Bug 1222994 - [Build 20240417] [SELinux] sdboot: error in journal
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None; Severity: Normal
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
URL: https://openqa.opensuse.org/tests/409...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-17 20:16 UTC by Dominique Leuenberger
Modified: 2024-06-07 14:07 UTC

See Also:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---


Description Dominique Leuenberger 2024-04-17 20:16:27 UTC
## Observation


Apr 17 19:44:44.259158 localhost.localdomain systemd-gpt-auto-generator[1423]: Failed to create symlink "/run/systemd/generator.late/local-fs.target.wants/systemd-remount-fs.service": No such file or directory

openQA test in scenario microos-Tumbleweed-MicroOS-Image-sdboot-x86_64-microos-combustion@uefi fails in
[journal_check](https://openqa.opensuse.org/tests/4090879/modules/journal_check/steps/21)

## Test suite description
Like MicroOS, but use only combustion for the initial configuration.
jlausuch: it was `EXTRA=FEATURES`.


## Reproducible

Fails since (at least) Build [20240414](https://openqa.opensuse.org/tests/4084116)


## Expected result

Last good: [20240412](https://openqa.opensuse.org/tests/4081333) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=microos&flavor=MicroOS-Image-sdboot&machine=uefi&test=microos-combustion&version=Tumbleweed)
Comment 1 Ludwig Nussel 2024-04-18 07:26:15 UTC
I have no idea what that test does. Fabian?
Comment 2 Fabian Vogt 2024-04-18 07:32:43 UTC
Apr 17 19:44:44.259133 localhost.localdomain kernel: audit: type=1400 audit(1713383083.573:6): avc:  denied  { map_read map_write } for  pid=1421 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 17 19:44:44.259141 localhost.localdomain kernel: audit: type=1400 audit(1713383083.586:7): avc:  denied  { map_read map_write } for  pid=1423 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 17 19:44:44.259150 localhost.localdomain kernel: audit: type=1400 audit(1713383083.640:8): avc:  denied  { write } for  pid=1423 comm="systemd-gpt-aut" name="generator.late" dev="tmpfs" ino=682 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Apr 17 19:44:44.259158 localhost.localdomain systemd-gpt-auto-generator[1423]: Failed to create symlink "/run/systemd/generator.late/local-fs.target.wants/systemd-remount-fs.service": No such file or directory

Looks like a selinux policy issue, reassigning.
Comment 3 Cathy Hu 2024-05-16 11:30:35 UTC
systemd introduced new features in their generators, we don't have a policy for this yet. 
will take a while
Comment 4 Cathy Hu 2024-05-16 12:03:02 UTC
ah wait sorry, i just had a closer look and i already fixed this in security:SELinux, but it is not in factory yet because we are waiting for the cockpit update to go through. i will ping them and submit

this is a duplicate of bsc#1222736, but leaving it open until it is in factory
Comment 5 Cathy Hu 2024-06-07 14:07:28 UTC
the fix is in factory now, closing