Various systemd denials during expected usage #2507

Open
DaanDeMeyer opened this issue Jan 8, 2025 · 0 comments

@DaanDeMeyer (Contributor):

These are all the denials after booting up a systemd integration test VM running Fedora Rawhide:

To reproduce:

```shell
git clone https://github.com/systemd/mkosi.git
ln -sf $PWD/mkosi/bin/mkosi ~/.local/bin/mkosi
git clone https://github.com/systemd/systemd.git
cd systemd
mkosi -f sandbox meson setup build
mkosi -f genkey
mkosi -f sandbox meson compile -C build mkosi
mkosi -f sandbox env SYSTEMD_INTEGRATION_TESTS=1 TEST_SHELL=1 meson test -C build -v --no-rebuild -i TEST-06-SELINUX
journalctl -g AVC
```

This results in the following denials:

```
AVC avc:  denied  { read } for  pid=426 comm="systemd-debug-g" name="systemd.unit-dropin.TEST-06-SELINUX.service" dev="tmpfs" ino=8 scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=426 comm="systemd-debug-g" path="/run/credentials/@system/systemd.unit-dropin.TEST-06-SELINUX.service" dev="tmpfs" ino=8 scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=426 comm="systemd-debug-g" path="/run/credentials/@system/systemd.unit-dropin.TEST-06-SELINUX.service" dev="tmpfs" ino=8 scontext=system_u:system_r:systemd_debug_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { sendto } for  pid=453 comm="systemd-pcrexte" path="/systemd/journal/socket" scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
AVC avc:  denied  { read } for  pid=453 comm="systemd-pcrexte" name="tpmrm" dev="sysfs" ino=3062 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read } for  pid=453 comm="systemd-pcrexte" name="StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=283 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=453 comm="systemd-pcrexte" path="/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=283 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=453 comm="systemd-pcrexte" path="/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=283 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read write } for  pid=453 comm="systemd-pcrexte" name="tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=453 comm="systemd-pcrexte" path="/dev/tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=453 comm="systemd-pcrexte" path="/run/log/systemd/tpm2-measure.log" dev="tmpfs" ino=119 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { lock } for  pid=453 comm="systemd-pcrexte" path="/run/log/systemd/tpm2-measure.log" dev="tmpfs" ino=119 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=453 comm="systemd-pcrexte" path="/run/log/systemd/tpm2-measure.log" dev="tmpfs" ino=119 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=453 comm="systemd-pcrexte" name="systemd" dev="tmpfs" ino=118 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=1
AVC avc:  denied  { sendto } for  pid=453 comm="systemd-pcrexte" path="/systemd/journal/socket" scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
AVC avc:  denied  { create } for  pid=449 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=vsock_socket permissive=1
AVC avc:  denied  { connect } for  pid=449 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=vsock_socket permissive=1
AVC avc:  denied  { getattr } for  pid=468 comm="systemd-pcrexte" path="/dev/vda2" dev="devtmpfs" ino=314 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
AVC avc:  denied  { getattr } for  pid=468 comm="systemd-pcrexte" path="/sys/dev/block/252:2" dev="sysfs" ino=29230 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
AVC avc:  denied  { read } for  pid=468 comm="systemd-pcrexte" name="252:2" dev="sysfs" ino=29230 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
AVC avc:  denied  { read } for  pid=468 comm="systemd-pcrexte" name="uevent" dev="sysfs" ino=29206 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=468 comm="systemd-pcrexte" path="/sys/devices/pci0000:00/0000:00:08.0/virtio7/block/vda/vda2/uevent" dev="sysfs" ino=29206 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=468 comm="systemd-pcrexte" path="/sys/devices/pci0000:00/0000:00:08.0/virtio7/block/vda/vda2/uevent" dev="sysfs" ino=29206 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=468 comm="systemd-pcrexte" name="vda2" dev="devtmpfs" ino=314 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
AVC avc:  denied  { open } for  pid=468 comm="systemd-pcrexte" path="/dev/vda2" dev="devtmpfs" ino=314 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
AVC avc:  denied  { ioctl } for  pid=468 comm="systemd-pcrexte" path="/dev/vda2" dev="devtmpfs" ino=314 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
AVC avc:  denied  { read } for  pid=468 comm="systemd-pcrexte" name="size" dev="sysfs" ino=29211 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=468 comm="systemd-pcrexte" path="/sys/devices/pci0000:00/0000:00:08.0/virtio7/block/vda/vda2/size" dev="sysfs" ino=29211 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=468 comm="systemd-pcrexte" path="/sys/devices/pci0000:00/0000:00:08.0/virtio7/block/vda/vda2/size" dev="sysfs" ino=29211 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read write } for  pid=468 comm="systemd-pcrexte" name="tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=468 comm="systemd-pcrexte" path="/dev/tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { read } for  pid=526 comm="systemd-network" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
AVC avc:  denied  { prog_load } for  pid=526 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=bpf permissive=1
AVC avc:  denied  { bpf } for  pid=526 comm="systemd-network" capability=39  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability2 permissive=1
AVC avc:  denied  { prog_run } for  pid=526 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=bpf permissive=1
AVC avc:  denied  { map_create } for  pid=526 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=bpf permissive=1
AVC avc:  denied  { map_read map_write } for  pid=526 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=bpf permissive=1
AVC avc:  denied  { sendto } for  pid=570 comm="systemd-pcrexte" path="/systemd/journal/socket" scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
AVC avc:  denied  { read } for  pid=570 comm="systemd-pcrexte" name="tpmrm" dev="sysfs" ino=3062 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read } for  pid=570 comm="systemd-pcrexte" name="StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=283 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=570 comm="systemd-pcrexte" path="/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=283 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=570 comm="systemd-pcrexte" path="/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=283 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { read write } for  pid=570 comm="systemd-pcrexte" name="tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=570 comm="systemd-pcrexte" path="/dev/tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=570 comm="systemd-pcrexte" path="/run/log/systemd/tpm2-measure.log" dev="tmpfs" ino=119 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { lock } for  pid=570 comm="systemd-pcrexte" path="/run/log/systemd/tpm2-measure.log" dev="tmpfs" ino=119 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { getattr } for  pid=570 comm="systemd-pcrexte" path="/run/log/systemd/tpm2-measure.log" dev="tmpfs" ino=119 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=570 comm="systemd-pcrexte" name="systemd" dev="tmpfs" ino=118 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read write } for  pid=582 comm="systemd-pcrexte" name="tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=582 comm="systemd-pcrexte" path="/dev/tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { read } for  pid=582 comm="systemd-pcrexte" name="systemd" dev="tmpfs" ino=118 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read } for  pid=599 comm="agetty" name="agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=599 comm="agetty" path="/run/credentials/[email protected]/agetty.autologin" dev="tmpfs" ino=2 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=599 comm="login" name="login.noauth" dev="tmpfs" ino=3 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=599 comm="login" path="/run/credentials/[email protected]/login.noauth" dev="tmpfs" ino=3 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
```
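The report above is a long list of per-access AVC records, most of them repeats of the same (source type, target type, class) triple from different PIDs. What a policy reviewer actually needs is the deduplicated set of type-pair/class/permission combinations, the way `audit2allow` condenses them, plus a check that the VM really was in permissive mode (so the denials were logged but not enforced). The following Python is an added example, not code from the issue or from the systemd or selinux-policy projects; it parses lines in the exact format shown in the report and works over a small constructed sample quoted from that format. The field names (`scontext`, `tcontext`, `tclass`, `permissive`) are the standard kernel AVC fields; the grouping key and the generated `allow` text are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: four records in the same format as the report above.
SAMPLE_AVC = """\
AVC avc:  denied  { read write } for  pid=453 comm="systemd-pcrexte" name="tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { open } for  pid=453 comm="systemd-pcrexte" path="/dev/tpmrm0" dev="devtmpfs" ino=130 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { bpf } for  pid=526 comm="systemd-network" capability=39  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability2 permissive=1
AVC avc:  denied  { create } for  pid=449 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=vsock_socket permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields for one record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """Extract the type from user:role:type[:range]; handles MLS ranges like s0-s0:c0.c1023."""
    return ctx.split(':')[2]


def summarize(text):
    """Group denied records by (source type, target type, class) and union their permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        f = parse_avc(line)
        if f is None or f['result'] != 'denied':
            continue
        key = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
        grouped[key].update(f['perms'])
    return {k: sorted(v) for k, v in grouped.items()}


def all_permissive(text):
    """True if every denied record carries permissive=1, i.e. nothing was actually blocked."""
    records = [f for f in map(parse_avc, text.splitlines()) if f and f['result'] == 'denied']
    return bool(records) and all(f.get('permissive') == '1' for f in records)


def to_allow_rules(summary):
    """Render the grouped summary as candidate allow rules for a policy author to review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    s = summarize(SAMPLE_AVC)
    print('all permissive:', all_permissive(SAMPLE_AVC))
    for rule in to_allow_rules(s):
        print(rule)
```

Feeding it the output of `journalctl -g AVC` collapses the report above to about a dozen distinct rules, which makes it obvious that the bulk of the noise is `systemd_pcrextend_t` touching the TPM device, efivars and its measurement log, and `systemd_networkd_t` using BPF. The generated rules are a review aid, not something to load blindly: a rule like `allow systemd_networkd_t self:capability2 { bpf };` is exactly the kind of broad grant a policy maintainer should decide on deliberately.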