https://bugzilla.suse.com/show_bug.cgi?id=1224149

Bug ID: 1224149
Summary: [SELinux] sdbootutil (snapperd_t) fails to execute systemd-pcrlock (init_exec_t)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: arvidjaar@gmail.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Operating System: openSUSE MicroOS

10:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

10:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20240321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    :
    SELinux Reference Policy.
    A complete SELinux policy that can be used as the system policy for a
    variety of systems and used as the basis for creating other policies.
10:~ # rpm -q sdbootutil
sdbootutil-1+git20240506.573a6a4-1.1.x86_64

10:~ # rpm -qf /usr/lib/systemd/systemd-pcrlock
systemd-experimental-255.4-3.1.x86_64

10:~ # ls -l /etc/systemd/tpm2-pcr-public-key.pem /etc/systemd/tpm2-pcr-private-key.pem
ls: cannot access '/etc/systemd/tpm2-pcr-public-key.pem': No such file or directory
ls: cannot access '/etc/systemd/tpm2-pcr-private-key.pem': No such file or directory

sdbootutil defaults to systemd-pcrlock if it is present and no previous keypair for the signed policy is present.

10:~ # semodule -DB
10:~ # systemctl start snapper-cleanup.service
10:~ # semodule -B
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Sun May 12 08:54:27 2024
type=AVC msg=audit(1715493267.232:132): avc:  denied  { execute } for  pid=1325 comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:54:27 2024
type=AVC msg=audit(1715493267.232:133): avc:  denied  { execute } for  pid=1325 comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
10:~ #

Other denials for snapper_t are listed in boo#1224120, for which I have a local policy override.
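The kind of local policy override the reporter mentions is normally produced from exactly these AVC records; the following is an added example (not part of the bug report or of sdbootutil) that parses the two records above, merges the duplicate, and emits the audit2allow-style module that would allow the denied access. The module name local_sdbootutil is a placeholder, and the sample records are reconstructed from this report. Note that the resulting rule lets snapperd_t execute every file labelled init_exec_t, not only systemd-pcrlock; a narrower fix (a dedicated file type or domain transition) belongs in the distribution policy rather than in a local module.

```python
import re

# Constructed sample: the denial from this report as ausearch prints it, logged twice (serials 132, 133).
_RECORD = (
    'type=AVC msg=audit(1715493267.232:%d): avc:  denied  { execute } for  pid=1325 '
    'comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 '
    'scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 '
    'tclass=file permissive=0'
)
AVC_LINES = [_RECORD % serial for serial in (132, 133)]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, class, frozenset(perms)) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; policy rules refer to the type field only.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def collect_denials(lines):
    """Merge duplicate records into {(stype, ttype, tclass): set(perms)}."""
    denials = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            denials.setdefault((stype, ttype, tclass), set()).update(perms)
    return denials

def generate_te_module(lines, module_name='local_sdbootutil'):
    """Emit a raw .te module (placeholder name) covering the denials; build with checkmodule -M -m."""
    denials = collect_denials(lines)
    types = sorted({t for key in denials for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in denials.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};' for (s, t, c), p in sorted(denials.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(generate_te_module(AVC_LINES))
```

Write the output to a .te file, then build and load it with checkmodule -M -m, semodule_package and semodule -i; the allow rule it prints is the one the denial asks for.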