Bug ID 1224149
Summary [SELinux] sdbootutil (snapperd_t) fails to execute systemd-pcrlock (init_exec_t)
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter arvidjaar@gmail.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Operating System: openSUSE MicroOS
10:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
10:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...


Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20240321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    : 
    SELinux Reference Policy. A complete SELinux policy that can be used
    as the system policy for a variety of systems and used as the basis for
    creating other policies.

10:~ # rpm -q sdbootutil
sdbootutil-1+git20240506.573a6a4-1.1.x86_64
10:~ # rpm -qf /usr/lib/systemd/systemd-pcrlock 
systemd-experimental-255.4-3.1.x86_64
10:~ # ls -l /etc/systemd/tpm2-pcr-public-key.pem /etc/systemd/tpm2-pcr-private-key.pem
ls: cannot access '/etc/systemd/tpm2-pcr-public-key.pem': No such file or directory
ls: cannot access '/etc/systemd/tpm2-pcr-private-key.pem': No such file or directory
10:~ # 

sdbootutil defaults to systemd-pcrlock if it is present and no previous keypair
for the signed policy is present.

10:~ # semodule -DB
10:~ # systemctl start snapper-cleanup.service
10:~ # semodule -B
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot 
----
time->Sun May 12 08:54:27 2024
type=AVC msg=audit(1715493267.232:132): avc:  denied  { execute } for  pid=1325 comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:54:27 2024
type=AVC msg=audit(1715493267.232:133): avc:  denied  { execute } for  pid=1325 comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
10:~ # 

Other denials for snapper_t are listed in boo#1224120 for which I have local
policy override.
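The AVC records above can be turned into a local policy override of the kind the reporter mentions. The script below is an added example, not part of the bug report or of the openSUSE policy; it parses AVC lines the way audit2allow does, emits a minimal .te module, and shows the build commands. The module name `local_snapperd_pcrlock` and the sample input (the two records from this report, embedded as a constructed string) are assumptions of this example.

```sh
#!/bin/sh
# Added example: derive a local SELinux policy module from AVC denial records.
# Not code from the bug report. Module name and sample input are assumptions.

# Constructed input: the two AVC records quoted in the report, one per line.
AVC_SAMPLE='type=AVC msg=audit(1715493267.232:132): avc:  denied  { execute } for  pid=1325 comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715493267.232:133): avc:  denied  { execute } for  pid=1325 comm="sdbootutil" name="systemd-pcrlock" dev="dm-0" ino=57169 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC records on stdin, print one deduplicated allow rule
# per (source type, target type, class, permission set). Only the type field
# (third component) of each context is used; user and role are ignored.
avc_to_allow() {
    awk '
    /avc:  denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)      # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)              # drop " }" and the rest
        match($0, /scontext=[^ ]*/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]*/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]*/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")
        print "allow " sa[3] " " ta[3] ":" c " { " perms " };"
    }' | sort -u
}

# write_te_module NAME: build a complete .te source from the allow rules
# produced by avc_to_allow on stdin, including the require block that
# declares every type and class the rules reference.
write_te_module() {
    name=$1
    rules=$(avc_to_allow)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # one "type X;" line per source and target type
    printf '%s\n' "$rules" | awk '{ print $2; split($3, t, ":"); print t[1] }' \
        | sort -u | sed 's/^/    type /; s/$/;/'
    # one "class C { perms };" line per class
    printf '%s\n' "$rules" | awk '{
        split($3, t, ":"); p = $0
        sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
        print "    class " t[2] " { " p " };"
    }' | sort -u
    printf '}\n\n%s\n' "$rules"
}

# build_and_load NAME: compile and install the module on the affected host.
# Requires checkmodule/semodule_package/semodule (policycoreutils) and root.
build_and_load() {
    name=$1
    printf '%s\n' "$AVC_SAMPLE" | write_te_module "$name" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Stand-alone run: print the generated module so it can be reviewed first.
printf '%s\n' "$AVC_SAMPLE" | write_te_module local_snapperd_pcrlock
```

Run `build_and_load local_snapperd_pcrlock` as root on the MicroOS host to install the override; the two identical records (serials 132 and 133) collapse into the single rule `allow snapperd_t init_exec_t:file { execute };`. Two caveats from my side, not the reporter's: this rule lets snapperd_t execute any init_exec_t binary (systemd itself is labelled init_exec_t), so it is a stop-gap rather than a policy fix, which would be a domain transition or a dedicated type for systemd-pcrlock; and executing the file in the caller's own domain typically also needs `execute_no_trans`, so expect to iterate with `semodule -DB` until the audit log is clean.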
