Bug 1226824 - [SELinux] growpart-generator AVC denials
Status: NEW
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assignee: Cathy Hu
QA Contact: E-mail List
Reported: 2024-06-23 16:15 UTC by Matej Cepl
Modified: 2024-07-16 14:41 UTC

Description Matej Cepl 2024-06-23 16:15:13 UTC
mitmanek:~ # ausearch -m AVC -ts boot
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.392:27): avc:  denied  { execute } for  pid=1227 comm="growpart-genera" path="/usr/bin/bash" dev="nvme0n1p3" ino=124016 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:28): avc:  denied  { read } for  pid=1227 comm="growpart-genera" name="passwd" dev="overlay" ino=726 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:29): avc:  denied  { open } for  pid=1227 comm="growpart-genera" path="/etc/passwd" dev="overlay" ino=726 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:30): avc:  denied  { getattr } for  pid=1227 comm="growpart-genera" path="/etc/passwd" dev="overlay" ino=726 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:31): avc:  denied  { execute } for  pid=1240 comm="growpart-genera" name="findmnt" dev="nvme0n1p3" ino=229659 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.395:32): avc:  denied  { execute_no_trans } for  pid=1240 comm="growpart-genera" path="/usr/bin/findmnt" dev="nvme0n1p3" ino=229659 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Sun Jun 23 01:51:49 2024
type=AVC msg=audit(1719100309.399:33): avc:  denied  { getattr } for  pid=1239 comm="systemd-fstab-g" path="/.snapshots" dev="nvme0n1p3" ino=256 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=1
----
time->Sun Jun 23 02:01:49 2024
type=AVC msg=audit(1719100909.876:105): avc:  denied  { unlink } for  pid=1793 comm="bootctl" name="bfb41e21a4f34f10958f75adb1378666-6.9.3-1-default-114.conf" dev="nvme0n1p2" ino=46 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
mitmanek:~ # rpm -q selinux-policy
selinux-policy-20240617-1.1.noarch
mitmanek:~ # 

This is on MicroOS with the latest Tumbleweed packages as of 2024-06-23.
Comment 2 Cathy Hu 2024-07-16 14:41:24 UTC
Superseded by this submission: https://build.opensuse.org/request/show/1187945