https://bugzilla.suse.com/show_bug.cgi?id=1232670 Thorsten Kukuk <kukuk@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|security-team@suse.de |cathy.hu@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1232670 https://bugzilla.suse.com/show_bug.cgi?id=1232670#c1 --- Comment #1 from Thorsten Kukuk <kukuk@suse.com> --- importctl is also not allowed to download portable images. Means create /var/lib/portables if it does not exit and writing into it if it exists: type=AVC msg=audit(1730732931.911:259): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732931.914:260): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732931.918:261): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732932.484:262): avc: denied { write } for pid=10839 comm="systemd-pull" name="lib" dev="dm-1" ino=259 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732952.661:263): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732952.668:264): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732952.671:265): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1730732953.231:266): avc: denied { write } for pid=10854 comm="systemd-pull" name="portables" dev="dm-1" ino=217616 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 # importctl pull-raw https://download.opensuse.org/repositories/home:/kukuk:/sysext/mkosi/strace-... --verify=no --class=portable -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1232670 https://bugzilla.suse.com/show_bug.cgi?id=1232670#c3 Filippo Bonazzi <filippo.bonazzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kukuk@suse.com Status|NEW |IN_PROGRESS Flags| |needinfo?(kukuk@suse.com) --- Comment #3 from Filippo Bonazzi <filippo.bonazzi@suse.com> --- Sorry for taking so long. Can you try with the policy in https://build.opensuse.org/package/show/home:fbonazzi:branches:security:SELi... ? Can you also test that everything you want to do with these images then works? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1232670 https://bugzilla.suse.com/show_bug.cgi?id=1232670#c5 --- Comment #5 from Filippo Bonazzi <filippo.bonazzi@suse.com> --- Ok thanks, I will consider the fix validated for now. Of course if anything further comes up we can fix it (I imagine much quicker). We will send the fix to Factory soon. -- You are receiving this mail because: You are on the CC list for the bug.