https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c3
--- Comment #3 from Andrei Borzenkov ---
There are more snapper denials related to using systemd-pcrlock. They do not
cause failures, but they do mean stale pcrlock definitions are left cluttering
the policy. I use a local policy override for the earlier reported dosfs_t.
Operating System: openSUSE MicroOS
10:~ # sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
10:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...
Information for package selinux-policy:
---------------------------------------
Repository : openSUSE-Tumbleweed-Oss
Name : selinux-policy
Version : 20240321-1.2
Arch : noarch
Vendor : openSUSE
Installed Size : 24.8 KiB
Installed : Yes (automatically)
Status : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL : https://github.com/fedora-selinux/selinux-policy.git
Summary : SELinux policy configuration
Description :
SELinux Reference Policy. A complete SELinux policy that can be used
as the system policy for a variety of systems and used as the basis for
creating other policies.
10:~ # rpm -q sdbootutil
sdbootutil-1+git20240506.573a6a4-1.1.x86_64
10:~ # rpm -qf /usr/lib/systemd/systemd-pcrlock
systemd-experimental-255.4-3.1.x86_64
10:~ # ls -l /etc/systemd/tpm2-pcr-public-key.pem /etc/systemd/tpm2-pcr-private-key.pem
ls: cannot access '/etc/systemd/tpm2-pcr-public-key.pem': No such file or directory
ls: cannot access '/etc/systemd/tpm2-pcr-private-key.pem': No such file or directory
10:~ #
sdbootutil defaults to systemd-pcrlock if it is present and no previous keypair
for the signed policy is present.
10:~ # systemctl start snapper-cleanup.service
10:~ # semodule -B
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:137): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:138): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62888
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:139): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62892
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:140): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62890
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:141): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62894
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:142): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62900
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:143): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62898
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:144): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62902
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:145): avc: denied { unlink } for pid=1436
comm="rm" name="generated.pcrlock" dev="dm-0" ino=62904
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:146): avc: denied { unlink } for pid=1436
comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:147): avc: denied { unlink } for pid=1436
comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:148): avc: denied { unlink } for pid=1436
comm="rm" name="cmdline-1.pcrlock" dev="dm-0" ino=62911
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:149): avc: denied { unlink } for pid=1436
comm="rm" name="cmdline-2.pcrlock" dev="dm-0" ino=62913
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:150): avc: denied { unlink } for pid=1436
comm="rm" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=62909
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:151): avc: denied { unlink } for pid=1436
comm="rm" name="cmdline-initrd-2.pcrlock" dev="dm-0" ino=62912
scontext=system_u:system_r:snapperd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
10:~ # systemctl status --no-pager --full snapper-cleanup.service
○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots
Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static)
Active: inactive (dead) since Sun 2024-05-12 08:27:24 MSK; 1min 24s ago
Duration: 4.244s
TriggeredBy: ● snapper-cleanup.timer
Docs: man:snapper(8)
man:snapper-configs(5)
Process: 1405 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS)
Main PID: 1405 (code=exited, status=0/SUCCESS)
CPU: 47ms
May 12 08:27:20 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running cleanup for 'root'.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running number cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running timeline cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running empty-pre-post cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully.
10:~ #
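Added example (not part of the bug report or of any SUSE tooling): a small triage script that reduces AVC records like the ones above to the distinct (source type, target type, class, permission) tuples, renders the TE allow rule each one would need, and flags targets that carry a generic refpolicy type such as var_lib_t, where a missing file context is the more likely root cause than a missing allow rule. The sample records are copied from the report with the mail line-wrapping undone; the list of generic types is a heuristic chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records quoted in the report, mail wrapping undone.
SAMPLE_AVCS = """\
type=AVC msg=audit(1715491641.667:137): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715491641.670:146): avc: denied { unlink } for pid=1436 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715491641.670:147): avc: denied { unlink } for pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(  # one kernel AVC record of the "avc: denied { ... }" form
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r"(?:.*?\bname=\"(?P<name>[^\"]*)\")?"
    r".*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

# Generic refpolicy file types (heuristic list for this example): a denial whose
# target carries one of these usually means the object never got its own label.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "usr_t", "etc_t", "tmp_t"}

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; TE rules are written against the type.
    return {"perms": m.group("perms").split(), "name": m.group("name"),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2], "tclass": m.group("tclass")}

def summarize(text):
    """Group denials by (source type, target type, class, permission) -> object names."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                groups[(rec["stype"], rec["ttype"], rec["tclass"], perm)].add(rec["name"])
    return groups

def te_rules(groups):
    """Render each distinct denial as the TE allow rule that would permit it."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in groups)

def labelling_warnings(groups):
    """Flag rules whose target is a generic type: a file context may be the better fix."""
    return sorted(f"{t} is a generic type; check the label of: {', '.join(sorted(n))}"
                  for (s, t, c, p), n in groups.items() if t in GENERIC_TARGET_TYPES)
```

For the fifteen denials in the report this collapses to the single rule `allow snapperd_t var_lib_t:file unlink;` plus one warning that the target type is generic, which is the question to settle before putting such a rule into a local policy override.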