Bug 1226824

Summary: [SELinux] growpart-generator AVC denials
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Matej Cepl <mcepl>
Component: Security
Assignee: Cathy Hu <cathy.hu>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: cathy.hu
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matej Cepl 2024-06-23 16:15:13 UTC
mitmanek:~ # ausearch -m AVC -ts boot
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.392:27): avc:  denied  { execute } for  pid=1227 comm="growpart-genera" path="/usr/bin/bash" dev="nvme0n1p3" ino=124016 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:28): avc:  denied  { read } for  pid=1227 comm="growpart-genera" name="passwd" dev="overlay" ino=726 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:29): avc:  denied  { open } for  pid=1227 comm="growpart-genera" path="/etc/passwd" dev="overlay" ino=726 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:30): avc:  denied  { getattr } for  pid=1227 comm="growpart-genera" path="/etc/passwd" dev="overlay" ino=726 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:31): avc:  denied  { execute } for  pid=1240 comm="growpart-genera" name="findmnt" dev="nvme0n1p3" ino=229659 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:32): avc:  denied  { execute_no_trans } for  pid=1240 comm="growpart-genera" path="/usr/bin/findmnt" dev="nvme0n1p3" ino=229659 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.399:33): avc:  denied  { getattr } for  pid=1239 comm="systemd-fstab-g" path="/.snapshots" dev="nvme0n1p3" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1
----
time->Sun Jun 23 02:01:49 2024
type=AVC msg=audit(1719100909.876:105): avc:  denied  { unlink } for  pid=1793 comm="bootctl" name="bfb41e21a4f34f10958f75adb1378666-6.9.3-1-default-114.conf" dev="nvme0n1p2" ino=46 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
mitmanek:~ # rpm -q selinux-policy
selinux-policy-20240617-1.1.noarch
mitmanek:~ # 

This is on MicroOS with the latest Tumbleweed packages as of 2024-06-23.
Comment 2 Cathy Hu 2024-07-16 14:41:24 UTC
Superseded by this submission: https://build.opensuse.org/request/show/1187945