
bootupd denied #2010

Open
karuboniru opened this issue Jan 25, 2024 · 1 comment

Comments

@karuboniru

karuboniru commented Jan 25, 2024

System selinux policy version selinux-policy-39.3-1.fc39.noarch

After using bootc to switch to an ostree-based system and enabling bootupd, I'm seeing the following denials in audit.log (grouped by target type):

  • var_run_t
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:410): avc:  denied  { write } for  pid=4795 comm="bootupd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:411): avc:  denied  { add_name } for  pid=4795 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:412): avc:  denied  { create } for  pid=4795 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:413): avc:  denied  { write open } for  pid=4795 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=2796 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.334:414): avc:  denied  { lock } for  pid=4795 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=2796 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
  • bin_t
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.431:423): avc:  denied  { execute } for  pid=4796 comm="bootupd" name="sync" dev="nvme0n1p3" ino=32003971 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.431:424): avc:  denied  { execute_no_trans } for  pid=4796 comm="bootupd" path="/usr/bin/sync" dev="nvme0n1p3" ino=32003971 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.432:425): avc:  denied  { map } for  pid=4796 comm="sync" path="/usr/bin/sync" dev="nvme0n1p3" ino=32003971 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
  • boot_t
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.439:427): avc:  denied  { write } for  pid=4795 comm="bootupd" name="/" dev="nvme0n1p2" ino=128 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.439:428): avc:  denied  { write } for  pid=4795 comm="bootupd" path=2F626F6F742F23313336202864656C6574656429 dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:429): avc:  denied  { add_name } for  pid=4795 comm="bootupd" name="#136" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:430): avc:  denied  { link } for  pid=4795 comm="bootupd" name="#136" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:431): avc:  denied  { remove_name } for  pid=4795 comm="bootupd" name=".tmp.S786tkF6.tmp" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.440:432): avc:  denied  { rename } for  pid=4795 comm="bootupd" name=".tmp.S786tkF6.tmp" dev="nvme0n1p2" ino=136 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
  • cert_t
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9039): avc:  denied  { search } for  pid=46253 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32702526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9040): avc:  denied  { read } for  pid=46253 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32703268 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9041): avc:  denied  { open } for  pid=46253 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32703268 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.229:9042): avc:  denied  { getattr } for  pid=46253 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32703268 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:415): avc:  denied  { search } for  pid=4795 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32105407 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:416): avc:  denied  { read } for  pid=4795 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32106157 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:417): avc:  denied  { open } for  pid=4795 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32106157 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.336:418): avc:  denied  { getattr } for  pid=4795 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32106157 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1151): avc:  denied  { search } for  pid=20096 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32146063 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1152): avc:  denied  { read } for  pid=20096 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32146813 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1153): avc:  denied  { open } for  pid=20096 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32146813 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.931:1154): avc:  denied  { getattr } for  pid=20096 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32146813 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2816): avc:  denied  { search } for  pid=22528 comm="bootupd" name="pki" dev="nvme0n1p3" ino=32243992 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2817): avc:  denied  { read } for  pid=22528 comm="bootupd" name="openssl.cnf" dev="nvme0n1p3" ino=32244742 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2818): avc:  denied  { open } for  pid=22528 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32244742 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.163:2819): avc:  denied  { getattr } for  pid=22528 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="nvme0n1p3" ino=32244742 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
  • dosfs_t
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.228:9036): avc:  denied  { getattr } for  pid=46253 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.228:9037): avc:  denied  { read } for  pid=46253 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log:type=AVC msg=audit(1706197327.228:9038): avc:  denied  { open } for  pid=46253 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.407:419): avc:  denied  { getattr } for  pid=4795 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.407:420): avc:  denied  { read } for  pid=4795 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.407:421): avc:  denied  { open } for  pid=4795 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.430:422): avc:  denied  { read } for  pid=4795 comm="bootupd" name="EFI" dev="nvme0n1p1" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1148): avc:  denied  { getattr } for  pid=20096 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=121 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1149): avc:  denied  { read } for  pid=20096 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=121 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706124301.930:1150): avc:  denied  { open } for  pid=20096 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=121 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.162:2813): avc:  denied  { getattr } for  pid=22528 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.162:2814): avc:  denied  { read } for  pid=22528 comm="bootupd" name="BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706135889.162:2815): avc:  denied  { open } for  pid=22528 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="nvme0n1p1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
  • efivarfs_t
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121499.997:386): avc:  denied  { getattr } for  pid=4767 comm="bootupd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121499.997:387): avc:  denied  { search } for  pid=4767 comm="bootupd" name="/" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.333:408): avc:  denied  { getattr } for  pid=4795 comm="bootupd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.333:409): avc:  denied  { search } for  pid=4795 comm="bootupd" name="/" dev="efivarfs" ino=10267 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
  • dac_override
/var/log/audit/audit.log.3:type=AVC msg=audit(1706121507.439:426): avc:  denied  { dac_override } for  pid=4795 comm="bootupd" capability=1  scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:bootupd_t:s0 tclass=capability permissive=1

auto generated policy:

module my-bootupd 1.0;

require {
	type efivarfs_t;
	type cert_t;
	type var_run_t;
	type boot_t;
	type dosfs_t;
	type bin_t;
	type bootupd_t;
	class dir { add_name getattr read remove_name search write };
	class file { create execute execute_no_trans getattr link lock open read rename write };
	class capability dac_override;
}

#============= bootupd_t ==============
allow bootupd_t bin_t:file { execute execute_no_trans };
allow bootupd_t boot_t:dir { add_name remove_name write };
allow bootupd_t boot_t:file { link rename write };
allow bootupd_t cert_t:dir search;
allow bootupd_t cert_t:file { getattr open read };
allow bootupd_t dosfs_t:dir read;
allow bootupd_t dosfs_t:file { getattr open read };
allow bootupd_t efivarfs_t:dir { getattr search };
allow bootupd_t self:capability dac_override;
allow bootupd_t var_run_t:dir { add_name write };
allow bootupd_t var_run_t:file { create lock open write };
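
The `allow` rules above are what audit2allow produces: every AVC record is reduced to (source type, target type, object class) and the permissions for each such triple are merged. As an added illustration (not code from the issue, from bootupd or from selinux-policy), the script below does that aggregation over a constructed subset of the `var_run_t` and `dac_override` records quoted above and renders the same `require`/`allow` layout; the module name `my-bootupd` is taken from the issue, everything else is assumed.

```python
"""
Minimal audit2allow-style aggregation of SELinux AVC denials.

Added example, not part of the issue or of bootupd/selinux-policy: it parses
AVC records, groups them by (source type, target type, object class) and
emits a `require` block plus `allow` rules, which is what `audit2allow -M`
writes into a .te file.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the denials quoted in the issue
# (the var_run_t lock-file records and the dac_override capability record).
SAMPLE_AVC = """\
type=AVC msg=audit(1706121507.334:410): avc:  denied  { write } for  pid=4795 comm="bootupd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706121507.334:411): avc:  denied  { add_name } for  pid=4795 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1706121507.334:412): avc:  denied  { create } for  pid=4795 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706121507.334:413): avc:  denied  { write open } for  pid=4795 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=2796 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706121507.334:414): avc:  denied  { lock } for  pid=4795 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=2796 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1706121507.439:426): avc:  denied  { dac_override } for  pid=4795 comm="bootupd" capability=1  scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:bootupd_t:s0 tclass=capability permissive=1
"""

# One AVC record: the braced permission set, then the two contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source type, target type, class, {perms}) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL or PATH records)
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def aggregate(text):
    """Merge permissions per (stype, ttype, tclass), as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def _perm_list(perms):
    """Render a permission set in .te syntax: bare if single, braced otherwise."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="my-bootupd", version="1.0"):
    """Render a .te policy module; `self` is used when source and target types match."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_list(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for stype, ttype, tclass in sorted(rules):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {_perm_list(rules[(stype, ttype, tclass)])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(aggregate(SAMPLE_AVC)))
```

Running it prints the same `require` block and the same three `var_run_t`/`self:capability` rules that appear in the generated policy above. That mechanical aggregation is also the reason such output is worth reviewing before loading: the rules grant `bootupd_t` write on the generic `var_run_t` directory and the `dac_override` capability, both wider than the single `/run/bootupd-lock` file the records are about; a dedicated type with a file context for that path is the narrower fix.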

@cgwalters
Contributor

Yeah we should have never created a bootupd_t, I tried to stop it but failed.
