Brew won't be upgraded because of SELinux #56

coxde opened this issue Feb 16, 2025 · 4 comments
Labels
bug Something isn't working

Comments


coxde commented Feb 16, 2025

Hiya! I'm using a custom image based on Bazzite. I switched to uupd for system upgrades weeks ago but just found out that Brew failed every time. I checked some logs and it was related to SELinux.

Reproduction:

  1. Run sudo uupd -v or sudo systemctl start uupd.service
  2. Run brew upgrade -n and find that nothing was upgraded
  3. Check the logs

For uupd:

uupd: {"time":"XXX","level":"DEBUG","msg":"Brew module","module_name":"Brew","module_configuration":{"Title":"Brew","Description":"CLI Apps","Enabled":true,"MultiUser":false,"DryRun":false,"UserDescription":null}}
uupd: {"time":"XXX","level":"INFO","msg":"Updating","title":"Brew","description":"CLI Apps","progress":0,"total":6}

For Brew:

brew: container-shell@6.service: Unable to locate executable '/home/linuxbrew/.linuxbrew/bin/brew': Permission denied

For SELinux (sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent):

----

type=AVC msg=audit(1739730968.987:564): avc:  denied  { mac_admin } for  pid=61965 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----

type=SELINUX_ERR msg=audit(1739730968.987:565): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----

type=AVC msg=audit(1739730969.018:566): avc:  denied  { mac_admin } for  pid=61966 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----

type=SELINUX_ERR msg=audit(1739730969.018:567): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----

type=AVC msg=audit(1739730969.329:568): avc:  denied  { mac_admin } for  pid=61970 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----

type=SELINUX_ERR msg=audit(1739730969.329:569): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----

type=AVC msg=audit(1739730969.360:570): avc:  denied  { mac_admin } for  pid=61971 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----

type=SELINUX_ERR msg=audit(1739730969.360:571): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----

type=AVC msg=audit(1739730970.598:572): avc:  denied  { mac_admin } for  pid=61995 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----

type=SELINUX_ERR msg=audit(1739730970.598:573): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----

type=AVC msg=audit(1739730970.634:574): avc:  denied  { mac_admin } for  pid=61996 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----

type=SELINUX_ERR msg=audit(1739730970.634:575): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----

type=AVC msg=audit(1739730970.711:582): avc:  denied  { read } for  pid=61999 comm="(brew)" name="brew" dev="dm-0" ino=5658 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
----

type=AVC msg=audit(1739730971.750:590): avc:  denied  { read } for  pid=62007 comm="(brew)" name="brew" dev="dm-0" ino=5658 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
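
A triage sketch for the ausearch output above, added here as an example and not part of the original report or the uupd project: it collapses repeated records into unique (comm, source type, target type, class, permissions) tuples so the distinct denials stand out. The function names are hypothetical; the sample records are copied from the log in the report.

```python
import re
from collections import Counter

# Records copied from the ausearch output quoted in the issue above.
SAMPLE = """\
----
type=AVC msg=audit(1739730968.987:564): avc:  denied  { mac_admin } for  pid=61965 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
type=SELINUX_ERR msg=audit(1739730968.987:565): op=setxattr invalid_context="system_u:object_r:invalid_bootcinstall_testlabel_t:s0"
----
type=AVC msg=audit(1739730969.018:566): avc:  denied  { mac_admin } for  pid=61966 comm="chcon" capability=33  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2 permissive=0
----
type=AVC msg=audit(1739730970.711:582): avc:  denied  { read } for  pid=61999 comm="(brew)" name="brew" dev="dm-0" ino=5658 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
----
type=AVC msg=audit(1739730971.750:590): avc:  denied  { read } for  pid=62007 comm="(brew)" name="brew" dev="dm-0" ino=5658 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Count unique AVC denials and invalid-context errors in audit text."""
    denials, invalid = Counter(), Counter()
    for line in text.splitlines():  # "----" separators carry no fields
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        avc = AVC_RE.search(line)
        if fields.get("type") == "AVC" and avc:
            denials[(fields.get("comm", "?"),
                     se_type(fields.get("scontext", "?")),
                     se_type(fields.get("tcontext", "?")),
                     fields.get("tclass", "?"),
                     tuple(avc.group(1).split()))] += 1
        elif fields.get("type") == "SELINUX_ERR" and "invalid_context" in fields:
            invalid[fields["invalid_context"]] += 1
    return denials, invalid

if __name__ == "__main__":
    denials, invalid = summarize(SAMPLE)
    for (comm, src, tgt, cls, perms), n in denials.most_common():
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    for ctx, n in invalid.items():
        print(f"{n}x invalid_context: {ctx}")
```
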

gerblesh added the bug and help wanted labels Feb 24, 2025
@gerblesh
Collaborator

Fixed this via some bash-ception but it feels real jank. Also learned that machinectl shell doesn't return a nonzero exit code when the specified program exits, so that's likely a bug on the systemd side, unless it's intentional somehow.

@gerblesh
Collaborator

Should be fixed in: #54 now if you want to try it out

gerblesh removed the help wanted label Feb 24, 2025
@coxde
Author

coxde commented Feb 24, 2025

It did run well without SELinux errors tho I don't have upgradable brew pkgs for now.

@coxde
Author

coxde commented Feb 25, 2025

Now can confirm it can upgrade pkgs with no problem. Thanks!
