F41 ublue-sulogin-generator selinux #653

bsherman · 2024-10-26T16:02:51Z

@antheas discovered an issue for F41 with our ublue-sulogin-generator

bsherman · 2024-10-26T19:11:37Z

Did some research...

noticed that the SElinux contexts for several systemd-generators differ between F40 and F41.

F41 Silverblue/ublue:

bsherman@fedora:~$ ls -Z /usr/lib/systemd/system-generators/
                         system_u:object_r:nfsd_exec_t:s0 nfs-server-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 ostree-system-generator
                               system_u:object_r:lib_t:s0 podman-system-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 rpc-pipefs-generator
system_u:object_r:selinux_autorelabel_generator_exec_t:s0 selinux-autorelabel-generator.sh
 system_u:object_r:systemd_bless_boot_generator_exec_t:s0 systemd-bless-boot-generator
 system_u:object_r:systemd_cryptsetup_generator_exec_t:s0 systemd-cryptsetup-generator
      system_u:object_r:systemd_debug_generator_exec_t:s0 systemd-debug-generator
      system_u:object_r:systemd_fstab_generator_exec_t:s0 systemd-fstab-generator
      system_u:object_r:systemd_getty_generator_exec_t:s0 systemd-getty-generator
        system_u:object_r:systemd_gpt_generator_exec_t:s0 systemd-gpt-auto-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 systemd-hibernate-resume-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 systemd-integritysetup-generator
   system_u:object_r:systemd_rc_local_generator_exec_t:s0 systemd-rc-local-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 systemd-run-generator
        system_u:object_r:systemd_ssh_generator_exec_t:s0 systemd-ssh-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 systemd-system-update-generator
       system_u:object_r:systemd_sysv_generator_exec_t:s0 systemd-sysv-generator
       system_u:object_r:systemd_tpm2_generator_exec_t:s0 systemd-tpm2-generator
    system_u:object_r:systemd_generic_generator_exec_t:s0 systemd-veritysetup-generator
    **system_u:object_r:systemd_generic_generator_exec_t:s0 ublue-sulogin-generator**
       system_u:object_r:systemd_zram_generator_exec_t:s0 zram-generator

F40 Silverblue/ublue:

bsherman@fedora:~$ ls -Z /usr/lib/systemd/system-generators/
                         system_u:object_r:init_exec_t:s0 bootc-systemd-generator
                         system_u:object_r:nfsd_exec_t:s0 nfs-server-generator
                         system_u:object_r:init_exec_t:s0 ostree-system-generator
                               system_u:object_r:lib_t:s0 podman-system-generator
                         system_u:object_r:init_exec_t:s0 rpc-pipefs-generator
system_u:object_r:selinux_autorelabel_generator_exec_t:s0 selinux-autorelabel-generator.sh
 system_u:object_r:systemd_bless_boot_generator_exec_t:s0 systemd-bless-boot-generator
 system_u:object_r:systemd_cryptsetup_generator_exec_t:s0 systemd-cryptsetup-generator
      system_u:object_r:systemd_debug_generator_exec_t:s0 systemd-debug-generator
      system_u:object_r:systemd_fstab_generator_exec_t:s0 systemd-fstab-generator
      system_u:object_r:systemd_getty_generator_exec_t:s0 systemd-getty-generator
        system_u:object_r:systemd_gpt_generator_exec_t:s0 systemd-gpt-auto-generator
                         system_u:object_r:init_exec_t:s0 systemd-hibernate-resume-generator
                         system_u:object_r:init_exec_t:s0 systemd-integritysetup-generator
   system_u:object_r:systemd_rc_local_generator_exec_t:s0 systemd-rc-local-generator
                         system_u:object_r:init_exec_t:s0 systemd-run-generator
                         system_u:object_r:init_exec_t:s0 systemd-system-update-generator
       system_u:object_r:systemd_sysv_generator_exec_t:s0 systemd-sysv-generator
                         system_u:object_r:init_exec_t:s0 systemd-veritysetup-generator
                         system_u:object_r:init_exec_t:s0 ublue-sulogin-generator
       system_u:object_r:systemd_zram_generator_exec_t:s0 zram-generator

I found that this commit from May adds the new systemd_generic_generator_exec_t context, which is more restrictive than the previous default of init_exec_t: fedora-selinux/selinux-policy@feb2379

And this commit from July adds some CoreOS specific policies: fedora-selinux/selinux-policy@7aad2a6

This is important because ublue-sulogin-generator started life in ublue, but I also submitted it to coreos as coreos-sulogin-generator...

So we can probably solve this issue by renaming our ublue-sulogin-generator to coreos-sulogin-generator and calling it good.

antheas · 2024-10-26T19:18:05Z

By the way, do not worry about the gnome issue. Unrelated upstream crash.

Remove our in-repo copy of `ublue-sulogin-generator` and replace with the current version from CoreOS. This way we will stay in sync with that as an upstream, and comply with new Fedora 41 SElinux policy. Safe for F39/F40 as well. Fixes: #653

bsherman mentioned this issue Oct 26, 2024

Fedora 41 Readiness Tracker #634

Open

23 tasks

dosubot bot added the bug Something isn't working label Oct 26, 2024

bsherman self-assigned this Oct 26, 2024

bsherman mentioned this issue Oct 26, 2024

fix: handle new F41 selinux policies for sulogin-generator #654

Merged

bsherman closed this as completed in #654 Oct 26, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

F41 ublue-sulogin-generator selinux #653

F41 ublue-sulogin-generator selinux #653

bsherman commented Oct 26, 2024

bsherman commented Oct 26, 2024

antheas commented Oct 26, 2024

F41 ublue-sulogin-generator selinux #653

F41 ublue-sulogin-generator selinux #653

Comments

bsherman commented Oct 26, 2024

bsherman commented Oct 26, 2024

antheas commented Oct 26, 2024