My system was no longer able to boot after installing selinux-policy-40.22-1 because systemd couldn't decrypt my extra disks as the systemd-cryptsetup-generator failed to create the units for them.
systemd-cryptsetup-generator[1119]: Failed to generate keydev mount unit: Permission denied
kernel: audit: type=1400 audit(1718826964.334:4): avc: denied { write } for pid=1119 comm="systemd-cryptse" name="systemd" dev="tmpfs" ino=845 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
(sd-exec-[1112]: /usr/lib/systemd/system-generators/systemd-cryptsetup-generator failed with exit status 1.
Obviously systemd-cryptsetup-generator should be allowed to write where it needs to. I guess that is /run/systemd/generator/ and /run/systemd/cryptsetup, looking at the file paths after a successful boot, but I am not sure if there is more.
Same issue with selinux-policy-40.27-1.fc40.noarch
I use the keyfile directive with a different file system label, so it must be mounted first. systemd-cryptsetup-generator tries to create directories in /run/systemd/cryptsetup/ as the mount point target for the keyfile fs, but SELinux seems to be blocking access there.
I am using chcon system_u:object_r:init_exec_t:s0 /usr/lib/systemd/system-generators/systemd-cryptsetup-generator as a workaround for now.
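For triaging denials like the one in this report, the following added example (not part of the original thread and not code from the selinux-policy project) parses AVC records out of mixed boot-log lines and merges them into allow-rule text a policy maintainer could review, in the same shape audit2allow prints. The three report lines are copied from the issue; the `add_name` line is constructed here only to show permissions being merged.

```python
import re

# Log lines copied from the report above.
REPORT_LINES = [
    'systemd-cryptsetup-generator[1119]: Failed to generate keydev mount unit: Permission denied',
    'kernel: audit: type=1400 audit(1718826964.334:4): avc: denied { write } for pid=1119 '
    'comm="systemd-cryptse" name="systemd" dev="tmpfs" ino=845 '
    'scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0',
    '(sd-exec-[1112]: /usr/lib/systemd/system-generators/systemd-cryptsetup-generator '
    'failed with exit status 1.',
]
# Constructed line (NOT from the report), used only to demonstrate merging.
CONSTRUCTED = ('avc: denied { add_name } for pid=1119 comm="systemd-cryptse" name="cryptsetup" '
               'scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 '
               'tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other (or malformed) line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the level may itself contain ':',
        # so split at most three times and take the third field as the type.
        src, tgt = (fields[k].split(':', 3)[2] for k in ('scontext', 'tcontext'))
        cls = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'perms': m.group(1).split(), 'src': src, 'tgt': tgt,
            'tclass': cls, 'fields': fields}

def candidate_rules(lines):
    """Merge denials per (source type, target type, class) into rule text for review."""
    merged = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['src'], rec['tgt'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules
```

Run over the report's own lines, `candidate_rules(REPORT_LINES)` yields a single rule for `systemd_cryptsetup_generator_t` writing to an `init_var_run_t` directory; the other two lines are skipped because they are not AVC records.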