modules/contrib/bootupd: Remove module #2145

travier · 2024-06-03T13:45:29Z

Bootupd is no longer using a systemd service and socket unit.

It is now called either directly from the command line by an administrator or in the furture as part of the boot process in a oneshot unit.

See: coreos/bootupd#551

HuijingHei · 2024-06-04T00:50:26Z

Maybe also need to remove

selinux-policy/policy/modules.conf

Lines 3117 to 3122 in 351a598

    
           # Layer: contrib 
        
           # Module: bootupd 
        
           # 
        
           #  bootupd - bootloader update daemon 
        
           # 
        
           bootupd = module

which was from d4da143

Bootupd is no longer using a systemd service and socket unit. It is now called either directly from the command line by an administrator or in the furture as part of the boot process in a oneshot unit. See: coreos/bootupd#551

travier · 2024-06-04T10:26:47Z

To be paired with https://src.fedoraproject.org/rpms/selinux-policy/pull-request/431

zpytela · 2024-06-12T14:12:49Z

@travier I am afraid we are not going to make such a change without any serious justification. Having not confined service violates a DISA STIG rule which customers require, and using systemd-run means it runs as a service. Running from cli makes the policy not user, but it also cannot clash with it. If there are any particular problems, please report it so that we can work on a fix.

travier · 2024-06-21T09:25:51Z

Well, it's not really a service, it only runs under systemd-run to get an isolated environment. We don't confine every single mkfs calls with SELinux for example. It's only available to root and we expect that to be the constraint.

travier · 2024-06-21T09:28:33Z

Turns out we do! system_u:object_r:fsadm_exec_t:s0.

travier · 2024-06-21T09:30:37Z

But we don't do it for efibootmgr or bootctl which are in the same category:

$ ls -alhZ /usr/sbin/efibootmgr
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 50K Jan  1  1970 /usr/sbin/efibootmgr
$ ls -alhZ /usr/bin/bootctl
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 110K Jan  1  1970 /usr/bin/bootctl

travier · 2024-06-21T09:31:06Z

We could keep this module, but it needs work as how it is written right now likely does not work.

travier · 2024-06-21T09:33:37Z

fs_search_dos(bootupd_t)
fs_search_efivarfs_dirs(bootupd_t)

It needs full writable access to /boot/efi.

HuijingHei · 2024-06-21T10:27:56Z

And if remove the permissive mode, bootupd will not work as there are a lot of denied logs.

travier · 2024-06-21T11:14:54Z

@HuijingHei Can you paste those logs here?

HuijingHei · 2024-06-25T14:22:57Z

Can you paste those logs here?

Sure, test with bootupd-0.2.19-1.fc40.x86_64 and selinux-policy-40.22-1.fc40.noarch on 40.20240624.20.0, run bootupctl validate, get avc denied logs:

[root@cosa-devsh ~]# rpm-ostree status
State: idle
Deployments:
● ostree-unverified-registry:quay.io/fedora/fedora-coreos:testing-devel
                   Digest: sha256:4f9d9087fe79e5e7d58fce2050df4d535ba5df1a2e39e5a811ff168bf6d714a2
                  Version: 40.20240624.20.0 (2024-06-24T23:50:24Z)

[root@cosa-devsh ~]# bootupctl validate
Skipped: BIOS
Validated: EFI
[root@cosa-devsh ~]# ausearch -m avc
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:150): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:151): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/dev/vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:152): avc:  denied  { execute } for  pid=1616 comm="bootupd" name="mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:153): avc:  denied  { read open } for  pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.107:154): avc:  denied  { execute_no_trans } for  pid=1616 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.108:155): avc:  denied  { map } for  pid=1616 comm="mount" path="/usr/bin/mount" dev="vda4" ino=512575 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:156): avc:  denied  { read } for  pid=1616 comm="mount" name="vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:157): avc:  denied  { open } for  pid=1616 comm="mount" path="/dev/vda2" dev="devtmpfs" ino=347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:158): avc:  denied  { ioctl } for  pid=1616 comm="mount" path="/dev/vda2" dev="devtmpfs" ino=347 ioctlcmd=0x1272 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:159): avc:  denied  { read } for  pid=1616 comm="mount" name="252:2" dev="sysfs" ino=29428 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:160): avc:  denied  { read } for  pid=1616 comm="mount" name="vda2" dev="sysfs" ino=29403 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:161): avc:  denied  { read } for  pid=1616 comm="mount" name="dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:162): avc:  denied  { open } for  pid=1616 comm="mount" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.110:163): avc:  denied  { getattr } for  pid=1616 comm="mount" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29269 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:164): avc:  denied  { search } for  pid=1616 comm="mount" name="mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:165): avc:  denied  { getattr } for  pid=1616 comm="mount" path="/run/mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.139:166): avc:  denied  { read write } for  pid=1616 comm="mount" name="mount" dev="tmpfs" ino=340 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.148:167): avc:  denied  { mount } for  pid=1616 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.148:168): avc:  denied  { mounton } for  pid=1616 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:169): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:170): avc:  denied  { read } for  pid=1615 comm="bootupd" name="BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.150:171): avc:  denied  { open } for  pid=1615 comm="bootupd" path="/boot/efi/EFI/BOOT/BOOTX64.EFI" dev="vda2" ino=115 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:172): avc:  denied  { search } for  pid=1615 comm="bootupd" name="pki" dev="vda4" ino=37801279 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:173): avc:  denied  { read } for  pid=1615 comm="bootupd" name="openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:174): avc:  denied  { open } for  pid=1615 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.151:175): avc:  denied  { getattr } for  pid=1615 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=31457937 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Jun 25 14:19:08 2024
type=AVC msg=audit(1719325148.188:176): avc:  denied  { unmount } for  pid=1620 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1

travier · 2024-06-25T16:06:18Z

Great, if you could get the logs from an update as well that would be great.

HuijingHei · 2024-06-26T07:00:08Z

get the logs from an update

[root@cosa-devsh ~]# bootupctl update
Previous BIOS: grub2-tools-1:2.06-121.fc40.x86_64
Updated BIOS: grub2-tools-1:2.06-123.fc40.x86_64
Previous EFI: grub2-efi-x64-1:2.06-121.fc40.x86_64,shim-x64-15.8-3.x86_64
Updated EFI: grub2-efi-x64-1:2.06-123.fc40.x86_64,shim-x64-15.8-3.x86_64
[root@cosa-devsh ~]# ausearch -m avc
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:146): avc:  denied  { execute } for  pid=1601 comm="bootupd" name="mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:147): avc:  denied  { read open } for  pid=1601 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:148): avc:  denied  { execute_no_trans } for  pid=1601 comm="bootupd" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.198:149): avc:  denied  { map } for  pid=1601 comm="mount" path="/usr/bin/mount" dev="vda4" ino=3304624 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:150): avc:  denied  { search } for  pid=1601 comm="mount" name="mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:151): avc:  denied  { getattr } for  pid=1601 comm="mount" path="/run/mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.201:152): avc:  denied  { read write } for  pid=1601 comm="mount" name="mount" dev="tmpfs" ino=299 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.224:153): avc:  denied  { setsched } for  pid=1601 comm="mount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:154): avc:  denied  { write } for  pid=1600 comm="bootupd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:155): avc:  denied  { add_name } for  pid=1600 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:156): avc:  denied  { create } for  pid=1600 comm="bootupd" name="bootupd-lock" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.227:157): avc:  denied  { write open } for  pid=1600 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=1408 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.228:158): avc:  denied  { lock } for  pid=1600 comm="bootupd" path="/run/bootupd-lock" dev="tmpfs" ino=1408 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.228:159): avc:  denied  { write } for  pid=1600 comm="bootupd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.230:160): avc:  denied  { write } for  pid=1600 comm="bootupd" path=2F626F6F742F233134202864656C6574656429 dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.237:161): avc:  denied  { add_name } for  pid=1600 comm="bootupd" name="#14" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.237:162): avc:  denied  { link } for  pid=1600 comm="bootupd" name="#14" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:163): avc:  denied  { remove_name } for  pid=1600 comm="bootupd" name=".tmp.kmi6M32u.tmp" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:164): avc:  denied  { rename } for  pid=1600 comm="bootupd" name=".tmp.kmi6M32u.tmp" dev="vda3" ino=14 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:165): avc:  denied  { unlink } for  pid=1600 comm="bootupd" name="bootupd-state.json" dev="vda3" ino=21 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.238:166): avc:  denied  { execute } for  pid=1603 comm="bootupd" name="findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.239:167): avc:  denied  { execute_no_trans } for  pid=1603 comm="bootupd" path="/usr/bin/findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.239:168): avc:  denied  { map } for  pid=1603 comm="findmnt" path="/usr/bin/findmnt" dev="vda4" ino=1422347 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.246:169): avc:  denied  { read } for  pid=1604 comm="lsblk" name="block" dev="sysfs" ino=6 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.246:170): avc:  denied  { getattr } for  pid=1604 comm="lsblk" path="/dev/vda3" dev="devtmpfs" ino=348 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:171): avc:  denied  { read } for  pid=1604 comm="lsblk" name="252:3" dev="sysfs" ino=29718 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:172): avc:  denied  { read } for  pid=1604 comm="lsblk" name="dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:173): avc:  denied  { open } for  pid=1604 comm="lsblk" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.247:174): avc:  denied  { getattr } for  pid=1604 comm="lsblk" path="/sys/devices/pci0000:00/0000:00:03.0/virtio2/block/vda/dev" dev="sysfs" ino=29526 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:175): avc:  denied  { getattr } for  pid=1600 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:176): avc:  denied  { execute } for  pid=1605 comm="bootupd" name="grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:177): avc:  denied  { read open } for  pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.248:178): avc:  denied  { execute_no_trans } for  pid=1605 comm="bootupd" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.249:179): avc:  denied  { map } for  pid=1605 comm="grub2-install" path="/usr/sbin/grub2-install" dev="vda4" ino=1766586 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.279:180): avc:  denied  { create } for  pid=1605 comm="grub2-install" name="ast.mo" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:181): avc:  denied  { getattr } for  pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:182): avc:  denied  { read write } for  pid=1605 comm="grub2-install" name="control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:183): avc:  denied  { open } for  pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:184): avc:  denied  { read } for  pid=1605 comm="grub2-install" name="devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:185): avc:  denied  { open } for  pid=1605 comm="grub2-install" path="/proc/devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:186): avc:  denied  { getattr } for  pid=1605 comm="grub2-install" path="/proc/devices" dev="proc" ino=4026532021 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.976:187): avc:  denied  { ioctl } for  pid=1605 comm="grub2-install" path="/dev/mapper/control" dev="devtmpfs" ino=161 ioctlcmd=0xfd00 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:188): avc:  denied  { read } for  pid=1605 comm="grub2-install" name="vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:189): avc:  denied  { open } for  pid=1605 comm="grub2-install" path="/dev/vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.977:190): avc:  denied  { ioctl } for  pid=1605 comm="grub2-install" path="/dev/vda" dev="devtmpfs" ino=345 ioctlcmd=0x1261 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:191): avc:  denied  { execute } for  pid=1606 comm="grub2-install" name="udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:192): avc:  denied  { read open } for  pid=1606 comm="grub2-install" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.978:193): avc:  denied  { execute_no_trans } for  pid=1606 comm="grub2-install" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.979:194): avc:  denied  { map } for  pid=1606 comm="udevadm" path="/usr/bin/udevadm" dev="vda4" ino=1234949 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.988:195): avc:  denied  { map } for  pid=1606 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.988:196): avc:  denied  { search } for  pid=1606 comm="udevadm" name="contexts" dev="vda4" ino=6293673 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:197): avc:  denied  { search } for  pid=1606 comm="udevadm" name="files" dev="vda4" ino=7441252 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:198): avc:  denied  { read } for  pid=1606 comm="udevadm" name="file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:199): avc:  denied  { open } for  pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:200): avc:  denied  { getattr } for  pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="vda4" ino=7441259 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.989:201): avc:  denied  { map } for  pid=1606 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="vda4" ino=7441418 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:01 2024
type=AVC msg=audit(1719385081.993:202): avc:  denied  { getattr } for  pid=1606 comm="udevadm" path="/sys/dev/block/252:3" dev="sysfs" ino=29718 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.249:203): avc:  denied  { write } for  pid=1605 comm="grub2-install" name="vda" dev="devtmpfs" ino=345 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.307:204): avc:  denied  { unlink } for  pid=1605 comm="grub2-install" name="mda_text.mod~" dev="vda3" ino=32951 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.311:205): avc:  denied  { write } for  pid=1600 comm="bootupd" path=2F626F6F742F233137202864656C6574656429 dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.313:206): avc:  denied  { link } for  pid=1600 comm="bootupd" name="#17" dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.313:207): avc:  denied  { rename } for  pid=1600 comm="bootupd" name=".tmp.xBbMvtEE.tmp" dev="vda3" ino=17 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:208): avc:  denied  { search } for  pid=1600 comm="bootupd" name="pki" dev="vda4" ino=15782406 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:209): avc:  denied  { read } for  pid=1600 comm="bootupd" name="openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:210): avc:  denied  { open } for  pid=1600 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.317:211): avc:  denied  { getattr } for  pid=1600 comm="bootupd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=10541892 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.342:212): avc:  denied  { getattr } for  pid=1600 comm="bootupd" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.385:213): avc:  denied  { mount } for  pid=1627 comm="mount" name="/" dev="vda2" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.386:214): avc:  denied  { mounton } for  pid=1627 comm="mount" path="/boot/efi" dev="vda3" ino=65537 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.390:215): avc:  denied  { read } for  pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:216): avc:  denied  { write } for  pid=1600 comm="bootupd" name="EFI" dev="vda2" ino=113 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:217): avc:  denied  { add_name } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:218): avc:  denied  { create } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.391:219): avc:  denied  { write open } for  pid=1600 comm="bootupd" path="/boot/efi/EFI/.tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:220): avc:  denied  { setattr } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:221): avc:  denied  { remove_name } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.411:222): avc:  denied  { rename } for  pid=1600 comm="bootupd" name=".tmp8hCmhPrN.tmp" dev="vda2" ino=127 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.419:223): avc:  denied  { unlink } for  pid=1600 comm="bootupd" name="grubx64.efi" dev="vda2" ino=128 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=1
----
time->Wed Jun 26 06:58:02 2024
type=AVC msg=audit(1719385082.426:224): avc:  denied  { unmount } for  pid=1634 comm="umount" scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem permissive=1

HuijingHei · 2024-06-26T14:53:41Z

Create https://issues.redhat.com/browse/FC-1230 to track the denied logs.

travier · 2024-07-23T15:28:45Z

Create issues.redhat.com/browse/FC-1230 to track the denied logs.

Note that there is probably nobody looking at this project as it's mostly mirrored issues from bugzilla. It should probably be a bugzilla instead.

travier · 2024-07-23T16:34:15Z

Closing for now. We'll do #2257

HuijingHei · 2024-07-29T07:37:31Z

Create issues.redhat.com/browse/FC-1230 to track the denied logs.

Note that there is probably nobody looking at this project as it's mostly mirrored issues from bugzilla. It should probably be a bugzilla instead.

Thanks! New bug https://bugzilla.redhat.com/show_bug.cgi?id=2300306 to track the issue.

modules/contrib/bootupd: Remove module

e1d2073

Bootupd is no longer using a systemd service and socket unit. It is now called either directly from the command line by an administrator or in the furture as part of the boot process in a oneshot unit. See: coreos/bootupd#551

travier force-pushed the rawhide-rm-bootupd branch from 8ad8753 to e1d2073 Compare June 4, 2024 09:38

travier closed this Jul 23, 2024

travier deleted the rawhide-rm-bootupd branch July 23, 2024 16:34

travier mentioned this pull request Jul 23, 2024

Help SELinux team with SELinux failures on Rawhide coreos/fedora-coreos-tracker#1768

Open

travier mentioned this pull request Aug 29, 2024

Revert to permissive for coreos-installer & bootupd #2257

Open

travier mentioned this pull request Nov 25, 2024

Make bootupd_t permissive #2444

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

modules/contrib/bootupd: Remove module #2145

modules/contrib/bootupd: Remove module #2145

travier commented Jun 3, 2024

HuijingHei commented Jun 4, 2024

travier commented Jun 4, 2024

zpytela commented Jun 12, 2024

travier commented Jun 21, 2024 •

edited

Loading

travier commented Jun 21, 2024

travier commented Jun 21, 2024

travier commented Jun 21, 2024

travier commented Jun 21, 2024

HuijingHei commented Jun 21, 2024

travier commented Jun 21, 2024

HuijingHei commented Jun 25, 2024 •

edited

Loading

travier commented Jun 25, 2024

HuijingHei commented Jun 26, 2024

HuijingHei commented Jun 26, 2024

travier commented Jul 23, 2024

travier commented Jul 23, 2024

HuijingHei commented Jul 29, 2024

modules/contrib/bootupd: Remove module #2145

modules/contrib/bootupd: Remove module #2145

Conversation

travier commented Jun 3, 2024

HuijingHei commented Jun 4, 2024

travier commented Jun 4, 2024

zpytela commented Jun 12, 2024

travier commented Jun 21, 2024 • edited Loading

travier commented Jun 21, 2024

travier commented Jun 21, 2024

travier commented Jun 21, 2024

travier commented Jun 21, 2024

HuijingHei commented Jun 21, 2024

travier commented Jun 21, 2024

HuijingHei commented Jun 25, 2024 • edited Loading

travier commented Jun 25, 2024

HuijingHei commented Jun 26, 2024

HuijingHei commented Jun 26, 2024

travier commented Jul 23, 2024

travier commented Jul 23, 2024

HuijingHei commented Jul 29, 2024

travier commented Jun 21, 2024 •

edited

Loading

HuijingHei commented Jun 25, 2024 •

edited

Loading