[Bug 1201015] New: transactional-update can't run with selinux=permissive under cloud-init
http://bugzilla.opensuse.org/show_bug.cgi?id=1201015

Bug ID: 1201015
Summary: transactional-update can't run with selinux=permissive under cloud-init
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: fcrozat@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On openSUSE MicroOS, openstack flavor, I can't run transactional-updates from cloud-init when SELinux is in enforcing mode:

```
type=USER_AVC msg=audit(1656516575.658:44): pid=565 uid=483 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=1393 tpid=1392 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=483 hostname=? addr=? terminal=?'
```

--
You are receiving this mail because:
You are on the CC list for the bug.
Frederic Crozat <fcrozat@suse.com> changed:

| What | Removed | Added |
|------|---------|-------|
| CC   |         | iforster@suse.com |
http://bugzilla.opensuse.org/show_bug.cgi?id=1201015#c1

--- Comment #1 from Frederic Crozat <fcrozat@suse.com> ---

workaround:

```
#============= snapperd_t ==============
allow snapperd_t cloud_init_t:dbus send_msg;
```

but I think the fix should be in cloudform.te, with allowing snapper_dbus_chat (but I'm not a selinux policy specialist).
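How the denial in the original report maps to the rule in comment #1, as an added example that is not part of the thread or of any project's code: it parses the quoted USER_AVC record and renders the matching allow rule, the same mapping audit2allow performs. The function names are hypothetical and the sample line is the record from the report.

```python
import re

# The USER_AVC record quoted in the bug report, embedded as sample input.
SAMPLE = (
    "type=USER_AVC msg=audit(1656516575.658:44): pid=565 uid=483 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 "
    "spid=1393 tpid=1392 scontext=system_u:system_r:snapperd_t:s0 "
    "tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-daemon\" sauid=483 hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|permissive)=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_denial(line):
    """Extract the policy-relevant fields from one AVC denial record."""
    match = AVC_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if match is None or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # not a denial, or a truncated record
    return {
        "perms": match.group("perms").split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access was actually blocked
        "enforced": fields.get("permissive") == "0",
    }


def allow_rule(denial):
    """Render the narrowest allow rule that covers the denial."""
    perms = denial["perms"]
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {body};"


if __name__ == "__main__":
    print(allow_rule(parse_denial(SAMPLE)))
```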
http://bugzilla.opensuse.org/show_bug.cgi?id=1201015#c10

Martin Loviska <mloviska@suse.com> changed:

| What | Removed | Added |
|------|---------|-------|
| CC   |         | mloviska@suse.com |

--- Comment #10 from Martin Loviska <mloviska@suse.com> ---

Hello all,

I have tried to verify the current state in MicroOS image.

### Tested image

- openSUSE-MicroOS.x86_64-16.0.0-OpenStack-Cloud-Snapshot20221025.qcow2

### Steps to reproduce

```
:~ # cloud-init --file /root/test init
:~ # cloud-init -f /root/test modules --mode config
:~ # cloud-init -f /root/test modules --mode final
:~ # rpm -q cifs-utils k3s-install k3s-selinux
cifs-utils-7.0-1.1.x86_64
k3s-install-1.24.3+k3s1-1.2.x86_64
k3s-selinux-1.2.stable.2-1.1.noarch
```

### cloud-init config

```
#cloud-config
runcmd:
  - /usr/sbin/transactional-update -n pkg in cifs-utils k3s-install k3s-selinux && reboot
```

Please let me know whether I have taken the correct steps (I faced the same problems as Johannes did), however packages have been installed successfully.

Thanks
http://bugzilla.opensuse.org/show_bug.cgi?id=1201015#c11

--- Comment #11 from Frederic Crozat <fcrozat@suse.com> ---

I can confirm the fix works perfectly with latest version of MicroOS.

Thanks!