Issue
Summary:
bootupd is a daemon with a remote command line interface (bootupctl). It listens on /run/bootupd.sock. Although it does not expose any privilege-escalating command, it is currently exposed only to root as a precaution, so it should probably be reachable only from the sysadm/staff domains.
It requires the privileges to remount /boot read-write when needed and to update the contents of /boot with files from /usr/lib/bootupd/updates/.
$ ls -alhZ /usr/lib/bootupd/updates/
total 4.0K
drwxr-xr-x. 3 root root system_u:object_r:lib_t:s0 33 Jan 1 1970 .
...
It also reads:
$ ls -alhZ /sysroot/.coreos-aleph-version.json
-rw-r--r--. 1 root root system_u:object_r:root_t:s0 195 Oct 14 02:07 /sysroot/.coreos-aleph-version.json
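As an added example (not code from bootupd or from the Fedora selinux-policy project), a small POSIX shell audit helper that parses `ls -alhZ` lines like the ones above and checks the two properties this issue turns on: the control socket being reachable only by its owner, and the paths bootupd needs carrying the expected SELinux type. The two file lines are built from the values quoted above; the socket line, and the generic var_run_t type on it, are assumptions, since the issue does not show the socket's listing.

```shell
#!/bin/sh
# Added audit helper (not bootupd's or selinux-policy's own code): parse
# `ls -alhZ`-style lines and check the two properties the issue cares about:
#   1. the control socket grants no access to group/other (owner only), and
#   2. the paths bootupd touches carry the SELinux type we expect.
# Limitation: paths containing whitespace or glob characters are not handled.

# SELinux type of a listing line: third colon-separated field of the context
# column, e.g. "system_u:object_r:lib_t:s0" -> "lib_t".
ctx_type() {
    set -- $1                      # split the line on whitespace
    ctx=$5
    ctx=${ctx#*:}; ctx=${ctx#*:}   # drop the SELinux user and role
    printf '%s\n' "${ctx%%:*}"     # keep the type, drop the MLS level
}

# Path of a listing line (its last field).
ctx_path() {
    set -- $1
    for p; do :; done
    printf '%s\n' "$p"
}

# Succeeds when the mode string grants nothing to group or other
# ("-rw-------." / "srw-------."); the trailing "." marks a SELinux context.
root_only() {
    set -- $1
    case $1 in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_line LINE EXPECTED_TYPE [yes]
# Prints "OK <path>" or one "FAIL <path>: ..." line per problem; returns 0/1.
audit_line() {
    line=$1; want=$2; need_root_only=${3:-no}
    path=$(ctx_path "$line"); have=$(ctx_type "$line"); status=0
    if [ "$have" != "$want" ]; then
        echo "FAIL $path: type $have, expected $want"; status=1
    fi
    if [ "$need_root_only" = yes ] && ! root_only "$line"; then
        echo "FAIL $path: mode grants access beyond the owner"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK $path"
    return "$status"
}

# Constructed sample listing. The first two lines are built from the values
# quoted in the issue; the socket line is an assumption (the issue shows no
# listing for it), as is the generic var_run_t type used on it.
UPDATES_DIR='drwxr-xr-x. 3 root root system_u:object_r:lib_t:s0 33 Jan 1 1970 /usr/lib/bootupd/updates/'
ALEPH_FILE='-rw-r--r--. 1 root root system_u:object_r:root_t:s0 195 Oct 14 02:07 /sysroot/.coreos-aleph-version.json'
SOCKET='srw-------. 1 root root system_u:object_r:var_run_t:s0 0 Oct 14 02:07 /run/bootupd.sock'

audit_line "$UPDATES_DIR" lib_t
audit_line "$ALEPH_FILE" root_t
audit_line "$SOCKET" var_run_t yes
```

On a live system the same functions can be fed real output, e.g. `audit_line "$(ls -ldZ /run/bootupd.sock)" <type> yes`, substituting the type the installed policy assigns; the expected types above are only what the listings in this issue show, not what the confining policy in the linked pull request ends up using.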
Refer to https://bugzilla.redhat.com/show_bug.cgi?id=2044508 for further details.
The service was confined in Fedora in https://github.com/fedora-selinux/selinux-policy/pull/1598, with 1 subsequent fix. There is a test available:
/CoreOS/selinux-policy/Regression/bootupd-and-similar