:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Setup :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 16:01:34 ] :: [ BEGIN ] :: Running 'rlImport 'selinux-policy/common'' :: [ 16:01:34 ] :: [ INFO ] :: rlImport: Found 'selinux-policy/common', version '43' during upwards traversal :: [ 16:01:34 ] :: [ INFO ] :: rlImport: Will try to import selinux-policy/common from /root/selinux/selinux-policy/Library/common/lib.sh :: [ 16:01:34 ] :: [ INFO ] :: found dependencies: 'distribution/epel ' :: [ 16:01:34 ] :: [ INFO ] :: rlImport: Found 'distribution/epel', version '2' during upwards traversal :: [ 16:01:34 ] :: [ INFO ] :: rlImport: Will try to import distribution/epel from /root/distribution/Library/epel/lib.sh :: [ 16:01:35 ] :: [ INFO ] :: found dependencies: ' distribution/LibrariesWrapper distribution/epel-internal' :: [ 16:01:35 ] :: [ INFO ] :: rlImport: Found 'distribution/LibrariesWrapper', version '9' during upwards traversal :: [ 16:01:35 ] :: [ INFO ] :: rlImport: Will try to import distribution/LibrariesWrapper from /root/distribution/Library/LibrariesWrapper/lib.sh :: [ 16:01:35 ] :: [ INFO ] :: found dependencies: '' :: [ 16:01:35 ] :: [ INFO ] :: rlImport: Found 'distribution/epel-internal', version '3' during upwards traversal :: [ 16:01:35 ] :: [ INFO ] :: rlImport: Will try to import distribution/epel-internal from /root/distribution/Library/epel-internal/lib.sh :: [ 16:01:35 ] :: [ INFO ] :: found dependencies: '' done. done. :: [ 16:01:35 ] :: [ BEGIN ] :: Running 'rlImport distribution/LibrariesWrapper' :: [ 16:01:35 ] :: [ PASS ] :: Command 'rlImport distribution/LibrariesWrapper' (Expected 0, got 0) :: [ 16:01:35 ] :: [ INFO ] :: LibrariesWrapperImport(): library fetched already :: [ 16:01:35 ] :: [ BEGIN ] :: Running 'git checkout "master" -- "epel"' :: [ 16:01:35 ] :: [ PASS ] :: Command 'git checkout "master" -- "epel"' (Expected 0, got 0) :: [ 16:01:35 ] :: [ INFO ] :: found epel v42 from https://github.com/beakerlib/epel.git?72a1d18b541fdbd775d87bb69b57c3e018e18552#epel in /root/distribution/Library/epel/lib/epel loading library distribution/epel v42... done. :: [ 16:01:35 ] :: [ LOG ] :: Determined distro is 'rhel' :: [ 16:01:35 ] :: [ LOG ] :: Determined rhel release is '10' :: [ 16:01:35 ] :: [ LOG ] :: epel repo is accessible :: [ 16:01:35 ] :: [ LOG ] :: epel repo already present :: [ 16:01:35 ] :: [ INFO ] :: SELinux: using 'semodule -lfull' to list modules :: [ 16:01:35 ] :: [ INFO ] :: Running with policy located in /etc/selinux/targeted/policy/policy.34 :: [ 16:01:35 ] :: [ LOG ] :: enriched audit log format already enabled :: [ 16:01:35 ] :: [ LOG ] :: stop the audit daemon first :: [ 16:01:35 ] :: [ BEGIN ] :: Running 'service auditd stop' Stopping logging: :: [ 16:01:35 ] :: [ PASS ] :: Command 'service auditd stop' (Expected 0,2, got 0) :: [ 16:01:40 ] :: [ LOG ] :: audit daemon configuration file is updated, starting the audit service Redirecting to /bin/systemctl status auditd.service Redirecting to /bin/systemctl start auditd.service :: [ 16:01:40 ] :: [ LOG ] :: rlServiceStart: Service auditd started successfully :: [ 16:01:40 ] :: [ INFO ] :: SELinux related packages listing: :: [ 16:01:41 ] :: [ INFO ] :: checkpolicy-3.8-1.el10.x86_64 libselinux-3.8-1.el10.x86_64 libselinux-utils-3.8-1.el10.x86_64 libsemanage-3.8.1-1.el10_0.x86_64 libsepol-3.8-1.el10.x86_64 mcstrans-3.8-1.el10.x86_64 policycoreutils-3.8-1.el10.x86_64 policycoreutils-devel-3.8-1.el10.x86_64 policycoreutils-newrole-3.8-1.el10.x86_64 policycoreutils-python-utils-3.8-1.el10.noarch selinux-policy-40.13.30-1.el10.noarch selinux-policy-devel-40.13.30-1.el10.noarch selinux-policy-epel-targeted-40.13.29-1.el10_1.noarch selinux-policy-mls-40.13.30-1.el10.noarch selinux-policy-targeted-40.13.30-1.el10.noarch setools-console-4.5.1-4.el10.x86_64 setroubleshoot-plugins-3.3.14-11.el10.noarch setroubleshoot-server-3.3.35-2.el10.x86_64 :: [ 16:01:41 ] :: [ INFO ] :: listing took 1 second(s) :: [ 16:01:41 ] :: [ INFO ] :: package 'setools-console-4.5.1-4.el10.x86_64' covers required package 'setools-console' :: [ 16:01:41 ] :: [ INFO ] :: package 'expect-5.45.4-25.el10.x86_64' covers required package 'expect' :: [ 16:01:41 ] :: [ INFO ] :: package 'policycoreutils-python-utils-3.8-1.el10.noarch' covers required package 'policycoreutils-python-utils' :: [ 16:01:41 ] :: [ INFO ] :: package 'selinux-policy-devel-40.13.30-1.el10.noarch' covers required package 'selinux-policy-devel' :: [ 16:01:41 ] :: [ INFO ] :: package 'audit-rules-4.0.3-4.el10.x86_64' covers required package 'audit-rules' :: [ 16:01:41 ] :: [ PASS ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0,1, got 0) :: [ 16:01:41 ] :: [ BEGIN ] :: Running 'epelyum install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console /usr/sbin/service bootupd ' actually running 'yum --enablerepo epel --enablerepo epel-internal install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console /usr/sbin/service bootupd' Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register. internal epel repository 11 kB/s | 2.9 kB 00:00 Package audit-4.0.3-4.el10.x86_64 is already installed. Package libselinux-3.8-1.el10.x86_64 is already installed. Package libselinux-utils-3.8-1.el10.x86_64 is already installed. Package policycoreutils-3.8-1.el10.x86_64 is already installed. Package selinux-policy-40.13.30-1.el10.noarch is already installed. Package selinux-policy-targeted-40.13.30-1.el10.noarch is already installed. Package setools-console-4.5.1-4.el10.x86_64 is already installed. Package initscripts-service-10.26-2.el10.noarch is already installed. Package bootupd-0.2.27-2.el10.x86_64 is already installed. Dependencies resolved. Nothing to do. Complete! :: [ 16:01:43 ] :: [ PASS ] :: Command 'epelyum install -y --nobest --nogpgcheck --skip-broken audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console /usr/sbin/service bootupd ' (Expected 0,1, got 0) selinux-policy-40.13.30-1.el10.noarch :: [ 16:01:43 ] :: [ PASS ] :: Checking for the presence of selinux-policy rpm :: [ 16:01:43 ] :: [ LOG ] :: Package versions: :: [ 16:01:43 ] :: [ LOG ] :: selinux-policy-40.13.30-1.el10.noarch selinux-policy-targeted-40.13.30-1.el10.noarch :: [ 16:01:43 ] :: [ PASS ] :: Checking for the presence of selinux-policy-targeted rpm :: [ 16:01:43 ] :: [ LOG ] :: Package versions: :: [ 16:01:43 ] :: [ LOG ] :: selinux-policy-targeted-40.13.30-1.el10.noarch bootupd-0.2.27-2.el10.x86_64 :: [ 16:01:43 ] :: [ PASS ] :: Checking for the presence of bootupd rpm :: [ 16:01:43 ] :: [ LOG ] :: Package versions: :: [ 16:01:43 ] :: [ LOG ] :: bootupd-0.2.27-2.el10.x86_64 Redirecting to /bin/systemctl status bootupd.service Unit bootupd.service could not be found. :: [ 16:01:43 ] :: [ WARNING ] :: rlServiceStop: service bootupd status returned 4 :: [ 16:01:43 ] :: [ WARNING ] :: rlServiceStop: Guessing that original state of bootupd is stopped Redirecting to /bin/systemctl stop bootupd.service Failed to stop bootupd.service: Unit bootupd.service not loaded. :: [ 16:01:43 ] :: [ ERROR ] :: rlServiceStop: Stopping service bootupd failed :: [ 16:01:43 ] :: [ ERROR ] :: Status of the failed service: :: [ 16:01:43 ] :: [ LOG ] :: Redirecting to /bin/systemctl status bootupd.service :: [ 16:01:43 ] :: [ LOG ] :: Unit bootupd.service could not be found. :: [ 16:01:43 ] :: [ BEGIN ] :: Running 'setenforce 1' :: [ 16:01:43 ] :: [ PASS ] :: Command 'setenforce 1' (Expected 0, got 0) :: [ 16:01:43 ] :: [ BEGIN ] :: Running 'id -Z' unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 :: [ 16:01:43 ] :: [ PASS ] :: Command 'id -Z' (Expected 0, got 0) :: [ 16:01:43 ] :: [ BEGIN ] :: Running 'sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 :: [ 16:01:43 ] :: [ PASS ] :: Command 'sestatus' (Expected 0, got 0) :: [ 16:01:43 ] :: [ BEGIN ] :: Running 'semodule --list-modules=full | grep -i disabled' :: [ 16:01:43 ] :: [ PASS ] :: Command 'semodule --list-modules=full | grep -i disabled' (Expected 0,1, got 1) :: [ 16:01:43 ] :: [ LOG ] :: rlSESetTimestamp: Setting timestamp 'TIMESTAMP' [04/29/2025 16:01:43] :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 11s :: Assertions: 12 good, 0 bad :: RESULT: PASS (Setup) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2029478 + bz#2044508 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/bootupd system_u:object_r:bootupd_exec_t:s0 :: [ 16:01:46 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/bootupd should contain bootupd_exec_t (Assert: expected 0, got 0) :: [ 16:01:46 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow init_t bootupd_exec_t : file { getattr open read execute } [ ]' FILTERED RULES allow init_t direct_init_entry:file execute_no_trans; allow init_t file_type:file { getattr relabelfrom relabelto }; allow init_t non_security_file_type:file watch; allow initrc_domain direct_init_entry:file { execute getattr map open read }; :: [ 16:01:48 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 16:01:48 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :: [ 16:01:48 ] :: [ PASS ] :: check permission 'read' is present (Assert: '0' should equal '0') :: [ 16:01:48 ] :: [ PASS ] :: check permission 'execute' is present (Assert: '0' should equal '0') :: [ 16:01:48 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow init_t bootupd_t : process { transition } [ ]' FILTERED RULES allow init_t daemon:process siginh; allow init_t domain:process { getattr getpgid noatsecure rlimitinh setrlimit setsched sigchld sigkill signal signull sigstop }; allow initrc_domain daemon:process transition; :: [ 16:01:50 ] :: [ PASS ] :: check permission 'transition' is present (Assert: '0' should equal '0') :: [ 16:01:50 ] :: [ INFO ] :: rlSESearchRule: checking rule 'type_transition init_t bootupd_exec_t : process bootupd_t [ ]' FILTERED RULES type_transition init_t bootupd_exec_t:process bootupd_t; :: [ 16:01:52 ] :: [ PASS ] :: check permission 'bootupd_t' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 7s :: Assertions: 7 good, 0 bad :: RESULT: PASS (bz#2029478 + bz#2044508) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: bz#2218106 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/bootupd system_u:object_r:bootupd_exec_t:s0 :: [ 16:01:52 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/bootupd should contain bootupd_exec_t (Assert: expected 0, got 0) :: [ 16:01:52 ] :: [ BEGIN ] :: Running 'ls -aRlZ /boot/efi' /boot/efi: total 4 drwxr-xr-x. 3 root root system_u:object_r:boot_t:s0 17 Apr 22 04:58 . dr-xr-xr-x. 5 root root system_u:object_r:boot_t:s0 4096 Apr 22 05:05 .. drwxr-xr-x. 3 root root system_u:object_r:boot_t:s0 20 Apr 22 04:58 EFI /boot/efi/EFI: total 0 drwxr-xr-x. 3 root root system_u:object_r:boot_t:s0 20 Apr 22 04:58 . drwxr-xr-x. 3 root root system_u:object_r:boot_t:s0 17 Apr 22 04:58 .. drwx------. 2 root root system_u:object_r:boot_t:s0 6 Mar 17 20:00 redhat /boot/efi/EFI/redhat: total 0 drwx------. 2 root root system_u:object_r:boot_t:s0 6 Mar 17 20:00 . drwxr-xr-x. 3 root root system_u:object_r:boot_t:s0 20 Apr 22 04:58 .. :: [ 16:01:52 ] :: [ PASS ] :: Command 'ls -aRlZ /boot/efi' (Expected 0, got 0) :: [ 16:01:52 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow bootupd_t dosfs_t : dir { getattr search } [ ]' FILTERED RULES allow bootupd_t dosfs_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; :: [ 16:01:54 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 16:01:54 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 4 good, 0 bad :: RESULT: PASS (bz#2218106) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: RHEL-36289 + RHEL-39514 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /usr/libexec/bootupd system_u:object_r:bootupd_exec_t:s0 :: [ 16:01:55 ] :: [ PASS ] :: Result of matchpathcon /usr/libexec/bootupd should contain bootupd_exec_t (Assert: expected 0, got 0) :: [ 16:01:55 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow bootupd_t efivarfs_t : dir { getattr search } [ ]' FILTERED RULES allow bootupd_t efivarfs_t:dir { getattr open search }; :: [ 16:01:56 ] :: [ PASS ] :: check permission 'getattr' is present (Assert: '0' should equal '0') :: [ 16:01:56 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 3 good, 0 bad :: RESULT: PASS (RHEL-36289 + RHEL-39514) bootupd_t is defined :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: RHEL-66584 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: /boot/bootupd-state.json system_u:object_r:boot_t:s0 :: [ 16:01:57 ] :: [ PASS ] :: Result of matchpathcon /boot/bootupd-state.json should contain boot_t (Assert: expected 0, got 0) :: [ 16:01:57 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow bootupd_t boot_t : dir { write remove_name } [ ]' FILTERED RULES allow bootupd_t boot_t:dir { add_name remove_name write }; allow domain base_file_type:dir { getattr open search }; allow domain base_ro_file_type:dir { ioctl lock read }; :: [ 16:01:59 ] :: [ PASS ] :: check permission 'write' is present (Assert: '0' should equal '0') :: [ 16:01:59 ] :: [ PASS ] :: check permission 'remove_name' is present (Assert: '0' should equal '0') :: [ 16:01:59 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow bootupd_t boot_t : file { unlink } [ ]' FILTERED RULES allow bootupd_t boot_t:file { append create link rename setattr unlink watch watch_reads write }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; :: [ 16:02:01 ] :: [ PASS ] :: check permission 'unlink' is present (Assert: '0' should equal '0') :: [ 16:02:01 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow bootupd_t dosfs_t : dir { search } [ ]' FILTERED RULES allow bootupd_t dosfs_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; :: [ 16:02:03 ] :: [ PASS ] :: check permission 'search' is present (Assert: '0' should equal '0') :: [ 16:02:03 ] :: [ INFO ] :: rlSESearchRule: checking rule 'allow bootupd_t dosfs_t : file { open } [ ]' FILTERED RULES allow bootupd_t dosfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; :: [ 16:02:04 ] :: [ PASS ] :: check permission 'open' is present (Assert: '0' should equal '0') :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 7s :: Assertions: 6 good, 0 bad :: RESULT: PASS (RHEL-66584) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: real scenario without the service or the socket :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 16:02:04 ] :: [ BEGIN ] :: Running 'rm -f /boot/bootupd-state.json' :: [ 16:02:04 ] :: [ PASS ] :: Command 'rm -f /boot/bootupd-state.json' (Expected 0, got 0) :: [ 16:02:04 ] :: [ BEGIN ] :: Running 'bootupctl adopt-and-update' Running as unit: bootupd.service; invocation ID: cb2237dde7fa4239b4ba9912124d80bf No components are adoptable. :: [ 16:02:05 ] :: [ PASS ] :: Command 'bootupctl adopt-and-update' (Expected 0,1, got 0) :: [ 16:02:05 ] :: [ BEGIN ] :: Running 'bootupctl status' Running as unit: bootupd.service No components installed. No components are adoptable. Boot method: BIOS :: [ 16:02:05 ] :: [ PASS ] :: Command 'bootupctl status' (Expected 0,1, got 0) :: [ 16:02:05 ] :: [ BEGIN ] :: Running 'bootupctl validate' Running as unit: bootupd.service; invocation ID: 04b8c95465a549618ef1d90205e0b869 No components installed. :: [ 16:02:05 ] :: [ PASS ] :: Command 'bootupctl validate' (Expected 0,1, got 0) :: [ 16:02:05 ] :: [ BEGIN ] :: Running 'lsblk' NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS vda 253:0 0 20G 0 disk ├─vda1 253:1 0 1M 0 part └─vda2 253:2 0 20G 0 part / :: [ 16:02:05 ] :: [ PASS ] :: Command 'lsblk' (Expected 0, got 0) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 1s :: Assertions: 5 good, 0 bad :: RESULT: PASS (real scenario without the service or the socket) :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Cleanup :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 16:02:07 ] :: [ LOG ] :: rlSEAVCCheck: Search for AVCs, USER_AVCs, SELINUX_ERRs, and USER_SELINUX_ERRs since timestamp 'TIMESTAMP' [04/29/2025 16:01:43] :: [ 16:02:07 ] :: [ INFO ] :: rlSEAVCCheck: ignoring patterns: :: [ 16:02:07 ] :: [ INFO ] :: rlSEAVCCheck: type=USER_AVC.*received (policyload|setenforce) notice :: [ 16:02:07 ] :: [ PASS ] :: Check there are no unexpected AVCs/ERRORs (Assert: expected 0, got 0) Redirecting to /bin/systemctl status bootupd.service Unit bootupd.service could not be found. :: [ 16:02:07 ] :: [ WARNING ] :: rlServiceRestore: service bootupd status returned 4 :: [ 16:02:07 ] :: [ WARNING ] :: rlServiceRestore: Guessing that current state of bootupd is stopped :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Duration: 2s :: Assertions: 1 good, 0 bad :: RESULT: PASS (Cleanup)