Bug | Resolution: Unresolved | Normal | rhel-9.5.z | rhel-security-selinux | ssg_security | QE ack | Release Note Not Required
What were you trying to do that didn't work?
On an rpm-ostree based system, `rpm-ostree usroverlay` creates `/var/tmp/ostree-unlock-ovl.XXXXXX` with an overlayfs mounted on top of it.
Sometimes (when files were changed but the shutdown was unclean, I think) files are left behind.
ostree does ship `/usr/lib/tmpfiles.d/ostree-tmpfiles.conf` to clean these up on boot, but the cleanup is blocked by SELinux.
What is the impact of this issue to you?
Files are not removed, and an AVC denial is logged.
Please provide the package NVR for which the bug is seen:
selinux-policy-38.1.45-3.el9_5.noarch
How reproducible is this bug?
I quickly tried to reproduce it manually but couldn't; I've seen it multiple times already, though.
Steps to reproduce
No reproduction scenario for now.
Expected results
It works.
Actual results
```
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-boot-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[1992]: AVC avc: denied
audit[1992]: SYSCALL arch=c000003e syscall=263 success=no exit=-13 a0=c a1=56480fb89e73 a2=0 a3=9b items=0 ppid=1 pid=1992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
audit: PROCTITLE proctitle=73797374656D642D746D7066696C6573002D2D637265617465002D2D72656D6F7665002D2D626F6F74002D2D6578636C7564652D7072656669783D2F646576
audit[1992]: AVC avc: denied { unlink } for pid=1992 comm="systemd-tmpfile" name="#2f2" dev="dm-0" ino=410626511 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=chr_file permissive=0
audit[1992]: SYSCALL arch=c000003e syscall=263 success=no exit=-13 a0=6 a1=56480fb59cf3 a2=0 a3=9b items=0 ppid=1 pid=1992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
audit: PROCTITLE proctitle=73797374656D642D746D7066696C6573002D2D637265617465002D2D72656D6F7665002D2D626F6F74002D2D6578636C7564652D7072656669783D2F646576
systemd-tmpfiles[1992]: rm_rf(/var/tmp/ostree-unlock-ovl.MUTOZ2): Permission denied
```
Needed rules:
```
# audit2allow -b -m test
module test 1.0;

require {
	type usr_t;
	type systemd_tmpfiles_t;
	class chr_file unlink;
}

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:chr_file unlink;
```
Or in CIL:
```
(typeattributeset cil_gen_require systemd_tmpfiles_t)
(typeattributeset cil_gen_require usr_t)
(allow systemd_tmpfiles_t usr_t (chr_file (unlink)))
```
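As an added example (not part of this report, nor of the selinux-policy or ostree projects), the Python below does by hand what `audit2allow -b` did for the records above: it parses the AVC record into its fields, decodes the hex PROCTITLE to show the exact `systemd-tmpfiles` invocation that was denied, and merges denials with the same source type, target type and class into a CIL allow rule. The two sample log lines are constructed from the denial quoted in this report.

```python
import re
from collections import OrderedDict

# Constructed sample: the AVC and PROCTITLE records quoted in this report, as two log lines.
SAMPLE_LOG = """\
audit[1992]: AVC avc: denied { unlink } for pid=1992 comm="systemd-tmpfile" name="#2f2" dev="dm-0" ino=410626511 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=chr_file permissive=0
audit: PROCTITLE proctitle=73797374656D642D746D7066696C6573002D2D637265617465002D2D72656D6F7665002D2D626F6F74002D2D6578636C7564652D7072656669783D2F646576
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_avc(line):
    """Return a dict of fields for one 'avc: denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()   # e.g. ['unlink']
    return rec


def ctx_type(ctx):
    """user:role:type[:level] -> type, the component policy rules are written against."""
    return ctx.split(":")[2]


def decode_proctitle(line):
    """PROCTITLE carries argv hex-encoded and NUL-joined; return it as a readable command line."""
    m = re.search(r"proctitle=([0-9A-Fa-f]+)\s*$", line)
    if not m:
        return None
    return " ".join(a.decode() for a in bytes.fromhex(m.group(1)).split(b"\x00") if a)


def denials_to_cil(log_text):
    """Merge denials sharing (source type, target type, class) into CIL allow rules,
    keeping first-seen order so the output matches the log."""
    merged = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))" for (s, t, c), p in merged.items()]


if __name__ == "__main__":
    for rule in denials_to_cil(SAMPLE_LOG):
        print(rule)
    print(decode_proctitle(SAMPLE_LOG.splitlines()[1]))
```

The decoded PROCTITLE confirms the denied process is the boot-time `systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev` run, and the generated rule is the same `(allow systemd_tmpfiles_t usr_t (chr_file (unlink)))` shown above.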