- Bug
- Resolution: Unresolved
- Minor
- rhel-10.1
- selinux-policy-40.13.35-1.el10
- rhel-security-selinux
- SELINUX 250716: 9
- Release Note Not Required
What were you trying to do that didn't work?
In our Cockpit CI infrastructure we have a test that converts a system to NBDE; rebooting into this system emits several SELinux violations.
What is the impact of this issue to you?
None; we simply assert in our tests that we have no SELinux violations.
Please provide the package NVR for which the bug is seen:
selinux-policy (40.13.31-2.el10 -> 40.13.33-1.el10)
selinux-policy-targeted (40.13.31-2.el10 -> 40.13.33-1.el10)
How reproducible is this bug?:
100%
Steps to reproduce
I'm afraid an exact reproducer is very complex, as our tests create an NBDE setup. We are happy to test a potential package with a fix.
Expected results
No SELinux denials.
Actual results
----
type=PROCTITLE msg=audit(06/18/25 23:20:28.047:299) : proctitle=/usr/lib/systemd/system-generators/systemd-cryptsetup-generator /run/systemd/generator /run/systemd/generator.early /run/systemd
type=PATH msg=audit(06/18/25 23:20:28.047:299) : item=3 name=(null) inode=1994 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_unit_file_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/18/25 23:20:28.047:299) : item=2 name=(null) inode=1991 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_unit_file_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/18/25 23:20:28.047:299) : item=1 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/18/25 23:20:28.047:299) : item=0 name=(null) inode=1991 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_unit_file_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/18/25 23:20:28.047:299) : cwd=/
type=SYSCALL msg=audit(06/18/25 23:20:28.047:299) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x55aefec35300 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_CLOEXEC a3=0x1b6 items=4 ppid=2098 pid=2108 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-cryptse exe=/usr/lib/systemd/system-generators/systemd-cryptsetup-generator subj=system_u:system_r:systemd_cryptsetup_generator_t:s0 key=(null)
type=AVC msg=audit(06/18/25 23:20:28.047:299) : avc: denied { write open } for pid=2108 comm=systemd-cryptse path=/run/systemd/generator/systemd-cryptsetup@luks\x2d3571530f\x2db457\x2d4049\x2da9ae\x2d96fb388a0a60.service dev="tmpfs" ino=1994 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/18/25 23:20:28.047:299) : avc: denied { create } for pid=2108 comm=systemd-cryptse name=systemd-cryptsetup@luks\x2d3571530f\x2db457\x2d4049\x2da9ae\x2d96fb388a0a60.service scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(06/18/25 23:20:28.052:300) : proctitle=/usr/lib/systemd/system-generators/systemd-cryptsetup-generator /run/systemd/generator /run/systemd/generator.early /run/systemd
type=SYSCALL msg=audit(06/18/25 23:20:28.052:300) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7ffdc89e84d0 a2=0x7f3a5a1f4f00 a3=0x0 items=0 ppid=2098 pid=2108 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-cryptse exe=/usr/lib/systemd/system-generators/systemd-cryptsetup-generator subj=system_u:system_r:systemd_cryptsetup_generator_t:s0 key=(null)
type=AVC msg=audit(06/18/25 23:20:28.052:300) : avc: denied { getattr } for pid=2108 comm=systemd-cryptse path=/run/systemd/generator/systemd-cryptsetup@luks\x2d3571530f\x2db457\x2d4049\x2da9ae\x2d96fb388a0a60.service dev="tmpfs" ino=1994 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
More violations in:
Links to: RHBA-2025:147963 selinux-policy bug fix and enhancement update
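As an added example (not from this report or the selinux-policy project), a small Python triage script that parses AVC records like the ones above, groups the denied permissions by source type, target type and object class, renders them as the allow rules a policy fix would need, and checks the permissive=1 flag, which here means the generator domain was permissive and the accesses were logged but not blocked. The sample input is the three AVC records from this report, embedded as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from this report, one per line.
SAMPLE_AUDIT = r"""
type=AVC msg=audit(06/18/25 23:20:28.047:299) : avc: denied { write open } for pid=2108 comm=systemd-cryptse path=/run/systemd/generator/systemd-cryptsetup@luks\x2d3571530f\x2db457\x2d4049\x2da9ae\x2d96fb388a0a60.service dev="tmpfs" ino=1994 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/18/25 23:20:28.047:299) : avc: denied { create } for pid=2108 comm=systemd-cryptse name=systemd-cryptsetup@luks\x2d3571530f\x2db457\x2d4049\x2da9ae\x2d96fb388a0a60.service scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/18/25 23:20:28.052:300) : avc: denied { getattr } for pid=2108 comm=systemd-cryptse path=/run/systemd/generator/systemd-cryptsetup@luks\x2d3571530f\x2db457\x2d4049\x2da9ae\x2d96fb388a0a60.service dev="tmpfs" ino=1994 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
"""

# One AVC record: the braced permission list, then the three labels that identify the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """Return one dict per AVC denial found in an ausearch/audit.log dump."""
    records = []
    for m in (AVC_RE.search(l) for l in text.splitlines() if "type=AVC" in l):
        if m:
            records.append({"perms": set(m["perms"].split()), "scontext": m["scontext"],
                            "tcontext": m["tcontext"], "tclass": m["tclass"],
                            # permissive=1: the access was allowed and only logged
                            "permissive": m["permissive"] == "1"})
    return records

def context_type(ctx):
    """user:role:type:level -> type (the field policy rules are written against)."""
    return ctx.split(":")[2]

def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        grouped[key] |= r["perms"]
    return {k: sorted(v) for k, v in grouped.items()}

def allow_rules(summary):
    """Render the grouped denials as the allow rules a policy fix would need."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

def all_permissive(records):
    """True if every denial came from a permissive domain, i.e. nothing actually failed."""
    return bool(records) and all(r["permissive"] for r in records)
```

Running it on the report's records yields a single rule for systemd_cryptsetup_generator_t on systemd_unit_file_t:file with create, getattr, open and write, and confirms that all three denials were permissive-mode log entries rather than enforced failures.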