Missing rules for bootupd #2334

Closed
travier opened this issue Sep 2, 2024 · 4 comments · Fixed by #2336

Comments

travier commented Sep 2, 2024

On Fedora 41 Atomic Desktops, we have the following AVCs:

type=AVC msg=audit(1725290040.770:429): avc:  denied  { getattr } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.770:430): avc:  denied  { read } for  pid=4524 comm="bootupctl" name="BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.770:431): avc:  denied  { open } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.862:432): avc:  denied  { read } for  pid=4524 comm="bootupctl" name="EFI" dev="vda1" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1725290040.863:433): avc:  denied  { write } for  pid=4524 comm="bootupctl" path=2F626F6F742F233234202864656C6574656429 dev="vda2" ino=24 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.869:434): avc:  denied  { link } for  pid=4524 comm="bootupctl" name="#24" dev="vda2" ino=24 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.869:435): avc:  denied  { rename } for  pid=4524 comm="bootupctl" name=".tmp.X84SiQFG.tmp" dev="vda2" ino=24 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1

when running the commands from https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd#How_To_Test.

How to reproduce

  • Install a Fedora Silverblue 41 system
  • Run:
    $ sudo semanage permissive -a bootupd_t
    $ sudo rm /boot/bootupd-state.json
    $ sudo bootupctl update
    
travier commented Sep 2, 2024

More rules missing from a real update:

type=AVC msg=audit(1725290584.206:609): avc:  denied  { getattr } for  pid=3484 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.206:610): avc:  denied  { read } for  pid=3484 comm="bootupctl" name="BOOTIA32.EFI" dev="vda1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.206:611): avc:  denied  { open } for  pid=3484 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.270:612): avc:  denied  { read } for  pid=3484 comm="bootupctl" name="EFI" dev="vda1" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1725290584.270:613): avc:  denied  { write } for  pid=3484 comm="bootupctl" name="EFI" dev="vda1" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1725290584.270:614): avc:  denied  { add_name } for  pid=3484 comm="bootupctl" name=".tmpGbLl0E79.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1725290584.270:615): avc:  denied  { create } for  pid=3484 comm="bootupctl" name=".tmpGbLl0E79.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.270:616): avc:  denied  { write } for  pid=3484 comm="bootupctl" path="/boot/efi/EFI/.tmpGbLl0E79.tmp" dev="vda1" ino=130 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.278:617): avc:  denied  { setattr } for  pid=3484 comm="bootupctl" name=".tmpGbLl0E79.tmp" dev="vda1" ino=130 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.278:618): avc:  denied  { remove_name } for  pid=3484 comm="bootupctl" name=".tmpGbLl0E79.tmp" dev="vda1" ino=130 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1725290584.278:619): avc:  denied  { rename } for  pid=3484 comm="bootupctl" name=".tmpGbLl0E79.tmp" dev="vda1" ino=130 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.295:620): avc:  denied  { unlink } for  pid=3484 comm="bootupctl" name="grubx64.efi" dev="vda1" ino=123 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.297:621): avc:  denied  { write } for  pid=3484 comm="bootupctl" path=2F626F6F742F233136202864656C6574656429 dev="vda2" ino=16 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.333:622): avc:  denied  { link } for  pid=3484 comm="bootupctl" name="#16" dev="vda2" ino=16 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.333:623): avc:  denied  { rename } for  pid=3484 comm="bootupctl" name=".tmp.Z4pRaNq2.tmp" dev="vda2" ino=16 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1

travier commented Sep 2, 2024

Essentially, bootupd needs to be able to do all common file/dir create/rename/write/remove operations in the EFI partition.
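
As an added example (not code from this issue, from bootupd, or from selinux-policy), the Python script below parses AVC lines like the ones quoted above, decodes the hex-encoded `path=` values that audit writes when a name contains spaces (the `2F626F6F742F...` value above decodes to `/boot/#24 (deleted)`), and aggregates the denied permissions per source type, target type and object class into `allow` rules, which is roughly what `audit2allow` does. The sample input is a constructed string holding a subset of the AVC lines quoted above; the function names and the `HEX_ENCODED_FIELDS` list are the example's own assumptions. The `permissive=1` on every line is why the full sequence is visible at all: in enforcing mode `bootupctl` would have stopped at the first denial, which is why the reproducer marks `bootupd_t` permissive first. The generated rules are a review aid, not a policy patch; a Fedora policy change would typically express the same accesses through the policy's interface macros rather than raw `allow` statements.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC lines quoted in this issue.
# The unquoted hex value in the fifth line is exactly how audit wrote it.
SAMPLE_AVCS = """\
type=AVC msg=audit(1725290040.770:429): avc:  denied  { getattr } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.770:430): avc:  denied  { read } for  pid=4524 comm="bootupctl" name="BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.770:431): avc:  denied  { open } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290040.862:432): avc:  denied  { read } for  pid=4524 comm="bootupctl" name="EFI" dev="vda1" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1725290040.863:433): avc:  denied  { write } for  pid=4524 comm="bootupctl" path=2F626F6F742F233234202864656C6574656429 dev="vda2" ino=24 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
type=AVC msg=audit(1725290584.270:614): avc:  denied  { add_name } for  pid=3484 comm="bootupctl" name=".tmpGbLl0E79.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
"""

# Matches: avc:  denied  { read open } for  key=value key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption of this example: only these string fields are hex-encoded by audit
# (it does so, without quotes, when the value contains spaces, quotes or control
# characters). Numeric fields such as pid= and ino= must never be hex-decoded,
# since "142" is also valid hex.
HEX_ENCODED_FIELDS = {"path", "name", "comm", "exe", "proctitle"}


def decode_audit_value(key, quoted, bare):
    """Return the field value, hex-decoding unquoted string fields."""
    if quoted is not None:
        return quoted
    if key in HEX_ENCODED_FIELDS and len(bare) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", bare):
        return bytes.fromhex(bare).decode("utf-8", errors="replace")
    return bare


def parse_avc(line):
    """Parse one audit line; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.group(1), fm.group(2), fm.group(3)
        fields[key] = decode_audit_value(key, quoted, bare)
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "fields": fields,
    }


def selinux_type(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:bootupd_t:s0 -> bootupd_t."""
    return context.split(":")[2]


def summarize(lines):
    """Union the denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        f = rec["fields"]
        key = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])
        needed[key] |= rec["perms"]
    return dict(needed)


def to_allow_rules(summary):
    """Render the summary as sorted raw SELinux allow rules (a review aid)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_AVCS.splitlines())):
        print(rule)
```

Run on the sample, the script emits one rule per target type and class, e.g. `allow bootupd_t dosfs_t:file { getattr open read };`, so the reviewer sees at a glance that the missing accesses are to `dosfs_t` (the FAT-formatted ESP) and to `boot_t` (the state file under `/boot`) rather than to anything outside those two labels.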

zpytela added a commit to zpytela/selinux-policy that referenced this issue Sep 2, 2024
How to reproduce:
Install a Fedora Silverblue 41 system
run sudo semanage permissive -a bootupd_t
run sudo rm /boot/bootupd-state.json
run sudo bootupctl update

The commit addresses the following AVC denial example:
type=AVC msg=audit(1725290040.770:431): avc:  denied  { open } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1

Resolves: fedora-selinux#2334
zpytela added a commit to zpytela/selinux-policy that referenced this issue Sep 2, 2024
How to reproduce:
Install a Fedora Silverblue 41 system
run sudo rm /boot/bootupd-state.json
run sudo bootupctl update

The commit addresses the following AVC denial example:
type=AVC msg=audit(1725290040.770:431): avc:  denied  { open } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1

Resolves: fedora-selinux#2334
travier commented Sep 2, 2024

This is running selinux-policy-targeted-41.14-1.fc41.noarch

zpytela added a commit to zpytela/selinux-policy that referenced this issue Sep 2, 2024
How to reproduce:
Install a Fedora Silverblue 41 system
run sudo rm /boot/bootupd-state.json
run sudo bootupctl update

The commit addresses the following AVC denial example:
type=AVC msg=audit(1725290040.770:431): avc:  denied  { open } for  pid=4524 comm="bootupctl" path="/boot/efi/EFI/BOOT/BOOTIA32.EFI" dev="vda1" ino=142 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1

Resolves: fedora-selinux#2334
@zpytela zpytela closed this as completed in 8346b7b Sep 2, 2024
travier commented Sep 3, 2024

Next part in #2341


1 participant