Bug 1222994

Summary: [Build 20240417] [SELinux] sdboot: error in journal
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dominique Leuenberger <dimstar>
Component: Security Assignee: Cathy Hu <cathy.hu>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: cathy.hu, fvogt, lnussel
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.opensuse.org/tests/4090879/modules/journal_check/steps/21
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1223599
https://bugzilla.suse.com/show_bug.cgi?id=1222736
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---

Description Dominique Leuenberger 2024-04-17 20:16:27 UTC
## Observation


Apr 17 19:44:44.259158 localhost.localdomain systemd-gpt-auto-generator[1423]: Failed to create symlink "/run/systemd/generator.late/local-fs.target.wants/systemd-remount-fs.service": No such file or directory

openQA test in scenario microos-Tumbleweed-MicroOS-Image-sdboot-x86_64-microos-combustion@uefi fails in
[journal_check](https://openqa.opensuse.org/tests/4090879/modules/journal_check/steps/21)

## Test suite description
Like MicroOS, but use only combustion for the initial configuration.
jlausuch: it was `EXTRA=FEATURES`.


## Reproducible

Fails since (at least) Build [20240414](https://openqa.opensuse.org/tests/4084116)


## Expected result

Last good: [20240412](https://openqa.opensuse.org/tests/4081333) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=MicroOS-Image-sdboot&machine=uefi&test=microos-combustion&version=Tumbleweed)
Comment 1 Ludwig Nussel 2024-04-18 07:26:15 UTC
I have no idea what that test does. Fabian?
Comment 2 Fabian Vogt 2024-04-18 07:32:43 UTC
Apr 17 19:44:44.259133 localhost.localdomain kernel: audit: type=1400 audit(1713383083.573:6): avc:  denied  { map_read map_write } for  pid=1421 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 17 19:44:44.259141 localhost.localdomain kernel: audit: type=1400 audit(1713383083.586:7): avc:  denied  { map_read map_write } for  pid=1423 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 17 19:44:44.259150 localhost.localdomain kernel: audit: type=1400 audit(1713383083.640:8): avc:  denied  { write } for  pid=1423 comm="systemd-gpt-aut" name="generator.late" dev="tmpfs" ino=682 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Apr 17 19:44:44.259158 localhost.localdomain systemd-gpt-auto-generator[1423]: Failed to create symlink "/run/systemd/generator.late/local-fs.target.wants/systemd-remount-fs.service": No such file or directory

Looks like a SELinux policy issue, reassigning.
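
Added example, not part of the original comments or of the openSUSE SELinux policy: a small Python parser that groups AVC denials such as the ones quoted in Comment 2 by source type, target type and object class, which is the view a policy maintainer needs to see which rules are missing. The function names are this example's own; the sample input is the journal excerpt from Comment 2.

```python
import re
from collections import defaultdict

# Sample input: the journal excerpt quoted in Comment 2 of this bug.
SAMPLE = """\
Apr 17 19:44:44.259133 localhost.localdomain kernel: audit: type=1400 audit(1713383083.573:6): avc:  denied  { map_read map_write } for  pid=1421 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 17 19:44:44.259141 localhost.localdomain kernel: audit: type=1400 audit(1713383083.586:7): avc:  denied  { map_read map_write } for  pid=1423 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 17 19:44:44.259150 localhost.localdomain kernel: audit: type=1400 audit(1713383083.640:8): avc:  denied  { write } for  pid=1423 comm="systemd-gpt-aut" name="generator.late" dev="tmpfs" ino=682 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Apr 17 19:44:44.259158 localhost.localdomain systemd-gpt-auto-generator[1423]: Failed to create symlink "/run/systemd/generator.late/local-fs.target.wants/systemd-remount-fs.service": No such file or directory
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one journal line; return None if it is not a complete AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record: do not guess the missing parts
    return {
        "perms": m.group("perms").split(),
        "source": setype(fields["scontext"]),
        "target": setype(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "enforced": fields.get("permissive") == "0",
    }

def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The symlink failure on the last sample line is not an AVC record and is skipped; it is the visible symptom of the denied `write` on `generator.late` reported just before it by the same PID.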
Comment 3 Cathy Hu 2024-05-16 11:30:35 UTC
systemd introduced new features in their generators, we don't have a policy for this yet. 
will take a while
Comment 4 Cathy Hu 2024-05-16 12:03:02 UTC
ah wait sorry, i just had a closer look and i already fixed this in security:SELinux, but it is not in factory yet because we are waiting for the cockpit update to go through. i will ping them and submit

this is a duplicate of bsc#1222736, but leaving it open until it is in factory
Comment 5 Cathy Hu 2024-06-07 14:07:28 UTC
the fix is in factory now, closing