.fc42) has been pushed to the Fedora 42 stable repository. If the problem still persists, please make note of it in this bug report.