Bug 2123765 - avc: denied { read } for pid=388 comm="systemd-gpt-aut" name="home" (also name="var") dev="sda2"
Summary: avc: denied { read } for pid=388 comm="systemd-gpt-aut" name="home" (also ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: x86_64
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-02 14:53 UTC by Quintin Hill
Modified: 2022-09-22 01:17 UTC (History)
Fixed In Version: selinux-policy-36.15-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-22 01:17:27 UTC
Type: Bug
Embargoed:
Links:
- GitHub fedora-selinux/selinux-policy pull 1361 (open): Allow sytemd-gpt-auto-generator to check for empty directories (last updated 2022-09-02 15:45:43 UTC)
- Red Hat Bugzilla 1991077 (medium, CLOSED): AVC avc: denied { read } for pid=3083 comm="systemd-gpt-aut" name="b8:1" dev="tmpfs" (last updated 2022-09-12 15:18:59 UTC)

Description Quintin Hill 2022-09-02 14:53:28 UTC
Description of problem:
SELinux prevents normal operation of systemd-gpt-auto-generator
It should be allowed to read system_u:object_r:home_root_t and system_u:object_r:var_t.  Checking that these directories are empty seems to be a legitimate activity.

Version-Release number of selected component (if applicable):
selinux-policy.noarch 36.14-1.fc36
selinux-policy-targeted.noarch 36.14-1.fc36
systemd.x86_64 250.8-1.fc36

How reproducible:
Every boot

Steps to Reproduce:
1. Have separate home and var partitions with appropriate partition UUIDs
2. Boot system.
3.

Actual results:

systemd-gpt-auto-generator fails due to SELinux denials.  Log messages are as follows.

Sep 02 12:30:00 quintin systemd-gpt-auto-generator[388]: Cannot check if "/home" is empty: Permission denied
Sep 02 12:30:00 quintin kernel: kauditd_printk_skb: 69 callbacks suppressed
Sep 02 12:30:00 quintin kernel: audit: type=1400 audit(1662118200.418:80): avc:  denied  { read } for  pid=388 comm="systemd-gpt-aut" name="home" dev="sda2" ino=3180 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
Sep 02 12:30:00 quintin kernel: audit: type=1300 audit(1662118200.418:80): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=56441296f012 a2=90000 a3=0 items=0 ppid=376 pid=388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-gpt-aut" exe="/usr/lib/systemd/system-generators/systemd-gpt-auto-generator" subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
Sep 02 12:30:00 quintin kernel: audit: type=1327 audit(1662118200.418:80): proctitle=2F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73797374656D642D6770742D6175746F2D67656E657261746F72002F72756E2F73797374656D642F67>
Sep 02 12:30:00 quintin kernel: audit: type=1400 audit(1662118200.418:81): avc:  denied  { read } for  pid=388 comm="systemd-gpt-aut" name="var" dev="sda2" ino=362569 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Sep 02 12:30:00 quintin kernel: audit: type=1300 audit(1662118200.418:81): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=56441296f04b a2=90000 a3=0 items=0 ppid=376 pid=388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-gpt-aut" exe="/usr/lib/systemd/system-generators/systemd-gpt-auto-generator" subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
Sep 02 12:30:00 quintin kernel: audit: type=1327 audit(1662118200.418:81): proctitle=2F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73797374656D642D6770742D6175746F2D67656E657261746F72002F72756E2F73797374656D642F67>
Sep 02 12:30:00 quintin systemd-gpt-auto-generator[388]: Cannot check if "/var" is empty: Permission denied
Sep 02 12:30:00 quintin systemd[376]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
Expected results:
No denials.  systemd-gpt-auto-generator succeeds.


Additional info:

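To see what the two denials above actually ask of the policy, here is an added example (not code from this bug or from the selinux-policy project) that parses audit `type=1400` AVC records, keys them by source type, target type and object class, and emits the merged raw TE allow rules in the style audit2allow would propose. The sample log is constructed from the records quoted in the description (the `type=1300` line is shortened); the regex and the helper names are this example's own assumptions, and the upstream fix may express the same grant differently.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug, with one non-AVC
# audit record (type=1300, shortened) left in to show it is skipped.
AUDIT_LOG = """\
Sep 02 12:30:00 quintin kernel: audit: type=1400 audit(1662118200.418:80): avc:  denied  { read } for  pid=388 comm="systemd-gpt-aut" name="home" dev="sda2" ino=3180 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
Sep 02 12:30:00 quintin kernel: audit: type=1300 audit(1662118200.418:80): arch=c000003e syscall=257 success=no exit=-13 comm="systemd-gpt-aut"
Sep 02 12:30:00 quintin kernel: audit: type=1400 audit(1662118200.418:81): avc:  denied  { read } for  pid=388 comm="systemd-gpt-aut" name="var" dev="sda2" ino=362569 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

# Assumed field layout: verdict, permission set in braces, then the three
# context fields; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one dict per 'avc: denied' record; other audit record types are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        # Policy rules are written against the type component (user:role:type:level).
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        # permissive=1 means the access was logged but not actually blocked.
        rec["enforcing"] = rec["permissive"] != "1"
        out.append(rec)
    return out

def allow_rules(records):
    """Merge denials into the minimal set of raw allow rules (audit2allow style)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )

if __name__ == "__main__":
    for rule in allow_rules(parse_avc(AUDIT_LOG)):
        print(rule)
```

Both denials are `permissive=0`, so the generator really was blocked, which matches the "Permission denied" messages and the exit status 1 in the log above.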
Comment 1 Fedora Update System 2022-09-14 16:33:08 UTC
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

Comment 2 Fedora Update System 2022-09-15 02:21:33 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2022-09-22 01:17:27 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.
