Open
Description
On a Fedora 42 IoT system, I observed the following denials in the journal:
Mar 06 21:59:51 localhost kernel: audit: type=1400 audit(1741298390.793:7): avc: denied { map } for pid=665 comm="bootc-systemd-g" path="/usr/bin/bash" dev="overlay" ino=941 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
Mar 06 21:59:51 localhost kernel: audit: type=1400 audit(1741298390.793:8): avc: denied { execute } for pid=665 comm="bootc-systemd-g" path="/usr/bin/bash" dev="overlay" ino=941 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
Mar 06 21:59:51 localhost kernel: audit: type=1400 audit(1741298390.818:9): avc: denied { read } for pid=665 comm="bootc-systemd-g" name="passwd" dev="vda3" ino=152607 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Mar 06 21:59:51 localhost kernel: audit: type=1400 audit(1741298390.818:10): avc: denied { open } for pid=665 comm="bootc-systemd-g" path="/etc/passwd" dev="vda3" ino=152607 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
This doesn't seem to have affected the ability to run the generator and resulting bootc-fstab-edit.service, but it would be nice to squash these.
Versions:
# rpm -q bootc selinux-policy
bootc-1.1.5-1.fc42.x86_64
selinux-policy-41.33-1.fc42.noarch
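An added example, not part of the original report or of bootc or selinux-policy: a Python script that groups AVC records like the ones above by source type, target type and object class, so the four journal lines collapse into the two distinct accesses a policy change would have to cover. The function names are hypothetical; the sample input is the report's own records with the journal prefix trimmed.

```python
import re
from collections import defaultdict

# The four AVC records from the report above, journal/kernel prefix trimmed.
SAMPLE = """\
avc: denied { map } for pid=665 comm="bootc-systemd-g" path="/usr/bin/bash" dev="overlay" ino=941 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
avc: denied { execute } for pid=665 comm="bootc-systemd-g" path="/usr/bin/bash" dev="overlay" ino=941 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
avc: denied { read } for pid=665 comm="bootc-systemd-g" name="passwd" dev="vda3" ino=152607 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
avc: denied { open } for pid=665 comm="bootc-systemd-g" path="/etc/passwd" dev="vda3" ino=152607 scontext=system_u:system_r:systemd_generic_generator_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    return fields

def se_type(context):
    """Extract the type from a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "enforced": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec.get("path") or rec.get("name", "?"))
        # permissive=1: access was logged but allowed; permissive=0: it was blocked.
        g["enforced"] = g["enforced"] or rec.get("permissive") == "0"
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        state = "blocked" if g["enforced"] else "logged only (permissive)"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} on {sorted(g['objects'])}: {state}")
```

Every record here carries `permissive=1`, so both groups come out as logged only, which matches the report that the generator still ran.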