[Bug 1232670] New: [SELinux] importctl cannot write to /var/lib/extensions
https://bugzilla.suse.com/show_bug.cgi?id=1232670

            Bug ID: 1232670
           Summary: [SELinux] importctl cannot write to /var/lib/extensions
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: kukuk@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Importing sysext images with importctl does not work, since SELinux blocks
writing in that directory:

node122:~ # importctl pull-raw --class=sysext https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/gcc-20.... --verify=no
Enqueued transfer job 1. Press C-c to continue download in background.
Pulling 'https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/gcc-20....', saving as 'gcc-20.2.x86-64'.
Operating on image directory '/var/lib/extensions'.
Failed to create /var/lib/extensions/.#verityebe0580e99f54026: Permission denied
Verity integrity file could not be retrieved, proceeding without.
Failed to create /var/lib/extensions/.#roothash96cdb063d430dc58: Permission denied
Root hash file could not be retrieved, proceeding without.
Failed to create /var/lib/extensions/.#roothash.p7s70c3902ea1954e95: Permission denied
Root hash signature file could not be retrieved, proceeding without.
Downloading 241.2M for https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/gcc-20.....
Failed to create /var/lib/extensions/.#rawd292069b0f58e5ea: Permission denied
Failed to retrieve image file.
Exiting.

type=SERVICE_START msg=audit(1730372760.872:336): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1730372764.279:337): avc: denied { write } for pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372764.282:338): avc: denied { write } for pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372764.289:339): avc: denied { write } for pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730372767.479:340): avc: denied { write } for pid=2413 comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SERVICE_STOP msg=audit(1730372797.529:341): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232670

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |cathy.hu@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1232670

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com
           Assignee|cathy.hu@suse.com           |filippo.bonazzi@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1232670
https://bugzilla.suse.com/show_bug.cgi?id=1232670#c1

--- Comment #1 from Thorsten Kukuk <kukuk@suse.com> ---
importctl is also not allowed to download portable images. Means: create
/var/lib/portables if it does not exist, and write into it if it exists:

type=AVC msg=audit(1730732931.911:259): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732931.914:260): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732931.918:261): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732932.484:262): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732952.661:263): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732952.668:264): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732952.671:265): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730732953.231:266): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0

# importctl pull-raw https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/strace-... --verify=no --class=portable
https://bugzilla.suse.com/show_bug.cgi?id=1232670
https://bugzilla.suse.com/show_bug.cgi?id=1232670#c2

--- Comment #2 from Thorsten Kukuk <kukuk@suse.com> ---
Same for /var/lib/confexts/

# importctl pull-raw https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/strace-... --verify=no --class=confext
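Every AVC record in this thread has the same shape: the systemd_importd_t domain (comm="systemd-pull") is denied write on a directory labelled with the generic var_lib_t type (/var/lib itself, extensions, portables). The script below is an added example for triaging such denials; it is not code from the bug report, from systemd or from the SUSE SELinux policy. It splits audit output into records (the mail runs several onto one line), parses the AVC fields, groups denials by source type, target type and object class, drafts the allow rule that audit2allow would emit for the group, and warns when the target type is a catch-all type like var_lib_t, because an allow on that type grants the domain write access to every var_lib_t directory, not just the three image directories. SAMPLE_AUDIT is a subset of the records quoted above; GENERIC_TYPES and the warning heuristic are this example's own assumptions.

```python
"""Triage SELinux AVC denials and draft the narrowest policy fix.

Added example for the importctl/systemd-importd report; not code from
systemd, the SUSE policy or the bug report.  SAMPLE_AUDIT is a subset of
the records quoted in the report.  GENERIC_TYPES and the warning logic
are this example's own heuristic.
"""
import re

# Records copied from the report: one non-AVC record, two AVC records run
# together on one line (as the mail shows them), then two more AVC records.
SAMPLE_AUDIT = (
    'type=SERVICE_START msg=audit(1730372760.872:336): pid=1 uid=0 auid=4294967295 '
    'ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'unit=systemd-importd '
    'comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'\n'
    'type=AVC msg=audit(1730372764.279:337): avc: denied { write } for pid=2413 '
    'comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 '
    'scontext=system_u:system_r:systemd_importd_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 '
    'type=AVC msg=audit(1730372764.282:338): avc: denied { write } for pid=2413 '
    'comm="systemd-pull" name="extensions" dev="dm-0" ino=143939 '
    'scontext=system_u:system_r:systemd_importd_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0\n'
    'type=AVC msg=audit(1730732931.911:259): avc: denied { write } for pid=10839 '
    'comm="systemd-pull" name="lib" dev="dm-1" ino=259 '
    'scontext=system_u:system_r:systemd_importd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0\n'
    'type=AVC msg=audit(1730732952.661:263): avc: denied { write } for pid=10854 '
    'comm="systemd-pull" name="portables" dev="dm-1" ino=217616 '
    'scontext=system_u:system_r:systemd_importd_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0\n'
)

# Assumption: catch-all types that label whole trees; an allow on one of
# these is far broader than the handful of paths seen in the denials.
GENERIC_TYPES = {'var_lib_t', 'var_t', 'var_run_t', 'etc_t', 'tmp_t', 'usr_t'}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bname="(?P<name>[^"]*)")?'      # name= is absent for some classes
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def split_records(text):
    """One audit record per element, even when several share a line."""
    return [r for r in re.split(r'\s+(?=type=)', text) if r.strip()]


def type_of(context):
    """user:role:type:level -> type."""
    return context.split(':')[2]


def parse_avc(text):
    """Return one dict per AVC denial; non-AVC records are skipped."""
    denials = []
    for rec in split_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        g = m.groupdict()
        denials.append({
            'perms': frozenset(g['perms'].split()),
            'comm': g['comm'],
            'name': g['name'],
            'stype': type_of(g['scontext']),
            'ttype': type_of(g['tcontext']),
            'tclass': g['tclass'],
            'enforcing': g['permissive'] != '1',
        })
    return denials


def summarize(denials):
    """Group by (source type, target type, class): perms, count, object names."""
    agg = {}
    for d in denials:
        e = agg.setdefault((d['stype'], d['ttype'], d['tclass']),
                           {'perms': set(), 'count': 0, 'names': set()})
        e['perms'] |= d['perms']
        e['count'] += 1
        if d['name']:
            e['names'].add(d['name'])
    return agg


def draft_rules(agg):
    """Return (allow rules as audit2allow would draft them, warnings)."""
    rules, warnings = [], []
    for (stype, ttype, tclass), e in sorted(agg.items()):
        perms = ' '.join(sorted(e['perms']))
        rules.append(f'allow {stype} {ttype}:{tclass} {{ {perms} }};')
        if ttype in GENERIC_TYPES:
            warnings.append(
                f'{stype} -> {ttype}:{tclass}: {ttype} is a catch-all type, so this '
                f'rule lets {stype} {perms} every {ttype} {tclass}, not only '
                f'{", ".join(sorted(e["names"]))}. Prefer a file-context entry that '
                f'gives those paths a domain-specific type, restorecon them, and '
                f'allow that type instead.')
    return rules, warnings


if __name__ == '__main__':
    agg = summarize(parse_avc(SAMPLE_AUDIT))
    for (s, t, c), e in agg.items():
        print(f"{s} -> {t}:{c} {sorted(e['perms'])} x{e['count']} on {sorted(e['names'])}")
    rules, warnings = draft_rules(agg)
    print('\n'.join(rules + warnings))
```

On a live host the input would come from `ausearch -m AVC -c systemd-pull` rather than the embedded sample; the point of the grouping is that all three comments in the thread collapse to a single (systemd_importd_t, var_lib_t, dir) key, which is exactly the case where a blanket allow is the wrong fix.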