Fedora 33: "Generating initramfs" causes AVC denial and SELINUX_ERR

[Mershl]

Host system details
selinux-policy-3.14.6-30.fc33.noarch
rpm-ostree-2020.8-1.fc33.x86_64

Seen Behavior

rpm-ostree override replace kernel*.rpm
...
Generating initramfs...    // AVC denial and SELINUX_ERR reported

ausearch -i -m avc,user_avc,selinux_err,user_selinux_err:
----
type=AVC msg=audit(29.11.2020 23:35:58.798:534) : avc:  denied  { nnp_transition nosuid_transition } for  pid=42690 comm=dracut scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=0 
----
type=SELINUX_ERR msg=audit(29.11.2020 23:35:58.798:535) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0 newcontext=system_u:system_r:setfiles_mac_t:s0

Fedora Bugzilla ticket
https://bugzilla.redhat.com/show_bug.cgi?id=1902522

[cgwalters]

Thanks for filing this! We have tests for this but...this one slips through an unfortunate gap because:

• Our upstream CI is still on f32
• We aren't yet running upstream tests on the main CoreOS releases (which includes a next stream that is f33); I've been trying to do this for a while, see exttests: New container image with upstream tests coreos-assembler#1745
• Fedora's CI doesn't run either tests

[cgwalters]

Coincidentally I happened to hit this in a different way and then figured out it was the same bug:
#2371

[Mershl]

Hi @cgwalters, just tested rpm-ostree-2020.10-1.fc33.x86_64 and rpm-ostree-libs-2020.10-1.fc33.x86_64. The AVC denial is still popping up for "rpm-ostree override replace kernel*.rpm".

$ rpm -qa | grep rpm-ostree
gnome-software-rpm-ostree-3.38.0-2.fc33.x86_64
rpm-ostree-libs-2020.10-1.fc33.x86_64
rpm-ostree-2020.10-1.fc33.x86_64

$ rpm -qa | grep "^selinux"
selinux-policy-targeted-3.14.6-31.fc33.noarch
selinux-policy-3.14.6-31.fc33.noarch

$ rpm-ostree override replace kernel-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm kernel-core-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm kernel-modules-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm kernel-modules-extra-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm
Checking out tree 9e7a339... done
[...]
Importing rpm-md... done
Resolving dependencies... done
Applying 13 overrides and 332 overlays
Processing packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Generating initramfs... done
Writing OSTree commit... done
Staging deployment... done
Freed: 941,3 MB (pkgcache branches: 19)
Upgraded:
  kernel 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
  kernel-core 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
  kernel-modules 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
  kernel-modules-extra 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
Run "systemctl reboot" to start a reboot

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
type=AVC msg=audit(15.12.2020 17:07:25.752:536) : avc:  denied  { nnp_transition nosuid_transition } for  pid=19800 comm=dracut scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=1

[cgwalters]

Moved that to https://bugzilla.redhat.com/show_bug.cgi?id=1911505