You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On upgrades it appears files in dtb files in /boot on aarch64 systems have the wrong context. It looks like the context matches where the files are copied from rather than the paths they are being copied to.
When booted from the fresh 40.20240825.3.0stable image (i.e. the release from a few weeks back):
Fedora CoreOS 40.20240906.3.0
[core@cosa-devsh ~]$
[core@cosa-devsh ~]$ rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
DriverState: active; periodically polling for updates (last checked Fri 2024-10-04 16:07:17 UTC)
Deployments:
_ fedora:fedora/aarch64/coreos/stable
Version: 40.20240906.3.0 (2024-09-23T18:11:19Z)
Commit: aad86a6390dbcf8caab4390e14854b2d6ddfa2b6885d5d3dfc7511bd431ba0ae
GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
fedora:fedora/aarch64/coreos/stable
Version: 40.20240825.3.0 (2024-09-10T00:49:47Z)
Commit: a0e2520be57c71a0d459fee831b1e9eb0f9aea02b4d05d2fe7b8f66b8678471a
GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
[core@cosa-devsh ~]$ sudo restorecon -vnr /boot/ostree/ | wc -l
1866
[core@cosa-devsh ~]$ sudo restorecon -vnr /boot/ostree/ | head
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/cn9132-db-B.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-3720-uDPU.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/cn9130-crb-B.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-7040-mochabin.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-3720-gl-mv1000.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-7040-db.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/cn9131-db-B.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-3720-espressobin-v7-emmc.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
So they are modules_object_t versus the policy expecting them to be boot_t. Not sure if this is a real problem or not.
Note I think this happens even on upgrades where there is no kernel update.
The text was updated successfully, but these errors were encountered:
On upgrades it appears files in dtb files in /boot on aarch64 systems have the wrong context. It looks like the context matches where the files are copied from rather than the paths they are being copied to.
When booted from the fresh
40.20240825.3.0
stable
image (i.e. the release from a few weeks back):After upgrade to latest stable:
So they are
modules_object_t
versus the policy expecting them to beboot_t
. Not sure if this is a real problem or not.Note I think this happens even on upgrades where there is no kernel update.
The text was updated successfully, but these errors were encountered: