I've noticed some interesting SELinux issues which seem to arise on a fresh install of a system, specifically around rpm-ostree automatic upgrades. Not sure if this is currently documented, so I wanted to raise an issue for this. It's not too much trouble to create a rule to deal with this, but on a fresh install, unless the user deals with this, their system will not automatically upgrade.
I can confirm if the user manually upgrades this using the relevant rpm-ostree commands, that works without issue.
Image: ucore-stable-nvidia-zfs
journalctl output:
```
Jan 08 19:21:20 aionios setroubleshoot[5483]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted. For complete SELinux messages run: sealert -l d2ed86a0-1819-4bd4-bb17-71e51dba0a2f
Jan 08 19:21:20 aionios setroubleshoot[5483]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bootc should be allowed getattr access on the ostree-booted file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bootc' --raw | audit2allow -M my-bootc
# semodule -X 300 -i my-bootc.pp
```
```
Jan 08 19:39:28 aionios setroubleshoot[12849]: failed to get list from rpm: /usr/bin/rpm: line 6: /usr/bin/rpm-ostree: Permission denied /usr/bin/rpm: line 6: exec: /usr/bin/rpm-ostree: cannot execute: Permission denied
Jan 08 19:39:28 aionios setroubleshoot[12849]: failed to retrieve rpm info for path '/run/ostree-booted': /usr/bin/rpm: line 6: /usr/bin/rpm-ostree: Permission denied /usr/bin/rpm: line 6: exec: /usr/bin/rpm-ostree: cannot execute: Permission denied
Jan 08 19:39:28 aionios setroubleshoot[12849]: failed to retrieve rpm info for path '/etc/selinux/targeted': /usr/bin/rpm: line 6: /usr/bin/rpm-ostree: Permission denied /usr/bin/rpm: line 6: exec: /usr/bin/rpm-ostree: cannot execute: Permission denied
Jan 08 19:39:29 aionios setroubleshoot[12849]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted. For complete SELinux messages run: sealert -l d2ed86a0-1819-4bd4-bb17-71e51dba0a2f
Jan 08 19:39:29 aionios setroubleshoot[12849]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bootc should be allowed getattr access on the ostree-booted file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bootc' --raw | audit2allow -M my-bootc
# semodule -X 300 -i my-bootc.pp
```
Let me know if you feel further information is required. I haven't currently gotten round to resolving it yet. I will test in a VM I'm using to automate post-install steps when I get around to it.
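Before generating a local policy module with `audit2allow`, a reviewer usually wants to see exactly which (source, access, class, target) tuples the setroubleshoot summaries describe, so that the resulting module grants nothing beyond the observed denial. The following is an added example, not code from the issue author or the ucore project: a small parser for setroubleshoot journal lines of the form shown above. The sample journal text is constructed from the lines in the report; the field names (`source`, `access`, `target_class`, `target`, `sealert_id`) and the helper-failure filtering are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample built from the journal lines quoted in the report above
# (two AVC summaries, one helper failure, one more AVC summary).
SAMPLE_JOURNAL = """\
Jan 08 19:21:20 aionios setroubleshoot[5483]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted. For complete SELinux messages run: sealert -l d2ed86a0-1819-4bd4-bb17-71e51dba0a2f
Jan 08 19:21:20 aionios setroubleshoot[5483]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted.
Jan 08 19:39:28 aionios setroubleshoot[12849]: failed to get list from rpm: /usr/bin/rpm: line 6: /usr/bin/rpm-ostree: Permission denied
Jan 08 19:39:29 aionios setroubleshoot[12849]: SELinux is preventing bootc from getattr access on the file /run/ostree-booted. For complete SELinux messages run: sealert -l d2ed86a0-1819-4bd4-bb17-71e51dba0a2f
"""

# journalctl short format: "Mon DD HH:MM:SS host unit[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"setroubleshoot\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# setroubleshoot AVC summary, with an optional trailing sealert reference.
DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<access>\S+) access on the "
    r"(?P<tclass>\S+) (?P<target>\S+?)\.?"
    r"(?: For complete SELinux messages run: sealert -l (?P<sealert>[0-9a-f-]+))?$"
)


@dataclass(frozen=True)
class Denial:
    """One setroubleshoot AVC summary (hypothetical field names)."""
    timestamp: str
    pid: int
    source: str          # process name, e.g. "bootc"
    access: str          # permission, e.g. "getattr"
    target_class: str    # object class, e.g. "file"
    target: str          # object path, e.g. "/run/ostree-booted"
    sealert_id: Optional[str]


def parse_journal(text: str) -> list[Denial]:
    """Extract AVC summaries; helper failures and non-setroubleshoot lines are skipped."""
    denials: list[Denial] = []
    for line in text.splitlines():
        m = JOURNAL_RE.match(line)
        if not m:
            continue
        d = DENIAL_RE.match(m["msg"])
        if not d:
            continue  # e.g. "failed to retrieve rpm info ..." is not a denial
        denials.append(Denial(
            timestamp=m["ts"],
            pid=int(m["pid"]),
            source=d["source"],
            access=d["access"],
            target_class=d["tclass"],
            target=d["target"],
            sealert_id=d["sealert"],
        ))
    return denials


def summarize(denials: list[Denial]) -> dict[tuple[str, str, str, str], int]:
    """Count distinct (source, access, class, target) tuples.

    One line per unique denial is what a reviewer compares against the
    `allow` rules audit2allow would emit; anything not in this set should
    not appear in the local module."""
    counts: dict[tuple[str, str, str, str], int] = {}
    for d in denials:
        key = (d.source, d.access, d.target_class, d.target)
        counts[key] = counts.get(key, 0) + 1
    return counts


def sealert_ids(denials: list[Denial]) -> list[str]:
    """Unique sealert ids, for pulling the full reports with `sealert -l <id>`."""
    return sorted({d.sealert_id for d in denials if d.sealert_id})


if __name__ == "__main__":
    found = parse_journal(SAMPLE_JOURNAL)
    for key, n in summarize(found).items():
        print(f"{n}x  {key[0]} {key[1]} on {key[2]} {key[3]}")
    print("sealert ids:", ", ".join(sealert_ids(found)))
```

In practice the input comes from `journalctl -u setroubleshootd` (or `journalctl -t setroubleshoot`) rather than the embedded sample; the point is that the three journal entries collapse to a single `bootc getattr on file /run/ostree-booted` tuple, which is the only access a local module for this report needs to grant.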