
c9s: coreos-installer-generator hitting SELinux denials, breaking ISO tests #1514

@jlebon

Description

[   19.224742] zram_generator::config[868]: No configuration found.
[   19.246283] audit: type=1400 audit(1716454944.544:4): avc:  denied  { search } for  pid=878 comm="ln" name="generator" dev="tmpfs" ino=512 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0
[   19.246869] audit: type=1400 audit(1716454944.544:5): avc:  denied  { search } for  pid=878 comm="ln" name="generator" dev="tmpfs" ino=512 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0
[   19.246909] ln: failed to access '/run/systemd/generator/default.target': Permission denied

Specifically, coreos-installer is prevented from writing to /run/systemd/generator/. The type of the generator here looks suspect. It's one of the only generators which isn't init_exec_t:

[root@cosa-devsh ~]# ls -lZ /usr/lib/systemd/system-generators/
total 7748
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0             6480248 Jan  1  1970 bootc-systemd-generator
-r-xr-xr-x. 2 root root system_u:object_r:init_exec_t:s0                4101 Jan  1  1970 coreos-boot-mount-generator
-rwxr-xr-x. 2 root root system_u:object_r:coreos_installer_exec_t:s0    1050 Jan  1  1970 coreos-installer-generator
-r-xr-xr-x. 2 root root system_u:object_r:init_exec_t:s0                2955 Jan  1  1970 coreos-liveiso-autologin-generator
-r-xr-xr-x. 2 root root system_u:object_r:init_exec_t:s0                2221 Jan  1  1970 coreos-sulogin-force-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0                 541 Jan  1  1970 kdump-dep-generator.sh
-rwxr-xr-x. 2 root root system_u:object_r:nfsd_exec_t:s0               40656 Jan  1  1970 nfs-server-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               15832 Jan  1  1970 ostree-system-generator
lrwxrwxrwx. 3 root root system_u:object_r:lib_t:s0                        31 Aug  1  2022 podman-system-generator -> ../../../libexec/podman/quadlet
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               24032 Jan  1  1970 rpc-pipefs-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0                1005 Jan  1  1970 selinux-autorelabel-generator.sh
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               15624 Jan  1  1970 systemd-bless-boot-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               40920 Jan  1  1970 systemd-cryptsetup-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               24312 Jan  1  1970 systemd-debug-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               57688 Jan  1  1970 systemd-fstab-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               24096 Jan  1  1970 systemd-getty-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               16096 Jan  1  1970 systemd-hibernate-resume-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               24240 Jan  1  1970 systemd-integritysetup-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               15624 Jan  1  1970 systemd-rc-local-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               24288 Jan  1  1970 systemd-run-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               15824 Jan  1  1970 systemd-system-update-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               36424 Jan  1  1970 systemd-sysv-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0               36864 Jan  1  1970 systemd-veritysetup-generator
-rwxr-xr-x. 2 root root system_u:object_r:init_exec_t:s0              995400 Jan  1  1970 zram-generator

This looks like a regression from fedora-selinux/selinux-policy@55e9ed8edf, i.e. fedora-selinux/selinux-policy#2111, i.e. https://issues.redhat.com/browse/RHEL-22173.

/cc @zpytela
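As an added triage example (not part of the issue, of coreos-installer, or of selinux-policy), assuming only POSIX sh, sed and awk, and using sample lines constructed from the output above: the first helper reduces an AVC record to the four fields that matter, and the second flags generators whose file type would force a domain transition away from systemd's own domain.

```shell
#!/bin/sh
# Added triage helpers (not from the issue or coreos-installer); POSIX sh + sed + awk.

# Sample lines constructed from the report above.
SAMPLE_AVC='audit: type=1400 audit(1716454944.544:4): avc:  denied  { search } for  pid=878 comm="ln" name="generator" dev="tmpfs" ino=512 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0'
SAMPLE_LS='-r-xr-xr-x. 2 root root system_u:object_r:init_exec_t:s0 4101 Jan 1 1970 coreos-boot-mount-generator
-rwxr-xr-x. 2 root root system_u:object_r:coreos_installer_exec_t:s0 1050 Jan 1 1970 coreos-installer-generator
-rwxr-xr-x. 2 root root system_u:object_r:nfsd_exec_t:s0 40656 Jan 1 1970 nfs-server-generator
lrwxrwxrwx. 3 root root system_u:object_r:lib_t:s0 31 Aug 1 2022 podman-system-generator -> ../../../libexec/podman/quadlet'

# Reduce one AVC line to "perm source_type target_type class", the four
# fields that decide whether this is a labeling bug or a missing policy rule.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([a-z_]*\).*/\1 \2 \3 \4/p'
}

# Read `ls -lZ` output of a generator directory on stdin and print every
# regular file whose type is not init_exec_t, with that type. A generator runs
# in systemd's domain unless its label triggers a transition, so each hit is
# either a deliberate policy domain (e.g. nfsd_exec_t) or, as in this issue,
# a mislabeled file. Symlinks are skipped: their label is not the target's.
odd_generator_labels() {
    awk '$1 ~ /^-/ { split($5, ctx, ":"); if (ctx[3] != "init_exec_t") print $NF, ctx[3] }'
}

# Usage on a live host:
#   dmesg | grep 'avc:  denied' | while IFS= read -r l; do avc_summary "$l"; done
#   ls -lZ /usr/lib/systemd/system-generators/ | odd_generator_labels
avc_summary "$SAMPLE_AVC"
printf '%s\n' "$SAMPLE_LS" | odd_generator_labels
```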

Labels: lifecycle/rotten (denotes an issue or PR that has aged beyond stale and will be auto-closed)