Bug 2385046 - SELinux is preventing anaconda-genera from 'getattr' accesses on the filesystem /.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 42
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2649cb4b187221056220f7db0f0...
Duplicates: 2385051 2385055
Depends On:
Blocks:
Reported: 2025-07-30 14:33 UTC by marek77
Modified: 2025-08-07 00:53 UTC

Fixed In Version: selinux-policy-42.4-1.fc42
Clone Of:
Environment:
Last Closed: 2025-08-07 00:53:49 UTC
Type: ---
Embargoed:


Attachments
File: os_info (645 bytes, text/plain)
2025-07-30 14:33 UTC, marek77
File: description (1.95 KB, text/plain)
2025-07-30 14:33 UTC, marek77


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 2805 | 0 | None | open | Allow anaconda-generator get attributes of all filesystems | 2025-07-31 09:06:53 UTC

Description marek77 2025-07-30 14:33:54 UTC
Description of problem:
SELinux is preventing anaconda-genera from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that anaconda-genera should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'anaconda-genera' --raw | audit2allow -M my-anacondagenera
# semodule -X 300 -i my-anacondagenera.pp

Additional Information:
Source Context                system_u:system_r:anaconda_generator_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        anaconda-genera
Source Path                   anaconda-genera
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.2-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-42.2-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.15.7-200.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 17 17:57:16 UTC 2025
                              x86_64
Alert Count                   7
First Seen                    2025-07-30 16:03:38 CEST
Last Seen                     2025-07-30 16:31:00 CEST
Local ID                      b935389b-dfca-4f03-8f20-1b6c023c84bc

Raw Audit Messages
type=AVC msg=audit(1753885860.737:102326): avc:  denied  { getattr } for  pid=18379 comm="anaconda-genera" name="/" dev="nvme0n1p3" ino=2 scontext=system_u:system_r:anaconda_generator_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1


Hash: anaconda-genera,anaconda_generator_t,fs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-42.2-1.fc42.noarch

Additional info:
reporter:       libreport-2.17.15
component:      selinux-policy
type:           libreport
hashmarkername: setroubleshoot
package:        selinux-policy-targeted-42.2-1.fc42.noarch
kernel:         6.15.7-200.fc42.x86_64
reason:         SELinux is preventing anaconda-genera from 'getattr' accesses on the filesystem /.
component:      selinux-policy

Comment 1 marek77 2025-07-30 14:33:57 UTC
Created attachment 2100477
File: os_info

Comment 2 marek77 2025-07-30 14:33:59 UTC
Created attachment 2100478
File: description

Comment 3 Zdenek Pytela 2025-07-30 16:39:40 UTC
Hi,

What filesystem is on nvme0n1p3 at your system?

Comment 4 Zdenek Pytela 2025-07-30 16:39:48 UTC
*** Bug 2385051 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2025-07-30 16:40:01 UTC
*** Bug 2385055 has been marked as a duplicate of this bug. ***

Comment 6 marek77 2025-07-31 06:21:39 UTC
Hi, it's ext4:

❯ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda           8:0    1     0B  0 disk
sdb           8:16   1     0B  0 disk
zram0       251:0    0     8G  0 disk [SWAP]
nvme0n1     259:0    0 953.9G  0 disk
├─nvme0n1p1 259:1    0   879M  0 part /boot/efi
├─nvme0n1p2 259:2    0     4G  0 part
└─nvme0n1p3 259:3    0   949G  0 part /

❯ mount | grep ' / '
/dev/nvme0n1p3 on / type ext4 (rw,relatime,seclabel)

❯ grep ' / ' /etc/fstab
UUID=06c811f0-65e4-49e8-b581-151343735186 /                       ext4    defaults        1 1

Comment 7 Fedora Update System 2025-08-05 07:56:04 UTC
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23

Comment 8 Fedora Update System 2025-08-06 02:36:19 UTC
FEDORA-2025-d93e219f23 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d93e219f23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2025-08-07 00:53:49 UTC
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make a note of it in this bug report.

