Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

systemd: allow sys_admin for gpt-generator #1468

Open
wants to merge 1 commit into
base: rawhide
Choose a base branch
from
Open

systemd: allow sys_admin for gpt-generator #1468

wants to merge 1 commit into from

Conversation

QuintinHill
Copy link
Contributor

In Fedora 37 it seems systemd-gpt-auto-generator needs sys_admin capability.
Hopefully fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2141998

Signed-off-by: Quintin Hill stuff@quintin.me.uk

@zpytela
Copy link
Contributor

zpytela commented Nov 21, 2022

@QuintinHill Please add more information to the commit message, like triggering condition, syscall, library call. The sys_admin capability is too powerful so needs proper justification.

@QuintinHill QuintinHill mentioned this pull request Nov 21, 2022
Closed
@QuintinHill
Copy link
Contributor Author

@zpytela I've raised this fixing this another way in systemd/systemd#24431. But from that we at least learn that this is relevant only to Fedora 37 and not to Rawhide (since it is fixed already in the systemd version there).

@QuintinHill QuintinHill mentioned this pull request Nov 23, 2022
Closed
@QuintinHill
systemd: allow sys_admin for gpt-generator
5405749 
In Fedora 37 it seems systemd-gpt-auto-generator needs sys_admin capability.
This is because the code started using the BLKPG_ADD_PARTITION ioctl in
systemd/systemd@1b010ae that requires sys_admin
(see https://github.com/torvalds/linux/blob/master/block/ioctl.c#L23).

Errors in log:
systemd-gpt-auto-generator[398]: BLKPG_ADD_PARTITION failed: Permission denied
kernel: audit: type=1400 audit(1669241765.170:75): avc:  denied  { sys_admin } for  pid=398 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
kernel: audit: type=1300 audit(1669241765.170:75): arch=c000003e syscall=16 success=no exit=-13 a0=4 a1=1269 a2=7ffd3d5cabd0 a3=fb800 items=0 ppid=386 pid=398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-gpt-aut" exe="/usr/lib/systemd/system-generators/systemd-gpt-auto-generator" subj=system_u:system_r:systemd_gpt_generator_t:s0 key=(null)
kernel: audit: type=1327 audit(1669241765.170:75): proctitle=2F7573722F6C69622F73797374656D642F73797374656D2D67656E657261746F72732F73797374656D642D6770742D6175746F2D67656E657261746F72002F72756E2F73797374656D642F67656E657261746F72002F72756E2F73797374656D642F67656E657261746F722E6561726C79002F72756E2F73797374656D642F67

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2141998

Signed-off-by: Quintin Hill <stuff@quintin.me.uk>
@QuintinHill
Copy link
Contributor Author

QuintinHill commented Nov 23, 2022
edited

@zpytela Actually systemd/systemd@1b010ae introduces use of the BLKPG_ADD_PARTITION ioctl which requires sys_admin (https://github.com/torvalds/linux/blob/master/block/ioctl.c#L23) to the library code used by systemd-gpt-auto-generator. I was incorrect in my earlier comment that this is fixed in Rawhide that only removed use of the BLKPG_DEL_PARTITION ioctl that only appeared in an unreleased version of systemd. I've reworded the commit message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@QuintinHill @zpytela