[Bug 1232527] New: [SELinux] "systemd-bless-boot good" fails during boot time
https://bugzilla.suse.com/show_bug.cgi?id=1232527

            Bug ID: 1232527
           Summary: [SELinux] "systemd-bless-boot good" fails during boot time
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: danilo.spinella@suse.com
        QA Contact: security-team@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Operating System: openSUSE MicroOS

SELinux status, mode and policy name: enabled, enforcing, targeted

SELinux policy version and repository: 20241021-1.1, openSUSE-Tumbleweed-Oss

The software (incl. version) that is affected by the SELinux issue and the
error message:
systemd 256.7, systemd-bless-boot,
"Failed to rename '/loader/entries/opensuse-microos-6.11.5-1-default-1+2-1.conf'
to '/loader/entries/opensuse-microos-6.11.5-1-default-1.conf': Permission Denied"

SELinux Audit log:
type=AVC msg=audit(1730195064.486:34): avc: denied { rename } for pid=1142 comm="systemd-bless-b" name="opensuse-microos-6.11.5-1-default-1+2-1.conf" dev="vda2" ino=11 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0

Any other important details:
N/A

-- 
You are receiving this mail because:
You are on the CC list for the bug.
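The AVC record in the report is the raw input one would feed to audit2allow. The following is an added example (not part of the bug report or of the openSUSE policy) that parses such records the same way and emits the minimal type-enforcement module they imply; the module name `bsc1232527_local` and the second sample line (an `unlink` denial) are constructed for illustration, the first sample line is the denial quoted above.

```python
"""Turn SELinux AVC denials into a minimal type-enforcement (.te) module,
the way audit2allow does.  Added example; the module name and all sample
log lines except the first are constructed for illustration."""
import re
from collections import defaultdict

# Field order in an AVC record is fixed by the kernel: result, permission set,
# then scontext/tcontext/tclass, with permissive= appended by newer kernels.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)


def ctx_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """Return the denial's source type, target type, class and permissions,
    or None for non-AVC lines and for 'granted' records."""
    m = AVC_RE.search(line)
    if m is None or m["result"] != "denied":
        return None
    return {
        "source": ctx_type(m["scontext"]),
        "target": ctx_type(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": frozenset(m["perms"].split()),
        # permissive=1 means the access was only logged, not blocked; such
        # records still need rules before the domain is put in enforcing mode.
        "permissive": m["permissive"] == "1",
    }


def allow_rules(lines):
    """Merge all denials with the same (source, target, class) into one rule."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


def te_module(name, lines):
    """Render a complete .te module: header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            types.update((d["source"], d["target"]))
            classes[d["tclass"]] |= d["perms"]
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    return (f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n"
            + "\n".join(allow_rules(lines)) + "\n")


# First line: the denial quoted in the bug report.  The rest are constructed:
# a second denial for the same pair, a granted record and an unrelated line,
# to show that only real denials contribute rules.
SAMPLE_LOG = [
    'type=AVC msg=audit(1730195064.486:34): avc: denied { rename } for pid=1142 '
    'comm="systemd-bless-b" name="opensuse-microos-6.11.5-1-default-1+2-1.conf" '
    'dev="vda2" ino=11 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1730195064.487:35): avc: denied { unlink } for pid=1142 '
    'comm="systemd-bless-b" name="constructed.conf" dev="vda2" ino=12 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dosfs_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1730195064.488:36): avc: granted { read } for pid=1142 '
    'comm="systemd-bless-b" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1730195064.486:34): arch=c000003e syscall=82 success=no',
]

if __name__ == "__main__":
    print(te_module("bsc1232527_local", SAMPLE_LOG))
```

The rendered module can be compiled and loaded with the standard toolchain (`checkmodule -M -m -o x.mod x.te && semodule_package -o x.pp -m x.mod && semodule -i x.pp`). Two caveats: a rule derived from a single denial only covers the operation that was logged, so after loading it re-run the failing service and check `ausearch -m avc -ts recent` for the next denial; and a local module like this is a workaround, the distribution policy would express "init manages files on the ESP" through its own interfaces rather than a bare allow rule.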
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c1

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |jsegitz@suse.com

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
I'll have a look
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c2

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |danilo.spinella@suse.com
              Flags|                            |needinfo?(danilo.spinella@s
                   |                            |use.com)

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
Are you using an UKI? Or did you otherwise modify the system so that systemd
boot counting is active for you?
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c3

Danilo Spinella <danilo.spinella@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(danilo.spinella@s |
                   |use.com)                    |

--- Comment #3 from Danilo Spinella <danilo.spinella@suse.com> ---
(In reply to Johannes Segitz from comment #2)
> Are you using an UKI? Or did you otherwise modify the system so that systemd
> boot counting is active for you?

I enabled boot counting for MicroOS so that health-checker can make use of it.
systemd-bless-boot was not called previously, hence the error was not happening.

https://github.com/openSUSE/health-checker/pull/28
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c4

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
do you have a package I can use to reproduce this? Or do I need to take the
source from the PR?
https://bugzilla.suse.com/show_bug.cgi?id=1232527

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?                   |needinfo?(danilo.spinella@s
                   |                            |use.com)
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c5

Danilo Spinella <danilo.spinella@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(danilo.spinella@s |
                   |use.com)                    |

--- Comment #5 from Danilo Spinella <danilo.spinella@suse.com> ---
(In reply to Johannes Segitz from comment #4)
> do you have a package I can use to reproduce this? Or do I need to take the
> source from the PR?

Yes, there is a package here:
https://build.opensuse.org/package/show/home:dspinella:microos/health-checke...

To reproduce it, I started MicroOS with systemd-boot enabled [1] and then
installed the package through transactional-update (transactional-update pkg
in ./health-checker.rpm). In the next boot, the service
systemd-bless-boot.service fails.

[1]: https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-...
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c6

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---
Still have problems reproducing this. bootctl tells me boot counting is
active, but the EFI variable isn't there. I'll try to spend more time on this
tomorrow, today I have to finish something else
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c7

--- Comment #7 from Johannes Segitz <jsegitz@suse.com> ---
I can get boot counting to work with the image and then adding a boot loader
entry like this:

cp /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2.conf /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2+3.conf

the "+3" activates boot counting for me when I boot this entry, but even then
I don't see the denial. For me the service starts fine.

But in the end the denial you see makes sense and init should be able to
manage files there. Please give the policy in
https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELin...
a try

transactional-update shell
zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security...
zypper in --allow-vendor-change selinux-policy-targeted
exit
reboot
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c8

--- Comment #8 from Danilo Spinella <danilo.spinella@suse.com> ---
(In reply to Johannes Segitz from comment #7)
> I can get boot counting to work with the image and then adding a boot loader
> entry like this:
> 
> cp /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2.conf /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2+3.conf
> 
> the "+3" activates boot counting for me when I boot this entry, but even then
> I don't see the denial. For me the service starts fine.

Does the entry get renamed? With the provided image, the boot counting should
be enabled after installing health-checker (because it provides
/etc/kernel/tries); enabling it manually works but makes me wonder what has
gone wrong. Also, I think that copying might confuse the boot counting, as
there is an entry with boot counting and another entry marked as good.

> But in the end the denial you see makes sense and init should be able to
> manage files there. Please give the policy in
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1232527/selinux-policy
> a try
> 
> transactional-update shell
> zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security:/SELinux_bsc1232527/openSUSE_Factory/home:jsegitz:branches:security:SELinux_bsc1232527.repo
> zypper in --allow-vendor-change selinux-policy-targeted
> exit
> reboot

Thanks Johannes, I'll try it asap.
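Comments 7 and 8 turn on the file-name convention systemd-boot uses for boot counting: an entry `NAME+L.conf` has L tries left, the boot loader renames it to `NAME+L-1-1.conf` before each attempt, `systemd-bless-boot good` strips the counter to `NAME.conf` and `bad` freezes it at `NAME+0-D.conf`. The following is an added example (not code from systemd, the bug or health-checker) that models exactly those renames on the file names from this thread and flags the situation comment 8 warns about, an entry that exists both with and without a counter. The helper names are the example's own.

```python
"""Model of the systemd-boot boot-counting file-name convention
(NAME+LEFT[-DONE].conf, also .efi for UKIs).  Added example; function names
are this example's own, the entry names are taken from the bug thread."""
import re
from typing import NamedTuple, Optional

# The counter is the last "+LEFT" or "+LEFT-DONE" before the extension.
_COUNTER_RE = re.compile(
    r"^(?P<stem>.+)\+(?P<left>\d+)(?:-(?P<done>\d+))?(?P<ext>\.conf|\.efi)$"
)


class Entry(NamedTuple):
    stem: str   # entry name without the counter
    left: int   # tries left
    done: int   # tries already made
    ext: str


def parse_entry(name: str) -> Optional[Entry]:
    """Return the counter fields, or None if the entry carries no counter
    (i.e. it is already 'good' or never had boot counting enabled)."""
    m = _COUNTER_RE.match(name)
    if m is None:
        return None
    return Entry(m["stem"], int(m["left"]), int(m["done"] or 0), m["ext"])


def next_try(name: str) -> str:
    """Rename the boot loader performs before booting a counted entry."""
    e = parse_entry(name)
    if e is None or e.left == 0:          # uncounted, or already bad: untouched
        return name
    return f"{e.stem}+{e.left - 1}-{e.done + 1}{e.ext}"


def bless_good(name: str) -> str:
    """Rename done by 'systemd-bless-boot good' once userspace is healthy.
    In the bug report this is the rename that init_t is denied on dosfs_t."""
    e = parse_entry(name)
    return name if e is None else f"{e.stem}{e.ext}"


def bless_bad(name: str) -> str:
    """Rename done by 'systemd-bless-boot bad': zero tries left, all done."""
    e = parse_entry(name)
    return name if e is None else f"{e.stem}+0-{e.left + e.done}{e.ext}"


def conflicting_stems(names) -> list:
    """Entries present both with a counter and without one, the state that
    copying an entry to 'NAME+3.conf' next to 'NAME.conf' creates."""
    counted, plain = set(), set()
    for n in names:
        e = parse_entry(n)
        if e is None:
            plain.add(n)
        else:
            counted.add(e.stem + e.ext)
    return sorted(counted & plain)


if __name__ == "__main__":
    reported = "opensuse-microos-6.11.5-1-default-1+2-1.conf"
    print(reported, "->", bless_good(reported))
    copied = "opensuse-microos-6.11.8-1-default-2+3.conf"
    print(copied, "->", next_try(copied))
    print("conflicts:", conflicting_stems([
        "opensuse-microos-6.11.8-1-default-2.conf", copied]))
```

The rename in `next_try` happens inside the boot loader on the ESP, before any kernel or SELinux policy is loaded; only the `bless_good` and `bless_bad` renames run in userspace as init_t, which is why the denial in this bug is on `good` and not on the counter decrement.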
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c9

--- Comment #9 from Johannes Segitz <jsegitz@suse.com> ---
ha, now it fails for me. I didn't change anything (TM). Perfect, so now I can
test the fix myself
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c10

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #10 from Johannes Segitz <jsegitz@suse.com> ---
Problem still happens with the changed policy, don't know why yet. You do not
need to bother to test yet