Bug ID 1232670
Summary [SELinux] importctl cannot write to /var/lib/extensions
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter kukuk@suse.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Importing sysext images with importctl does not work, since SELinux blocks
writing to that directory:

node122:~ # importctl pull-raw --class=sysext https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/gcc-20.2.x86-64.raw --verify=no
Enqueued transfer job 1. Press C-c to continue download in background.
Pulling 'https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/gcc-20.2.x86-64.raw', saving as 'gcc-20.2.x86-64'.
Operating on image directory '/var/lib/extensions'.
Failed to create /var/lib/extensions/.#verityebe0580e99f54026: Permission denied
Verity integrity file could not be retrieved, proceeding without.
Failed to create /var/lib/extensions/.#roothash96cdb063d430dc58: Permission denied
Root hash file could not be retrieved, proceeding without.
Failed to create /var/lib/extensions/.#roothash.p7s70c3902ea1954e95: Permission denied
Root hash signature file could not be retrieved, proceeding without.
Downloading 241.2M for https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/gcc-20.2.x86-64.raw.
Failed to create /var/lib/extensions/.#rawd292069b0f58e5ea: Permission denied
Failed to retrieve image file.
Exiting.

type=SERVICE_START msg=audit(1730372760.872:336): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1730372764.279:337): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372764.282:338): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372764.289:339): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372767.479:340): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1730372797.529:341): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
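The AVC records above say everything needed for triage: the systemd-pull helper runs in the systemd_importd_t domain and is denied "write" on a directory labelled var_lib_t, which is the fallback label for anything under /var/lib that has no file-context entry of its own. The script below is an added example, not code from the bug report or from the openSUSE policy: it condenses raw audit records into one line per (source type, target type, class, permission), prints the allow rule that an audit2allow-style workaround would produce, and flags when the target type is a generic label. The embedded AVC_SAMPLE is the report's own four records rejoined onto one line each; the list of labels treated as "generic" in avc_is_generic_target is this example's assumption.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials from an audit log.
# Constructed input: the four AVC records from the bug report, one per line.
AVC_SAMPLE='type=AVC msg=audit(1730372764.279:337): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372764.282:338): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372764.289:339): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372767.479:340): avc:  denied  { write } for  pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0'

# avc_summarize: stdin = raw audit records (e.g. from "ausearch -m AVC --raw");
# stdout = one line per distinct denial: "COUNT SRC_TYPE TGT_TYPE CLASS PERMS".
# Only the type component (third field) of scontext/tcontext is kept, because
# that is what a policy allow rule is written against.
avc_summarize() {
  awk '/^type=AVC/ && /denied/ {
    perm = ""; s = ""; t = ""; c = ""
    # permissions sit between braces: "{ write }" or "{ read write }"
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
      else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    n[s " " t " " c " " perm]++
  }
  END { for (k in n) print n[k], k }' | sort
}

# avc_to_te: stdin = summary lines from avc_summarize;
# stdout = the TE allow rules a blanket audit2allow-style module would contain.
avc_to_te() {
  awk '{
    printf "allow %s %s:%s { ", $2, $3, $4
    for (i = 5; i <= NF; i++) printf "%s ", $i
    print "};"
  }'
}

# avc_is_generic_target TYPE: succeeds when TYPE is a catch-all label (assumed
# list for this example). Allowing a domain to write to such a type grants
# access to every object that merely inherited the label, not just the one path
# in the denial; the right fix is a dedicated file context in the policy.
avc_is_generic_target() {
  case "$1" in
    var_lib_t|var_t|etc_t|tmp_t|default_t|unlabeled_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Run on the constructed sample.
summary=$(printf '%s\n' "$AVC_SAMPLE" | avc_summarize)
printf 'denials:\n%s\n' "$summary"
printf 'audit2allow-style rule(s):\n'
printf '%s\n' "$summary" | avc_to_te
tgt=$(printf '%s\n' "$summary" | awk 'NR == 1 { print $3 }')
if avc_is_generic_target "$tgt"; then
  echo "warning: $tgt is a generic label; the rule above reaches far beyond /var/lib/extensions"
fi
```

On a live machine, feed it real records with `ausearch -m AVC -c systemd-pull --raw | avc_summarize`, and compare `ls -Zd /var/lib/extensions` (the label on disk) with `matchpathcon /var/lib/extensions` (the label the loaded policy expects). If both report var_lib_t, a relabel will not help: the policy simply has no entry for the directory, which is the point of this report, and the fix belongs in the distribution's file contexts rather than in a local "allow systemd_importd_t var_lib_t" module.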