After upgrading to the latest util-linux v2.41, the LiveCD is almost useless due to denied reads:

May 22 09:42:37 localhost-live audit[1348]: AVC avc: denied { read } for pid=1348 comm="firewalld" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:48 localhost-live audit[2484]: AVC avc: denied { read } for pid=2484 comm="sssd_kcm" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:49 localhost-live audit[2515]: AVC avc: denied { read } for pid=2515 comm="systemd-localed" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:50 localhost-live audit[2562]: AVC avc: denied { read } for pid=2562 comm="pkla-check-auth" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:50 localhost-live audit[2555]: AVC avc: denied { read } for pid=2555 comm="geoclue" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:51 localhost-live audit[2555]: AVC avc: denied { read } for pid=2555 comm="geoclue" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:42:54 localhost-live audit[2765]: AVC avc: denied { read } for pid=2765 comm="pkla-check-auth" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:43:01 localhost-live audit[2607]: AVC avc: denied { read } for pid=2607 comm="wpa_supplicant" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1
May 22 09:43:18 localhost-live audit[2270]: AVC avc: denied { read } for pid=2270 comm="cupsd" path="/LiveOS/squashfs.img" dev="sr0" ino=4294 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=file permissive=1

I believe the issue is related to https://bugzilla.redhat.com/show_bug.cgi?id=2367956.

Reproducible: Always
Hi Karel, in the denials there is permissive=1 indicating the system was in permissive mode. Did you change it intentionally in order to get all denials?
Additional question: Do you happen to know what changed in util-linux v2.41 leading to these denials? I can't see anything at first glance: https://www.kernel.org/pub/linux/utils/util-linux/v2.41/v2.41-ReleaseNotes
The log is from a system booted with enforcing=0 on the kernel command line. The only relevant thing in the update is that there is no loop device, but a directly mounted image. See #2367956.
Hey team, do you need more logs or anything else? The issue is with the block on the util-linux upgrade, and it's affecting other Rawhide plans like the migration to lastlog2.
No more logs, rather more insights and background. Reading files with iso9660_t directly just does not feel right.