[Bug 1233358] New: [SELinux] AVC denial for sdbootutil during snapper cleanup
https://bugzilla.suse.com/show_bug.cgi?id=1233358

            Bug ID: 1233358
           Summary: [SELinux] AVC denial for sdbootutil during snapper cleanup
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: fvogt@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

On my Tumbleweed system with systemd-boot + TPM backed FDE and the SELinux targeted policy in enforcing mode, I found some AVC denials which were triggered by snapper-cleanup.service. snapper cleanup runs sdbootutil which in turn executes systemd-pcrlock:

type=AVC msg=audit(14.11.2024 10:13:13.145:227) : avc: denied { execute } for pid=6038 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.145:228) : avc: denied { execute } for pid=6038 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.319:229) : avc: denied { execute } for pid=6082 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.319:230) : avc: denied { execute } for pid=6082 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.482:231) : avc: denied { execute } for pid=6126 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.482:232) : avc: denied { execute } for pid=6126 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.652:233) : avc: denied { execute } for pid=6170 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.652:234) : avc: denied { execute } for pid=6170 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.829:235) : avc: denied { execute } for pid=6214 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.829:236) : avc: denied { execute } for pid=6214 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.999:237) : avc: denied { execute } for pid=6258 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.999:238) : avc: denied { execute } for pid=6258 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:14.175:239) : avc: denied { execute } for pid=6302 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:14.175:240) : avc: denied { execute } for pid=6302 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c1

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |jsegitz@suse.com

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
I'll have a look
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c2

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|                            |needinfo?(fvogt@suse.com)
                CC|                            |fvogt@suse.com

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
ATM I can't reproduce, but the fix is (probably) straightforward. Can you please test
https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELin...

Thank you
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c3

Fabian Vogt <fvogt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|needinfo?(fvogt@suse.com)   |

--- Comment #3 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #2)
> ATM I can't reproduce, but the fix is (probably) straightforward. Can you please test
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1233358/selinux-policy
>
> Thank you
FWICT it works - no denial after snapper-cleanup.service ran on boot.

I do see some related denials after running zypper though:

type=AVC msg=audit(1733321321.426:322): avc: denied { unlink } for pid=11294 comm="rm" name="generated.pcrlock" dev="dm-0" ino=998938 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:323): avc: denied { unlink } for pid=11294 comm="rm" name="generated.pcrlock" dev="dm-0" ino=998940 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:324): avc: denied { unlink } for pid=11294 comm="rm" name="generated.pcrlock" dev="dm-0" ino=998942 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1733321321.426:330): avc: denied { unlink } for pid=11294 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=998953 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:331): avc: denied { unlink } for pid=11294 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=998955 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:332): avc: denied { unlink } for pid=11294 comm="rm" name="linux-2.pcrlock" dev="dm-0" ino=998956 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:333): avc: denied { unlink } for pid=11294 comm="rm" name="linux-3.pcrlock" dev="dm-0" ino=998957 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:334): avc: denied { unlink } for pid=11294 comm="rm" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=998959 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
...
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c4

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
thanks for testing. I'll have a look at the other denials.

if you still have the system:
Can you please check the inode for the denials? E.g. last one:

find / -inum 998959

Thanks
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c5

--- Comment #5 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #4)
> thanks for testing. I'll have a look at the other denials.
>
> if you still have the system:

Yup, it's my main work machine ;-)

> Can you please check the inode for the denials? E.g. last one:
>
> find / -inum 998959
>
> Thanks

That's easy to find, it's all in pcrlock.d:

find /var/lib/pcrlock.d/ -inum 998959
/var/lib/pcrlock.d/710-kernel-cmdline-initrd-entry.pcrlock.d/cmdline-initrd-1.pcrlock

All files in /var/lib/pcrlock.d/ are system_u:object_r:var_lib_t:s0.
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c6

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---
I can reproduce, never mind. I also see:

type=AVC msg=audit(1733314904.393:825): avc: denied { read write } for pid=21263 comm="systemd-pcrlock" name="tpmrm0" dev="devtmpfs" ino=125 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c8

--- Comment #8 from Johannes Segitz <jsegitz@suse.com> ---
There were quite a number of additional AVCs with my recent change. Current version is in
build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1233358/selinux-policy

This ATM doesn't throw any AVCs for me. Can you please check?
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c9

--- Comment #9 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #8)
> There were quite a number of additional AVCs with my recent change. Current version is in
> build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1233358/selinux-policy
>
> This ATM doesn't throw any AVCs for me. Can you please check?

I still get two:

time->Mon Dec 9 09:52:44 2024
type=AVC msg=audit(1733734364.286:222): avc: denied { rmdir } for pid=9278 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1018215 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Mon Dec 9 09:52:44 2024
type=AVC msg=audit(1733734364.466:223): avc: denied { create } for pid=9286 comm="mkdir" name="710-kernel-cmdline-initrd-entry.pcrlock.d" scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
----

(No idea why pcrlock tries to rmdir /var/lib/pcrlock.d, maybe just to check whether it's empty?)
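The denials quoted throughout this bug are the raw material for the policy change, and the usual first step is to fold them into (source type, target type, class) groups the way audit2allow does. The script below is an added example written for this page, not code from the bug, from systemd or from the selinux-policy package; its input is a handful of AVC lines copied from the comments above, constructed into one sample string. Two details matter beyond the grouping. First, it records which source domains logged permissive=1: such a denial was not enforced, either because the whole system is permissive or, as here where snapperd_t records carry permissive=0 at the same moment, because only that domain (systemd_pcrlock_t) is permissive, so the operation went ahead and the lack of a visible failure says nothing about whether the rule is needed. Second, it flags generated rules whose target is a generic base type such as var_lib_t: allowing snapperd_t to unlink var_lib_t files would cover all of /var/lib, which is why this bug ends with a private type for /var/lib/pcrlock.d rather than the literal audit2allow output.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the comments in this bug,
# covering both timestamp styles (`ausearch -i` and raw epoch) seen in the thread,
# plus the "time->" and "----" separator lines that ausearch prints between records.
SAMPLE_AVCS = """\
type=AVC msg=audit(14.11.2024 10:13:13.145:227) : avc: denied { execute } for pid=6038 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(14.11.2024 10:13:13.145:228) : avc: denied { execute } for pid=6038 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733321321.426:322): avc: denied { unlink } for pid=11294 comm="rm" name="generated.pcrlock" dev="dm-0" ino=998938 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733314904.393:825): avc: denied { read write } for pid=21263 comm="systemd-pcrlock" name="tpmrm0" dev="devtmpfs" ino=125 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0
time->Mon Dec 9 09:52:44 2024
type=AVC msg=audit(1733734364.286:222): avc: denied { rmdir } for pid=9278 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1018215 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(1733734364.466:223): avc: denied { create } for pid=9286 comm="mkdir" name="710-kernel-cmdline-initrd-entry.pcrlock.d" scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Base types that label whole trees; a write-class allow on them is far wider
# than the one path that triggered the denial (assumed list for illustration).
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "dosfs_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "rmdir",
              "add_name", "remove_name", "setattr"}


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if whole.startswith('"') else bare
    # user:role:type:level -> keep just the type for policy work
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(text):
    """Union the denied permissions per (source type, target type, class) and
    collect source domains whose denials were logged but not enforced."""
    grouped = defaultdict(set)
    permissive_domains = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        grouped[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
        if rec["permissive"]:
            permissive_domains.add(rec["source_type"])
    return grouped, permissive_domains


def candidate_rules(grouped):
    """Render audit2allow-style allow rules: candidates to review, not to apply as-is."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]


def needs_private_type(grouped):
    """Keys whose rule would grant write-class access on a generic base type.
    The usual fix is a dedicated type for the directory plus a file transition,
    which is what this bug does for /var/lib/pcrlock.d."""
    return sorted(k for k, perms in grouped.items()
                  if k[1] in GENERIC_TYPES and perms & WRITE_LIKE)


if __name__ == "__main__":
    grouped, permissive = summarize(SAMPLE_AVCS)
    for rule in candidate_rules(grouped):
        print(rule)
    print("permissive domains:", sorted(permissive))
    print("too broad, needs private type:", needs_private_type(grouped))
```

Run it and the snapperd_t rules on var_lib_t and the systemd_pcrlock_t rmdir on var_lib_t are the ones flagged, while the execute on systemd_pcrlock_exec_t and the read/write on tpm_device_t are specific enough to take as they are (in a real module through the corresponding interface calls rather than raw allow rules).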
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c10

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |IN_PROGRESS

--- Comment #10 from Johannes Segitz <jsegitz@suse.com> ---
That's caused by unlink_pcrlock. From a SELinux POV we should dontaudit this, but that will cause issues going forward, because I'm sure we'll see similar denials (or will not see them anymore once we dontaudit them). IMO this needs to be changed in systemd.

src/pcrlock/pcrlock.c
2894         (void) rmdir_parents(p, "/var/lib");

the last parameter specifies where the rmdir stops. This needs to be at least one level deeper.

For now I'll submit the current state as it fixes the bug and adding dontaudit rules would hurt more than it helps
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c11

--- Comment #11 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #10)
> IMO this needs to be changed in systemd.
>
> src/pcrlock/pcrlock.c
> 2894         (void) rmdir_parents(p, "/var/lib");
>
> the last parameter specifies where the rmdir stops. This needs to be at least one level deeper.

FWICT this might be intentional. If pcrlock.d turns empty after deleting the requested component, it is deleted. In turn, it also creates /var/lib/pcrlock.d/ again when needed.
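The rmdir behaviour described in comment #11 is what later produces the write and remove_name denials on /var/lib itself, since removing a directory needs rmdir on that directory and write plus remove_name on its parent. As an added illustration for this page (a Python model of the behaviour the thread attributes to systemd's rmdir_parents(p, "/var/lib"), not systemd's own code), the script builds a throwaway copy of the /var/lib/pcrlock.d layout with the directory names from comment #5, unlinks one component file, walks the now-empty parents upward stopping before the stop directory, and lists per removed directory the SELinux directory permissions that removal requires. The permission mapping is standard SELinux filesystem semantics; the tree contents are constructed sample data.

```python
import tempfile
from pathlib import Path


def rmdir_parents(path, stop):
    """Remove empty parents of `path` from the bottom up, never touching `stop`
    or anything above it. Model of the behaviour described in the bug: once a
    component directory is gone, an empty /var/lib/pcrlock.d is removed as well,
    but /var/lib is left alone. Returns the directories that were removed."""
    path, stop = Path(path), Path(stop)
    removed = []
    for parent in path.parents:
        if parent == stop or stop not in parent.parents:
            break
        try:
            parent.rmdir()          # ENOTEMPTY if a sibling remains: stop walking up
        except OSError:
            break
        removed.append(parent)
    return removed


def selinux_dir_perms_for(removed_dirs):
    """Map each removed directory to the SELinux permissions its removal needs:
    rmdir on the directory itself, write + remove_name on its parent."""
    needs = []
    for d in removed_dirs:
        needs.append((str(d), "rmdir"))
        needs.append((str(d.parent), "write remove_name"))
    return needs


def demo(root, sibling=False):
    """Build a fake var/lib/pcrlock.d tree under `root` (constructed sample data),
    unlink one .pcrlock file the way a component removal would, and return
    (removed directories, required directory permissions) relative to `root`.
    With sibling=True a second component stays behind, so pcrlock.d survives."""
    root = Path(root)
    var_lib = root / "var" / "lib"
    comp = var_lib / "pcrlock.d" / "710-kernel-cmdline-initrd-entry.pcrlock.d"
    comp.mkdir(parents=True)
    target = comp / "cmdline-initrd-1.pcrlock"
    target.write_text("{}")         # content is irrelevant to the cleanup path
    if sibling:
        other = var_lib / "pcrlock.d" / "641-sdboot-loader-conf.pcrlock.d"
        other.mkdir()
        (other / "generated.pcrlock").write_text("{}")

    target.unlink()
    removed = rmdir_parents(target, var_lib)
    rel = lambda p: str(Path(p).relative_to(root))
    return ([rel(d) for d in removed],
            [(rel(d), perm) for d, perm in selinux_dir_perms_for(removed)])


def run_demo(sibling=False):
    """Run demo() inside a temporary directory and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp, sibling=sibling)


if __name__ == "__main__":
    for label, flag in (("last component removed", False), ("sibling remains", True)):
        removed, perms = run_demo(sibling=flag)
        print(f"{label}: removed {removed}")
        for d, perm in perms:
            print(f"  {d}: {perm}")
```

In the first run the walk removes both the component directory and pcrlock.d, and the last pair printed is "var/lib: write remove_name", the permission on the generic var_lib_t parent that the thread is trying to avoid granting to a private-type domain. With a sibling left behind, the rmdir of pcrlock.d fails and nothing above the component is needed.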
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c12

--- Comment #12 from Johannes Segitz <jsegitz@suse.com> ---
okay then I'll introduce a private type for the subdirectory
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c13

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|                            |needinfo?(fvogt@suse.com)

--- Comment #13 from Johannes Segitz <jsegitz@suse.com> ---
Please give home:jsegitz:branches:security:SELinux_bsc1233358/selinux-policy another try. The denials for the rmdir should now be gone.

Thanks
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c14

Fabian Vogt <fvogt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|needinfo?(fvogt@suse.com)   |

--- Comment #14 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #13)
> Please give home:jsegitz:branches:security:SELinux_bsc1233358/selinux-policy another try. The denials for the rmdir should now be gone.
>
> Thanks

Now I see some different ones:

time->Tue Dec 17 14:32:50 2024
type=AVC msg=audit(1734442370.490:596): avc: denied { remove_name } for pid=31535 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1018215 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Tue Dec 17 14:32:50 2024
type=AVC msg=audit(1734442370.734:597): avc: denied { write } for pid=31547 comm="sdbootutil" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=1052268 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:systemd_pcrlock_var_lib_t:s0 tclass=file permissive=0
----
time->Tue Dec 17 14:32:50 2024
type=AVC msg=audit(1734442370.734:598): avc: denied { write } for pid=31547 comm="sdbootutil" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=1052268 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:systemd_pcrlock_var_lib_t:s0 tclass=file permissive=0
----
time->Tue Dec 17 14:32:54 2024
type=AVC msg=audit(1734442374.000:599): avc: denied { write } for pid=31741 comm="sdbootutil" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=1052268 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:systemd_pcrlock_var_lib_t:s0 tclass=file permissive=0
----
time->Tue Dec 17 14:32:54 2024
type=AVC msg=audit(1734442374.000:600): avc: denied { write } for pid=31741 comm="sdbootutil" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=1052268 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:systemd_pcrlock_var_lib_t:s0 tclass=file permissive=0
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c15

--- Comment #15 from Johannes Segitz <jsegitz@suse.com> ---
The first one is weird. A relabel after the policy update should have fixed this. Can you please show the context of /var/lib/pcrlock.d

The others I don't see because snapper doesn't trigger for me, but they make sense. I added the necessary permissions. Can you please try again?

Thanks
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c16

--- Comment #16 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #15)
> The first one is weird. A relabel after the policy update should have fixed this. Can you please show the context of /var/lib/pcrlock.d

/var/lib/pcrlock.d has system_u:object_r:systemd_pcrlock_var_lib_t:s0. I suspect it's about /var/lib/, as attempted removal of /var/lib/pcrlock.d needs write permissions in /var/lib/.

> The others I don't see because snapper doesn't trigger for me, but they make sense. I added the necessary permissions. Can you please try again?
>
> Thanks

Looks like they're gone now, just remove_name + write remain:

----
time->Wed Dec 18 10:32:11 2024
type=AVC msg=audit(1734514331.265:273): avc: denied { write } for pid=15828 comm="systemd-pcrlock" name="lib" dev="dm-0" ino=259 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed Dec 18 10:32:11 2024
type=AVC msg=audit(1734514331.265:274): avc: denied { remove_name } for pid=15828 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1018215 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed Dec 18 10:32:14 2024
type=AVC msg=audit(1734514334.835:275): avc: denied { write } for pid=16080 comm="systemd-pcrlock" name="lib" dev="dm-0" ino=259 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed Dec 18 10:32:14 2024
type=AVC msg=audit(1734514334.835:276): avc: denied { remove_name } for pid=16080 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1018215 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c17

--- Comment #17 from Johannes Segitz <jsegitz@suse.com> ---
Next try. Again no denials for me, but didn't have those that you reported anyway ;)
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c18

--- Comment #18 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #17)
> Next try. Again no denials for me, but didn't have those that you reported anyway ;)

Now I'm having even more different errors...

Initially for some reason, /var/lib/pcrlock.d was var_lib_t and I had to run restorecon -Rv on the directory to restore it. Not sure why, maybe something I did recently, let's ignore that for now.

After the restorecon I get some new errors, this time for /var/lib/systemd/{,pcrlock.json} and /boot/efi contents:

time->Thu Dec 19 13:20:25 2024
type=AVC msg=audit(1734610825.446:411): avc: denied { read } for pid=21554 comm="systemd-pcrlock" name="pcrlock.json" dev="dm-0" ino=1078048 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:25 2024
type=AVC msg=audit(1734610825.446:412): avc: denied { open } for pid=21554 comm="systemd-pcrlock" path="/var/lib/systemd/pcrlock.json" dev="dm-0" ino=1078048 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:25 2024
type=AVC msg=audit(1734610825.446:413): avc: denied { getattr } for pid=21554 comm="systemd-pcrlock" path="/var/lib/systemd/pcrlock.json" dev="dm-0" ino=1078048 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.863:414): avc: denied { write } for pid=21554 comm="systemd-pcrlock" name="systemd" dev="dm-0" ino=3502 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.863:415): avc: denied { add_name } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.json1aa86ac669d36746" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.863:416): avc: denied { create } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.json1aa86ac669d36746" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.863:417): avc: denied { write } for pid=21554 comm="systemd-pcrlock" path="/var/lib/systemd/.#pcrlock.json1aa86ac669d36746" dev="dm-0" ino=1078111 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.876:418): avc: denied { read } for pid=21554 comm="systemd-pcrlock" name="systemd" dev="dm-0" ino=3502 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.883:419): avc: denied { setattr } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.json1aa86ac669d36746" dev="dm-0" ino=1078111 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.883:420): avc: denied { remove_name } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.json1aa86ac669d36746" dev="dm-0" ino=1078111 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.883:421): avc: denied { rename } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.json1aa86ac669d36746" dev="dm-0" ino=1078111 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.883:422): avc: denied { unlink } for pid=21554 comm="systemd-pcrlock" name="pcrlock.json" dev="dm-0" ino=1078048 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.893:423): avc: denied { write } for pid=21554 comm="systemd-pcrlock" name="credentials" dev="nvme0n1p1" ino=166 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.893:424): avc: denied { add_name } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred70cf5bc2b56da0e2" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----

fvogt@fvogt-thinkpad:~> ls -Z /var/lib/systemd/pcrlock.json
system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/pcrlock.json
fvogt@fvogt-thinkpad:~> /sbin/restorecon -nv /var/lib/systemd/pcrlock.json
(no output)

time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.893:425): avc: denied { create } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred70cf5bc2b56da0e2" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1734610828.893:426): avc: denied { write } for pid=21554 comm="systemd-pcrlock" path="/boot/efi/loader/credentials/.#pcrlock.opensuse-tumbleweed.cred70cf5bc2b56da0e2" dev="nvme0n1p1" ino=277 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.896:427): avc: denied { read } for pid=21554 comm="systemd-pcrlock" name="credentials" dev="nvme0n1p1" ino=166 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.896:428): avc: denied { setattr } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred70cf5bc2b56da0e2" dev="nvme0n1p1" ino=277 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.896:429): avc: denied { remove_name } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred70cf5bc2b56da0e2" dev="nvme0n1p1" ino=277 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.896:430): avc: denied { rename } for pid=21554 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred70cf5bc2b56da0e2" dev="nvme0n1p1" ino=277 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:28 2024
type=AVC msg=audit(1734610828.896:431): avc: denied { unlink } for pid=21554 comm="systemd-pcrlock" name="pcrlock.opensuse-tumbleweed.cred" dev="nvme0n1p1" ino=250 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:35 2024
type=AVC msg=audit(1734610835.223:432): avc: denied { create } for pid=21852 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred43b289ab83103b41" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:35 2024
type=AVC msg=audit(1734610835.223:433): avc: denied { write } for pid=21852 comm="systemd-pcrlock" path="/boot/efi/loader/credentials/.#pcrlock.opensuse-tumbleweed.cred43b289ab83103b41" dev="nvme0n1p1" ino=304 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:35 2024
type=AVC msg=audit(1734610835.226:434): avc: denied { setattr } for pid=21852 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred43b289ab83103b41" dev="nvme0n1p1" ino=304 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:35 2024
type=AVC msg=audit(1734610835.226:435): avc: denied { rename } for pid=21852 comm="systemd-pcrlock" name=".#pcrlock.opensuse-tumbleweed.cred43b289ab83103b41" dev="nvme0n1p1" ino=304 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Thu Dec 19 13:20:35 2024
type=AVC msg=audit(1734610835.226:436): avc: denied { unlink } for pid=21852 comm="systemd-pcrlock" name="pcrlock.opensuse-tumbleweed.cred" dev="nvme0n1p1" ino=277 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c19

--- Comment #19 from Johannes Segitz <jsegitz@suse.com> ---
It probably depends on what the update does and what kind of changes pcrlock has to do. I didn't see any of those before. I'm currently working on a different bug that has some similar denials for a systemd component and will see if there's a chance to deal with this on a higher abstraction level
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c20

--- Comment #20 from Johannes Segitz <jsegitz@suse.com> ---
so, next try. /var/lib/systemd/pcrlock.json should now get the proper type and dos files can be managed. Can't test myself as it doesn't happen on my system
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c21

--- Comment #21 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #20)
> so, next try. /var/lib/systemd/pcrlock.json should now get the proper type and dos files can be managed. Can't test myself as it doesn't happen on my system

Tested. The denials for /boot/efi are gone, but the ones for pcrlock.json remain. I see that the label did not get applied:

fvogt@fvogt-thinkpad:~> ls -Z /var/lib/systemd/pcrlock.json
system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/pcrlock.json
fvogt@fvogt-thinkpad:~> sudo /sbin/restorecon -v /var/lib/systemd/pcrlock.json
Relabeled /var/lib/systemd/pcrlock.json from system_u:object_r:init_var_lib_t:s0 to system_u:object_r:lib_t:s0
fvogt@fvogt-thinkpad:~> ls -Z /var/lib/systemd/pcrlock.json
system_u:object_r:lib_t:s0 /var/lib/systemd/pcrlock.json

I ran zypper again, but got the same denials. The label was reset again:

fvogt@fvogt-thinkpad:~> ls -Z /var/lib/systemd/pcrlock.json
system_u:object_r:init_var_lib_t:s0 /var/lib/systemd/pcrlock.json
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c22

--- Comment #22 from Johannes Segitz <jsegitz@suse.com> ---
I can finally reproduce myself and have a fix. Please test again, maybe we can get this done in 2024 :)
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c23

--- Comment #23 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #22)
> I can finally reproduce myself and have a fix. Please test again, maybe we can get this done in 2024 :)

Unfortunately the same issue: After installation of selinux-policy-{,targeted-}20241220-326.1, I got some denials because of the wrong label again. After using restorecon to set the expected label on pcrlock.json, I ran zypper and it was reset to the wrong one again. Output identical to comment 21.
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c24

--- Comment #24 from Johannes Segitz <jsegitz@suse.com> ---
weird. Okay I'll look into it again if I can reproduce it. Thanks for testing
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c25

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|                            |needinfo?(fvogt@suse.com)

--- Comment #25 from Johannes Segitz <jsegitz@suse.com> ---
so I think I figured it out. The file is not created where I expected it, but is only moved there later. Please give the current version a try
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c26
Fabian Vogt <fvogt@suse.com> changed: Flags: needinfo?(fvogt@suse.com) (removed)
--- Comment #26 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #25)
> So I think I figured it out. The file is not created where I expected it, but is only moved there later. Please give the current version a try.

I installed the new policy packages and (without rebooting) did a zypper dup to the latest snapshot. I got some denials:

time->Thu Jan 9 14:57:02 2025
type=AVC msg=audit(1736431022.145:574): avc: denied { write } for pid=73676 comm="systemd-pcrlock" name="generated.pcrlock" dev="dm-0" ino=1101542 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:02 2025
type=AVC msg=audit(1736431022.145:575): avc: denied { open } for pid=73676 comm="systemd-pcrlock" path="/var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock" dev="dm-0" ino=1101542 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:02 2025
type=AVC msg=audit(1736431022.145:576): avc: denied { getattr } for pid=73676 comm="systemd-pcrlock" path="/var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock" dev="dm-0" ino=1101542 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:02 2025
type=AVC msg=audit(1736431022.188:577): avc: denied { rmdir } for pid=73679 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1101540 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Jan 9 14:57:03 2025
type=AVC msg=audit(1736431023.182:578): avc: denied { read } for pid=73748 comm="systemd-pcrlock" name="generated.pcrlock" dev="dm-0" ino=1101550 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:03 2025
type=AVC msg=audit(1736431023.185:579): avc: denied { read } for pid=73748 comm="systemd-pcrlock" name="pcrlock.json" dev="dm-0" ino=1101576 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:03 2025
type=AVC msg=audit(1736431023.185:580): avc: denied { open } for pid=73748 comm="systemd-pcrlock" path="/var/lib/systemd/pcrlock.json" dev="dm-0" ino=1101576 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:03 2025
type=AVC msg=audit(1736431023.185:581): avc: denied { getattr } for pid=73748 comm="systemd-pcrlock" path="/var/lib/systemd/pcrlock.json" dev="dm-0" ino=1101576 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 9 14:57:07 2025
type=AVC msg=audit(1736431027.558:582): avc: denied { unlink } for pid=73893 comm="systemd-pcrlock" name="pcrlock.json" dev="dm-0" ino=1101576 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:init_var_lib_t:s0 tclass=file permissive=1

I did /sbin/restorecon -vR /var/lib/pcrlock.d which fixed up some labels from var_lib_t to systemd_pcrlock_var_lib_t and now zypper does not complain anymore. I do wonder if there's still an issue lingering though, as this should've worked I think.
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c27
Johannes Segitz <jsegitz@suse.com> changed: Flags: needinfo? (added)
--- Comment #27 from Johannes Segitz <jsegitz@suse.com> ---
It probably didn't work for you as the file labeling rules were already present, so it didn't relabel the (wrongly labeled) files. If you didn't get denials after that then we should be good now. Users that didn't go through this whole journey will get the files relabeled and shouldn't see the problems.

Thank you very much for your patience! I'll now clean this up and submit it to Factory and send a PR upstream.

Johannes Segitz <jsegitz@suse.com> changed: Flags: needinfo? (removed)
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c28
--- Comment #28 from Fabian Vogt <fvogt@suse.com> ---
I got some more denials today:

time->Fri Jan 10 10:13:17 2025
type=AVC msg=audit(1736500397.089:206): avc: denied { unlink } for pid=12506 comm="systemd-pcrlock" name="pcrlock.json" dev="tmpfs" ino=1214 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
----
time->Fri Jan 10 10:14:57 2025
type=AVC msg=audit(1736500497.552:263): avc: denied { create } for pid=29879 comm="systemd-pcrlock" name="generated.pcrlock" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jan 10 10:14:57 2025
type=AVC msg=audit(1736500497.552:264): avc: denied { write open } for pid=29879 comm="systemd-pcrlock" path="/var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock" dev="dm-0" ino=1125347 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jan 10 10:14:57 2025
type=AVC msg=audit(1736500497.552:265): avc: denied { getattr } for pid=29879 comm="systemd-pcrlock" path="/var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock" dev="dm-0" ino=1125347 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jan 10 10:14:57 2025
type=AVC msg=audit(1736500497.595:266): avc: denied { rmdir } for pid=29882 comm="systemd-pcrlock" name="pcrlock.d" dev="dm-0" ino=1125345 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Jan 10 10:14:57 2025
type=AVC msg=audit(1736500497.785:267): avc: denied { create } for pid=29891 comm="mkdir" name="710-kernel-cmdline-initrd-entry.pcrlock.d" scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

For some reason all of /var/lib/pcrlock.d is system_u:object_r:var_lib_t:s0 instead of system_u:object_r:systemd_pcrlock_var_lib_t:s0 again. Maybe because I ran "sdbootutil remove-all-kernels" and "bash -x sdbootutil add-all-kernels"?
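As an added example (not part of the bug report, of sdbootutil or of the selinux-policy package), here is a small Python parser for AVC records like the ones in comments #26 and #28 above and in the original report. It reads both the raw audit.log form and the ausearch -i form, groups denials by source domain, target type and object class, separates the denials that were actually enforced (permissive=0) from those only logged because the source domain is permissive (permissive=1), and lists the directories whose files would be candidates for restorecon. The sample records are copied from this thread; the function names are my own.

```python
"""Summarise SELinux AVC denials from audit output.

Added example for reading the audit lines in this bug; it is not code from
the bug report, sdbootutil or selinux-policy.  SAMPLE_AVCS is copied from
the comments in this thread (the first line from the initial report in
ausearch -i form, the rest in raw audit.log form).
"""
import os
import re
from collections import defaultdict

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value pairs: values are either double-quoted or run to the next space.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SAMPLE_AVCS = """
type=AVC msg=audit(14.11.2024 10:13:13.145:227) : avc: denied { execute } for pid=6038 comm=sdbootutil name=systemd-pcrlock dev="dm-0" ino=659797 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_pcrlock_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1736431022.145:575): avc: denied { open } for pid=73676 comm="systemd-pcrlock" path="/var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock" dev="dm-0" ino=1101542 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736431023.185:580): avc: denied { open } for pid=73748 comm="systemd-pcrlock" path="/var/lib/systemd/pcrlock.json" dev="dm-0" ino=1101576 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=unconfined_u:object_r:init_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736500497.552:263): avc: denied { create } for pid=29879 comm="systemd-pcrlock" name="generated.pcrlock" scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736500497.552:264): avc: denied { write open } for pid=29879 comm="systemd-pcrlock" path="/var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock" dev="dm-0" ino=1125347 scontext=system_u:system_r:systemd_pcrlock_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736500497.785:267): avc: denied { create } for pid=29891 comm="mkdir" name="710-kernel-cmdline-initrd-entry.pcrlock.d" scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, whole, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if whole.startswith('"') else bare
    # A context is user:role:type:level; the type is what the policy rules key on.
    return {
        "perms": frozenset(m.group("perms").split()),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
        # "path" is present when the kernel could resolve it; "create" denials
        # only carry the new name relative to the (unnamed) parent directory.
        "path": fields.get("path") or fields.get("name"),
        "enforced": fields.get("permissive") == "0",
    }


def parse_log(text):
    """Parse every AVC denial in a block of audit output."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Map (source type, target type, class) -> union of denied permissions."""
    out = defaultdict(set)
    for r in records:
        out[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(out)


def enforced_only(records):
    """Denials that actually blocked the access (permissive=0)."""
    return [r for r in records if r["enforced"]]


def suggest_restorecon(records):
    """Directories holding denied files with an absolute path, for `restorecon -Rv`."""
    dirs = {os.path.dirname(r["path"]) for r in records
            if r["path"] and r["path"].startswith("/")}
    return sorted(dirs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AVCS)
    for key, perms in sorted(summarize(recs).items()):
        print("%s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(sorted(perms))))
    print("enforced:", [(r["comm"], r["ttype"]) for r in enforced_only(recs)])
    for d in suggest_restorecon(recs):
        print("restorecon -Rv", d)
```

Two things worth keeping in mind when reading the output: permissive=1 means the access was allowed and only logged, which is why zypper kept working while systemd_pcrlock_t was still accumulating denials, whereas the snapperd_t lines with permissive=0 are the ones that actually failed. And the label a file carries follows the inode, not its final path: a file created in one directory gets that directory's default type and keeps it when it is renamed into /var/lib/pcrlock.d, so a file-context rule for the final path only takes effect on a restorecon (preview with `restorecon -nv`) or on a create directly in that directory, which is what comment #25 describes.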
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c29
--- Comment #29 from Johannes Segitz <jsegitz@suse.com> ---
noooo :( Okay, I just screwed up my VM, will give the sdbootutil commands a try to see if I can reproduce once I get it back to working.
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c30
Johannes Segitz <jsegitz@suse.com> changed: Flags: needinfo?(fvogt@suse.com) (added)
--- Comment #30 from Johannes Segitz <jsegitz@suse.com> ---
So, next try. I can now enroll the system as unconfined user and get proper labels. Please give the policy another try, maybe this is the one. I have a good feeling about it now.
https://bugzilla.suse.com/show_bug.cgi?id=1233358#c31
Fabian Vogt <fvogt@suse.com> changed: Flags: needinfo?(fvogt@suse.com) (removed)
--- Comment #31 from Fabian Vogt <fvogt@suse.com> ---
(In reply to Johannes Segitz from comment #30)
> So, next try. I can now enroll the system as unconfined user and get proper labels. Please give the policy another try, maybe this is the one. I have a good feeling about it now.

Works! I tried various kinds of torture tests and didn't get any wrong labels or denials!