Bug 2374337 - On boot SELinux denies certain actions of ostree & bootupctl
Summary: On boot SELinux denies certain actions of ostree & bootupctl
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 42
Hardware: x86_64
OS: Linux
Severity: medium
Priority: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-23 15:28 UTC by kimchidachi
Modified: 2025-12-11 04:25 UTC (History)
CC List: 7 users

Fixed In Version: selinux-policy-42.5-1.fc42
Clone Of:
Environment:
Last Closed: 2025-08-12 00:57:10 UTC
Type: ---
Embargoed:
zpytela: mirror+




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 2815 | 0 | None | open | Update policy for bootupd | 2025-08-04 14:53:52 UTC
Red Hat Issue Tracker | FC-1747 | 0 | None | None | None | 2025-06-25 07:01:44 UTC

Description kimchidachi 2025-06-23 15:28:25 UTC
Essentially each time Fedora IoT is restarted SELinux will deny 'ostree' and 'bootupctl' with the following:

SELinux is preventing bootupctl from execute access on the file ostree.
SELinux is preventing bootupctl from 'read, open' accesses on the file /usr/bin/ostree.
SELinux is preventing bootupctl from execute_no_trans access on the file /usr/bin/ostree.
SELinux is preventing ostree from map access on the file /usr/bin/ostree.
SELinux is preventing ostree from write access on the directory objects.
SELinux is preventing ostree from getattr access on the file /run/ostree-booted.
SELinux is preventing ostree from remount access on the filesystem.



Reproducible: Always

Steps to Reproduce:
1. Install a fresh Fedora IoT 42 version via anaconda on x86_64
2. Install Cockpit via the official guide by the cockpit team (potentially optional)
3. Update to at least: 42.20250622.0
4. On reboot you should see SELinux denied entries in the log

Actual Results:

No actual issue but it does concern me that it's blocking certain ostree & bootupctl access.


Expected Results:
Should be no denials by SELinux on 'ostree' and 'bootupctl'.


Additional Information:
Here's each deny entry with its respective log:

SELinux is preventing bootupctl from execute access on the file ostree.
-------
type=AVC msg=audit(1750690256.910:81): avc: denied { execute } for pid=892 comm="bootupctl" name="ostree" dev="overlay" ino=3797 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
-------

SELinux is preventing bootupctl from 'read, open' accesses on the file /usr/bin/ostree.
-------
type=AVC msg=audit(1750690256.910:82): avc: denied { read open } for pid=892 comm="bootupctl" path="/usr/bin/ostree" dev="overlay" ino=3797 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
--------

SELinux is preventing bootupctl from execute_no_trans access on the file /usr/bin/ostree.
--------
type=AVC msg=audit(1750690256.912:83): avc: denied { execute_no_trans } for pid=892 comm="bootupctl" path="/usr/bin/ostree" dev="overlay" ino=3797 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
--------

SELinux is preventing ostree from map access on the file /usr/bin/ostree.
--------
type=AVC msg=audit(1750690256.913:84): avc: denied { map } for pid=892 comm="ostree" path="/usr/bin/ostree" dev="overlay" ino=3797 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
--------

SELinux is preventing ostree from write access on the directory objects.
--------
type=AVC msg=audit(1750690256.926:85): avc: denied { write } for pid=892 comm="ostree" name="objects" dev="nvme0n1p3" ino=276 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
--------

SELinux is preventing ostree from getattr access on the file /run/ostree-booted.
--------
type=AVC msg=audit(1750690256.927:86): avc: denied { getattr } for pid=892 comm="ostree" path="/run/ostree-booted" dev="tmpfs" ino=983 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
--------

SELinux is preventing ostree from remount access on the filesystem.
--------
type=AVC msg=audit(1750690256.927:87): avc: denied { remount } for pid=892 comm="ostree" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
--------

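The AVC records in the report can be reduced to the allow rules a policy change would need, grouped by source type, target type and object class. The following is an added example, not code from the bug report or from selinux-policy: it does in a few lines what audit2allow does in spirit, using four of the reporter's records above as constructed input, and it also reads the permissive=1 field, which shows these denials were logged but not actually enforced (consistent with the reporter seeing "no actual issue").

```python
import re
from collections import defaultdict

# Constructed input: four AVC records copied from the bug report above.
AVC_LINES = """\
type=AVC msg=audit(1750690256.910:81): avc: denied { execute } for pid=892 comm="bootupctl" name="ostree" dev="overlay" ino=3797 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750690256.910:82): avc: denied { read open } for pid=892 comm="bootupctl" path="/usr/bin/ostree" dev="overlay" ino=3797 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750690256.927:86): avc: denied { getattr } for pid=892 comm="ostree" path="/run/ostree-booted" dev="tmpfs" ino=983 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750690256.927:87): avc: denied { remount } for pid=892 comm="ostree" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
"""

# Permissions sit inside { }, then the contexts and class follow as key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type:level; the type is what allow rules use.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }

def summarize(text):
    """Merge all denials by (source type, target type, class).

    Also report whether every record was logged in permissive mode, i.e.
    the access went ahead and only an audit entry was produced.
    """
    needed = defaultdict(set)
    all_permissive = True
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        all_permissive = all_permissive and rec["permissive"]
    return needed, all_permissive

def allow_rules(needed):
    """Render one allow rule per (source, target, class) with sorted permissions."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]
```

Rules generated this way are a starting point for reading the denial, not a policy to install as-is; the actual fix in selinux-policy-42.5-1.fc42 relabels /run/ostree-booted rather than simply allowing bootupd_t everything it asked for.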
Comment 1 Zdenek Pytela 2025-08-04 14:53:53 UTC
Hi,

Can you try scratchbuild from
https://github.com/fedora-selinux/selinux-policy/pull/2815
Checks -> rawhide?

So far /run/ostree-booted had a special label assigned only for a socket type, I've changed it now, but not sure if this is enough.

Comment 2 Fedora Update System 2025-08-10 20:19:30 UTC
FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1

Comment 3 Fedora Update System 2025-08-11 01:00:13 UTC
FEDORA-2025-dde3c4a0f1 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-dde3c4a0f1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2025-08-12 00:57:10 UTC
FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 5 Red Hat Bugzilla 2025-12-11 04:25:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

