[Bug 1224120] New: [SELinux] AVC denial systemd-fstab-g on MicroOS

newer
[Bug 1225809] [Build 20240531]...

bugzilla_noreply＠suse.com

10 May 2024 10 May '24

12:01

https://bugzilla.suse.com/show_bug.cgi?id=1224120 Bug ID: 1224120 Summary: [SELinux] AVC denial systemd-fstab-g on MicroOS Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mcepl@suse.com QA Contact: qa-bugs@suse.de CC: arvidjaar@gmail.com Target Milestone: --- Found By: --- Blocker: --- mitmanek:~ # ausearch -m AVC -ts boot ---- time->Fri May 10 00:24:35 2024 type=AVC msg=audit(1715293475.979:21): avc: denied { map_read map_write } for pid=1237 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1 ---- time->Fri May 10 00:24:35 2024 type=AVC msg=audit(1715293475.979:22): avc: denied { map_read map_write } for pid=1245 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1 ---- time->Fri May 10 00:34:38 2024 type=AVC msg=audit(1715294078.083:118): avc: denied { unlink } for pid=1894 comm="bootctl" name="bfb41e21a4f34f10958f75adb1378666-6.8.7-1-default-75.conf" dev="nvme0n1p2" ino=43 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1 mitmanek:~ # I don’t see any actual negative effects. Also mentioned on https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/2... -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.html (text/html — 3.5 KB)

Show replies by date

bugzilla_noreply＠suse.com

10 May 10 May

12:39

New subject: [Bug 1224120] [SELinux] AVC denial systemd-fstab-g on MicroOS

https://bugzilla.suse.com/show_bug.cgi?id=1224120 https://bugzilla.suse.com/show_bug.cgi?id=1224120#c1 --- Comment #1 from Andrei Borzenkov --- (In reply to Matej Cepl from comment #0)

...

I don’t see any actual negative effects.

For snapper it means stale systemd-boot loader entries are not removed. 10:~ # systemctl --no-pager --full status snapper-cleanup.service ○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static) Active: inactive (dead) since Fri 2024-05-10 15:26:13 MSK; 2min 57s ago Duration: 5.210s TriggeredBy: ● snapper-cleanup.timer Docs: man:snapper(8) man:snapper-configs(5) Process: 1558 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS) Main PID: 1558 (code=exited, status=0/SUCCESS) CPU: 40ms May 10 15:26:08 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots. May 10 15:26:08 10.0.2.15 systemd-helper[1558]: running cleanup for 'root'. May 10 15:26:08 10.0.2.15 systemd-helper[1558]: running number cleanup for 'root'. May 10 15:26:13 10.0.2.15 systemd-helper[1558]: running timeline cleanup for 'root'. May 10 15:26:13 10.0.2.15 systemd-helper[1558]: running empty-pre-post cleanup for 'root'. May 10 15:26:13 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully. 10:~ # 10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.102:141): avc: denied { unlink } for pid=1583 comm="bootctl" name="opensuse-microos-6.8.1-1-default-1.conf" dev="sda2" ino=49 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.222:142): avc: denied { unlink } for pid=1609 comm="bootctl" name="opensuse-microos-6.8.1-1-default-2.conf" dev="sda2" ino=50 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.369:143): avc: denied { unlink } for pid=1635 comm="bootctl" name="initrd-25524e3baa37a82db7896897867f56db6e135865" dev="sda2" ino=92 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.369:144): avc: denied { unlink } for pid=1635 comm="bootctl" name="opensuse-microos-6.8.1-1-default-3.conf" dev="sda2" ino=51 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.709:145): avc: denied { unlink } for pid=1661 comm="bootctl" name="linux-9c7dfa521c0156cccc5a09ea48b102e3a6b41a90" dev="sda2" ino=98 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.709:146): avc: denied { unlink } for pid=1661 comm="bootctl" name="initrd-e996573948a97ab30a6649fefe16d96b7f678b2e" dev="sda2" ino=99 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 ---- time->Fri May 10 15:26:09 2024 type=AVC msg=audit(1715343969.709:147): avc: denied { unlink } for pid=1661 comm="bootctl" name="opensuse-microos-6.8.2-1-default-4.conf" dev="sda2" ino=52 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 10:~ # 10:~ # snapper list # | Type | Pre # | Date | User | Used Space | Cleanup | Description | Userdata ----+--------+-------+--------------------------+------+------------+---------+------------------------+-------------- 0 | single | | | root | | | current | 5 | single | | Mon Apr 8 20:54:02 2024 | root | 62.62 MiB | number | Snapshot Update of #4 | important=yes 6 | single | | Wed Apr 10 21:46:26 2024 | root | 35.80 MiB | number | Snapshot Update of #5 | important=yes 7 | single | | Fri Apr 12 21:12:14 2024 | root | 35.04 MiB | number | Snapshot Update of #6 | important=yes 8 | single | | Sat Apr 13 18:58:13 2024 | root | 194.71 MiB | number | Snapshot Update of #7 | important=yes 9 | single | | Thu Apr 18 20:58:06 2024 | root | 226.73 MiB | number | Snapshot Update of #8 | important=yes 10 | single | | Sun Apr 28 11:36:26 2024 | root | 1.19 MiB | number | Snapshot Update of #9 | important=yes 11 | single | | Mon May 6 20:29:57 2024 | root | 852.00 KiB | number | Snapshot Update of #10 | important=yes 12 | single | | Tue May 7 17:17:04 2024 | root | 836.00 KiB | number | Snapshot Update of #11 | important=yes 13 | single | | Tue May 7 17:57:34 2024 | root | 612.00 KiB | number | Snapshot Update of #12 | important=yes 14 | single | | Thu May 9 08:19:23 2024 | root | 1.05 MiB | number | Snapshot Update of #13 | important=yes 15* | single | | Thu May 9 09:51:28 2024 | root | 334.57 MiB | number | Snapshot Update of #14 | 10:~ # So the earliest snapshot remaining is from Apr 8. 10:~ # ll /boot/efi/loader/entries total 128 -rwxr-xr-x. 1 root root 588 Mar 31 15:45 opensuse-microos-6.8.1-1-default-1.conf -rwxr-xr-x. 1 root root 588 Mar 31 15:49 opensuse-microos-6.8.1-1-default-2.conf -rwxr-xr-x. 1 root root 588 Mar 31 15:57 opensuse-microos-6.8.1-1-default-3.conf -rwxr-xr-x. 1 root root 588 Apr 6 06:59 opensuse-microos-6.8.2-1-default-4.conf -rwxr-xr-x. 1 root root 600 Apr 8 20:56 opensuse-microos-6.8.4-rc1-1-default-5.conf -rwxr-xr-x. 1 root root 600 Apr 10 21:47 opensuse-microos-6.8.4-rc1-1-default-6.conf -rwxr-xr-x. 1 root root 600 Apr 12 21:13 opensuse-microos-6.8.4-rc1-1-default-7.conf -rwxr-xr-x. 1 root root 588 Apr 13 19:05 opensuse-microos-6.8.5-1-default-8.conf -rwxr-xr-x. 1 root root 590 Apr 26 21:28 opensuse-microos-6.8.6-1-default-10.conf -rwxr-xr-x. 1 root root 588 Apr 26 21:31 opensuse-microos-6.8.6-1-default-9.conf -rwxr-xr-x. 1 root root 590 Apr 28 11:40 opensuse-microos-6.8.7-1-default-10.conf -rwxr-xr-x. 1 root root 590 May 6 20:33 opensuse-microos-6.8.7-1-default-11.conf -rwxr-xr-x. 1 root root 590 May 7 17:18 opensuse-microos-6.8.7-1-default-12.conf -rwxr-xr-x. 1 root root 590 May 7 17:58 opensuse-microos-6.8.7-1-default-13.conf -rwxr-xr-x. 1 root root 590 May 9 08:19 opensuse-microos-6.8.7-1-default-14.conf -rwxr-xr-x. 1 root root 590 May 9 09:55 opensuse-microos-6.8.8-1-default-15.conf 10:~ # But 10:~ # ll /.snapshots/5/snapshot/usr/lib/modules total 0 drwxr-xr-x. 1 root root 600 Apr 8 20:55 6.8.4-rc1-1-default 10:~ # The snapper denials come from /usr/lib/snapper/plugins/10-sdbootutil.snapper which tries to remove kernel entries. 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper delete-snapshot-pre / btrfs 4 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 1 "Failed to remove "/opensuse-microos/6.8.2-1-default/linux-9c7dfa521c0156cccc5a09ea48b102e3a6b41a90", ignoring: Permission denied" 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 2 "Failed to remove "/opensuse-microos/6.8.2-1-default/initrd-e996573948a97ab30a6649fefe16d96b7f678b2e", ignoring: Permission denied" 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 3 "Failed to remove "/boot/efi/loader/entries/opensuse-microos-6.8.2-1-default-4.conf": Permission denied" 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(getUntilEOF):358 - pid:1639 added lines:3 stderr:true 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(execute):180 - stopwatch 0.329812s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper delete-snapshot-pre / btrfs 4" 2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(execute):194 - system() Returns:0 For systemd generators the likely consequence is incomplete sandbox. Not sure how important it is with active SELinux, but having those errors on a clean installation is certainly confusing. -- You are receiving this mail because: You are on the CC list for the bug.