[Bug 1224120] New: [SELinux] AVC denial systemd-fstab-g on MicroOS
https://bugzilla.suse.com/show_bug.cgi?id=1224120

            Bug ID: 1224120
           Summary: [SELinux] AVC denial systemd-fstab-g on MicroOS
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mcepl@suse.com
        QA Contact: qa-bugs@suse.de
                CC: arvidjaar@gmail.com
  Target Milestone: ---
          Found By: ---
           Blocker: ---

mitmanek:~ # ausearch -m AVC -ts boot
----
time->Fri May 10 00:24:35 2024
type=AVC msg=audit(1715293475.979:21): avc: denied { map_read map_write } for pid=1237 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
----
time->Fri May 10 00:24:35 2024
type=AVC msg=audit(1715293475.979:22): avc: denied { map_read map_write } for pid=1245 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
----
time->Fri May 10 00:34:38 2024
type=AVC msg=audit(1715294078.083:118): avc: denied { unlink } for pid=1894 comm="bootctl" name="bfb41e21a4f34f10958f75adb1378666-6.8.7-1-default-75.conf" dev="nvme0n1p2" ino=43 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
mitmanek:~ #

I don’t see any actual negative effects.

Also mentioned on https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/2...

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c1

--- Comment #1 from Andrei Borzenkov <arvidjaar@gmail.com> ---
(In reply to Matej Cepl from comment #0)
> I don’t see any actual negative effects.

For snapper it means stale systemd-boot loader entries are not removed.

10:~ # systemctl --no-pager --full status snapper-cleanup.service
○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots
     Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static)
     Active: inactive (dead) since Fri 2024-05-10 15:26:13 MSK; 2min 57s ago
   Duration: 5.210s
TriggeredBy: ● snapper-cleanup.timer
       Docs: man:snapper(8)
             man:snapper-configs(5)
    Process: 1558 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS)
   Main PID: 1558 (code=exited, status=0/SUCCESS)
        CPU: 40ms

May 10 15:26:08 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots.
May 10 15:26:08 10.0.2.15 systemd-helper[1558]: running cleanup for 'root'.
May 10 15:26:08 10.0.2.15 systemd-helper[1558]: running number cleanup for 'root'.
May 10 15:26:13 10.0.2.15 systemd-helper[1558]: running timeline cleanup for 'root'.
May 10 15:26:13 10.0.2.15 systemd-helper[1558]: running empty-pre-post cleanup for 'root'.
May 10 15:26:13 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully.
10:~ #
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.102:141): avc: denied { unlink } for pid=1583 comm="bootctl" name="opensuse-microos-6.8.1-1-default-1.conf" dev="sda2" ino=49 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.222:142): avc: denied { unlink } for pid=1609 comm="bootctl" name="opensuse-microos-6.8.1-1-default-2.conf" dev="sda2" ino=50 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.369:143): avc: denied { unlink } for pid=1635 comm="bootctl" name="initrd-25524e3baa37a82db7896897867f56db6e135865" dev="sda2" ino=92 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.369:144): avc: denied { unlink } for pid=1635 comm="bootctl" name="opensuse-microos-6.8.1-1-default-3.conf" dev="sda2" ino=51 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.709:145): avc: denied { unlink } for pid=1661 comm="bootctl" name="linux-9c7dfa521c0156cccc5a09ea48b102e3a6b41a90" dev="sda2" ino=98 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.709:146): avc: denied { unlink } for pid=1661 comm="bootctl" name="initrd-e996573948a97ab30a6649fefe16d96b7f678b2e" dev="sda2" ino=99 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.709:147): avc: denied { unlink } for pid=1661 comm="bootctl" name="opensuse-microos-6.8.2-1-default-4.conf" dev="sda2" ino=52 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
10:~ #
10:~ # snapper list
  # | Type   | Pre # | Date                     | User | Used Space | Cleanup | Description            | Userdata
----+--------+-------+--------------------------+------+------------+---------+------------------------+--------------
 0  | single |       |                          | root |            |         | current                |
 5  | single |       | Mon Apr 8 20:54:02 2024  | root | 62.62 MiB  | number  | Snapshot Update of #4  | important=yes
 6  | single |       | Wed Apr 10 21:46:26 2024 | root | 35.80 MiB  | number  | Snapshot Update of #5  | important=yes
 7  | single |       | Fri Apr 12 21:12:14 2024 | root | 35.04 MiB  | number  | Snapshot Update of #6  | important=yes
 8  | single |       | Sat Apr 13 18:58:13 2024 | root | 194.71 MiB | number  | Snapshot Update of #7  | important=yes
 9  | single |       | Thu Apr 18 20:58:06 2024 | root | 226.73 MiB | number  | Snapshot Update of #8  | important=yes
10  | single |       | Sun Apr 28 11:36:26 2024 | root | 1.19 MiB   | number  | Snapshot Update of #9  | important=yes
11  | single |       | Mon May 6 20:29:57 2024  | root | 852.00 KiB | number  | Snapshot Update of #10 | important=yes
12  | single |       | Tue May 7 17:17:04 2024  | root | 836.00 KiB | number  | Snapshot Update of #11 | important=yes
13  | single |       | Tue May 7 17:57:34 2024  | root | 612.00 KiB | number  | Snapshot Update of #12 | important=yes
14  | single |       | Thu May 9 08:19:23 2024  | root | 1.05 MiB   | number  | Snapshot Update of #13 | important=yes
15* | single |       | Thu May 9 09:51:28 2024  | root | 334.57 MiB | number  | Snapshot Update of #14 |
10:~ #

So the earliest snapshot remaining is from Apr 8.

10:~ # ll /boot/efi/loader/entries
total 128
-rwxr-xr-x. 1 root root 588 Mar 31 15:45 opensuse-microos-6.8.1-1-default-1.conf
-rwxr-xr-x. 1 root root 588 Mar 31 15:49 opensuse-microos-6.8.1-1-default-2.conf
-rwxr-xr-x. 1 root root 588 Mar 31 15:57 opensuse-microos-6.8.1-1-default-3.conf
-rwxr-xr-x. 1 root root 588 Apr 6 06:59 opensuse-microos-6.8.2-1-default-4.conf
-rwxr-xr-x. 1 root root 600 Apr 8 20:56 opensuse-microos-6.8.4-rc1-1-default-5.conf
-rwxr-xr-x. 1 root root 600 Apr 10 21:47 opensuse-microos-6.8.4-rc1-1-default-6.conf
-rwxr-xr-x. 1 root root 600 Apr 12 21:13 opensuse-microos-6.8.4-rc1-1-default-7.conf
-rwxr-xr-x. 1 root root 588 Apr 13 19:05 opensuse-microos-6.8.5-1-default-8.conf
-rwxr-xr-x. 1 root root 590 Apr 26 21:28 opensuse-microos-6.8.6-1-default-10.conf
-rwxr-xr-x. 1 root root 588 Apr 26 21:31 opensuse-microos-6.8.6-1-default-9.conf
-rwxr-xr-x. 1 root root 590 Apr 28 11:40 opensuse-microos-6.8.7-1-default-10.conf
-rwxr-xr-x. 1 root root 590 May 6 20:33 opensuse-microos-6.8.7-1-default-11.conf
-rwxr-xr-x. 1 root root 590 May 7 17:18 opensuse-microos-6.8.7-1-default-12.conf
-rwxr-xr-x. 1 root root 590 May 7 17:58 opensuse-microos-6.8.7-1-default-13.conf
-rwxr-xr-x. 1 root root 590 May 9 08:19 opensuse-microos-6.8.7-1-default-14.conf
-rwxr-xr-x. 1 root root 590 May 9 09:55 opensuse-microos-6.8.8-1-default-15.conf
10:~ #

But

10:~ # ll /.snapshots/5/snapshot/usr/lib/modules
total 0
drwxr-xr-x. 1 root root 600 Apr 8 20:55 6.8.4-rc1-1-default
10:~ #

The snapper denials come from /usr/lib/snapper/plugins/10-sdbootutil.snapper which tries to remove kernel entries.

2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper delete-snapshot-pre / btrfs 4
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 1 "Failed to remove "/opensuse-microos/6.8.2-1-default/linux-9c7dfa521c0156cccc5a09ea48b102e3a6b41a90", ignoring: Permission denied"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 2 "Failed to remove "/opensuse-microos/6.8.2-1-default/initrd-e996573948a97ab30a6649fefe16d96b7f678b2e", ignoring: Permission denied"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 3 "Failed to remove "/boot/efi/loader/entries/opensuse-microos-6.8.2-1-default-4.conf": Permission denied"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(getUntilEOF):358 - pid:1639 added lines:3 stderr:true
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(execute):180 - stopwatch 0.329812s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper delete-snapshot-pre / btrfs 4"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(execute):194 - system() Returns:0

For systemd generators the likely consequence is incomplete sandbox. Not sure how important it is with active SELinux, but having those errors on a clean installation is certainly confusing.
https://bugzilla.suse.com/show_bug.cgi?id=1224120

Johannes Kastl <opensuse_buildservice@ojkastl.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |opensuse_buildservice@ojkastl.de
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c2

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com

--- Comment #2 from Filippo Bonazzi <filippo.bonazzi@suse.com> ---
The first two AVCs seem to have been already reported and fixed in bug 1222736. We have this and another couple of changes in the devel project which have not made their way to Factory yet ATM, we are still testing some large changes and Cathy was away for a couple of weeks. We hope to submit soon.

The snapper AVC seems to be a new one, renaming this bug to keep track of it.
https://bugzilla.suse.com/show_bug.cgi?id=1224120

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[SELinux] AVC denial        |[SELinux] MicroOS: bootctl
                   |systemd-fstab-g on MicroOS  |(snapperd_t) denied unlink
                   |                            |for dosfs_t
https://bugzilla.suse.com/show_bug.cgi?id=1224120

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.suse.com/show_bug.cgi?id=1222736
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c3

--- Comment #3 from Andrei Borzenkov <arvidjaar@gmail.com> ---
There are more snapper denials related to using systemd-pcrlock. They do not cause failures, but they do mean stale pcrlock definitions are left cluttering the policy. I use local policy override for earlier reported dosfs_t.

Operating System: openSUSE MicroOS

10:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
10:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20240321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    :
    SELinux Reference Policy.
    A complete SELinux policy that can be used as the system policy for a
    variety of systems and used as the basis for creating other policies.

10:~ # rpm -q sdbootutil
sdbootutil-1+git20240506.573a6a4-1.1.x86_64
10:~ # rpm -qf /usr/lib/systemd/systemd-pcrlock
systemd-experimental-255.4-3.1.x86_64
10:~ # ls -l /etc/systemd/tpm2-pcr-public-key.pem /etc/systemd/tpm2-pcr-private-key.pem
ls: cannot access '/etc/systemd/tpm2-pcr-public-key.pem': No such file or directory
ls: cannot access '/etc/systemd/tpm2-pcr-private-key.pem': No such file or directory
10:~ #

sdbootutil defaults to systemd-pcrlock if it is present and no previous keypair for the signed policy is present.

10:~ # systemctl start snapper-cleanup.service
10:~ # semodule -B
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:137): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:138): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62888 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:139): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62892 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:140): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62890 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:141): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62894 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:142): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62900 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:143): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62898 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:144): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62902 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:145): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62904 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:146): avc: denied { unlink } for pid=1436 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:147): avc: denied { unlink } for pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:148): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-1.pcrlock" dev="dm-0" ino=62911 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:149): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-2.pcrlock" dev="dm-0" ino=62913 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:150): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=62909 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:151): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-initrd-2.pcrlock" dev="dm-0" ino=62912 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
10:~ # systemctl status --no-pager --full snapper-cleanup.service
○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots
     Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static)
     Active: inactive (dead) since Sun 2024-05-12 08:27:24 MSK; 1min 24s ago
   Duration: 4.244s
TriggeredBy: ● snapper-cleanup.timer
       Docs: man:snapper(8)
             man:snapper-configs(5)
    Process: 1405 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS)
   Main PID: 1405 (code=exited, status=0/SUCCESS)
        CPU: 47ms

May 12 08:27:20 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running cleanup for 'root'.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running number cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running timeline cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running empty-pre-post cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully.
10:~ #
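A small triage helper, added here as an example and not code from the bug report, snapper, sdbootutil or the SELinux policy package: it parses ausearch-style AVC records like the ones quoted in comments #0, #1 and #3, groups them into the (source type, target type, class, permissions) tuples that each correspond to one missing policy rule, flags which groups ran with permissive=0 and therefore actually failed, and renders a .te module in the layout audit2allow -M produces (that layout is assumed from the tool's usual output). The sample records are copied from this thread.

```python
import re
from collections import defaultdict

# One "type=AVC ..." record as printed by ausearch; the optional name= field is
# present for file-class denials and absent for the bpf map denials.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} +for +pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*? scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)

# Constructed sample: records copied from comments #0 and #3 of this report; the
# "----" separator and "time->" line ausearch prints are kept to show they are skipped.
SAMPLE = """\
----
time->Fri May 10 00:24:35 2024
type=AVC msg=audit(1715293475.979:21): avc: denied { map_read map_write } for pid=1237 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(1715293475.979:22): avc: denied { map_read map_write } for pid=1245 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(1715294078.083:118): avc: denied { unlink } for pid=1894 comm="bootctl" name="bfb41e21a4f34f10958f75adb1378666-6.8.7-1-default-75.conf" dev="nvme0n1p2" ino=43 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1715491641.667:137): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715491641.670:147): avc: denied { unlink } for pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

def parse_avc(line):
    """Return the fields of one AVC record, or None for separator and time-> lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    rec["permissive"] = rec["permissive"] == "1"   # True: logged only, not blocked
    return rec

def type_of(context):
    """user:role:type:level -> type; allow rules are written against the type."""
    return context.split(":")[2]

def summarize(text):
    """Group records by (source type, target type, class, perms): one policy gap each."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
                   rec["tclass"], rec["perms"])
            groups[key].append(rec)
    return dict(groups)

def blocked(groups):
    """Keys with at least one permissive=0 record, i.e. the operation really failed."""
    return sorted(k for k, recs in groups.items() if not all(r["permissive"] for r in recs))

def fmt_perms(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def allow_rule(key):
    src, tgt, cls, perms = key
    return f"allow {src} {tgt}:{cls} {fmt_perms(perms)};"

def policy_module(name, groups):
    """Render a .te module in the shape audit2allow -M emits (assumed layout). Review
    each rule before loading: a denial on a mislabeled file (note the unconfined_u
    var_lib_t targets above) is better fixed by relabeling than by a blanket allow."""
    types = sorted({t for src, tgt, _, _ in groups for t in (src, tgt)})
    class_perms = defaultdict(set)
    for _, _, cls, perms in groups:
        class_perms[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(sorted(p))};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += [f"{allow_rule(k)}  # {len(groups[k])} denial(s)" for k in sorted(groups)]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(policy_module("local_snapper", summarize(SAMPLE)))
```

Feed it the raw output of ausearch -m AVC -ts boot instead of SAMPLE to triage a live system; the distribution's own policy update remains the preferred fix over a local module.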
https://bugzilla.suse.com/show_bug.cgi?id=1224120

Andrei Borzenkov <arvidjaar@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.suse.com/show_bug.cgi?id=1224149

https://bugzilla.suse.com/show_bug.cgi?id=1224120

Zdenek Kubala <zkubala@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zkubala@suse.com
           Assignee|security-team@suse.de       |zkubala@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c4

--- Comment #4 from Zdenek Kubala <zkubala@suse.com> ---
I tried to reproduce snapper AVCs on clean MicroOS but so far without success.

localhost:~ # snapper list
 # │ Type   │ Pre # │ Date                     │ User │ Used Space │ Cleanup │ Description           │ Userdata
───┼────────┼───────┼──────────────────────────┼──────┼────────────┼─────────┼───────────────────────┼─────────
0  │ single │       │                          │ root │            │         │ current               │
1  │ single │       │ Fri May 24 09:24:42 2024 │ root │ 113.16 MiB │         │ first root filesystem │
2* │ single │       │ Mon May 27 10:41:03 2024 │ root │ 129.81 MiB │ number  │ Snapshot Update of #1 │
localhost:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
<no matches>
localhost:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
localhost:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20240321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    :
    SELinux Reference Policy.
    A complete SELinux policy that can be used as the system policy for a
    variety of systems and used as the basis for creating other policies.

localhost:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
<no matches>
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c5

--- Comment #5 from Zdenek Kubala <zkubala@suse.com> ---
BTW, just to make things clear here. Reported AVCs from Andrei Borzenkov are handled in https://bugzilla.suse.com/show_bug.cgi?id=1224149. As Filippo mentioned, the first two initial AVCs from Matej Cepl have been solved in https://bugzilla.suse.com/show_bug.cgi?id=1222736. So we have the last one here to resolve.

----
time->Fri May 10 00:34:38 2024
type=AVC msg=audit(1715294078.083:118): avc: denied { unlink } for pid=1894 comm="bootctl" name="bfb41e21a4f34f10958f75adb1378666-6.8.7-1-default-75.conf" dev="nvme0n1p2" ino=43 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
mitmanek:~ #
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c6

--- Comment #6 from Andrei Borzenkov <arvidjaar@gmail.com> ---
(In reply to Zdenek Kubala from comment #4)
> I tried to reproduce snapper AVCs on clean MicroOS but so far without success.

See https://bugzilla.suse.com/show_bug.cgi?id=1224149#c5

You need to have snapshots eligible for removal and of course you need to use LUKS encrypted root with TPM2 protection using systemd-pcrlock.
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c7

Zdenek Kubala <zkubala@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED

--- Comment #7 from Zdenek Kubala <zkubala@suse.com> ---
I have been able to reproduce this AVC when populating snapper list enough to trigger cleanup service.

localhost:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot | grep snapper
type=AVC msg=audit(1717492383.628:155): avc: denied { unlink } for pid=3832 comm="bootctl" name="opensuse-microos-6.9.1-1-default-4.conf" dev="vda2" ino=39 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1

Also it can be triggered as Alberto posted in bug 1224149, comment 6:

> transactional-update pkg in emacs-nox
> snapper ls
> btrfs subvolume list -o /.snapshots
> btrfs subvolume set-default 258 /.snapshots
> snapper rm 2
https://bugzilla.suse.com/show_bug.cgi?id=1224120

Alberto Planas Dominguez <aplanas@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aplanas@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c8

--- Comment #8 from Alberto Planas Dominguez <aplanas@suse.com> ---
bsc#1224149 and this one have the same root cause: the snapper plugin makes calls to sdbootutil, which also calls bootctl and pcr-oracle / pcrlock. By itself, sdbootutil will also remove and create certain files in the ESP, /etc, and /var.
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c9

--- Comment #9 from Zdenek Kubala <zkubala@suse.com> ---
I have created a patch which should allow snapperd to modify files on the EFI partition. I'm testing it now and I will also try a setup to test it against bsc#1224149.
https://bugzilla.suse.com/show_bug.cgi?id=1224120
https://bugzilla.suse.com/show_bug.cgi?id=1224120#c11

Zdenek Kubala <zkubala@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
         Resolution|---                         |FIXED

--- Comment #11 from Zdenek Kubala <zkubala@suse.com> ---
Fixed in factory.