Bug 1414539
Summary: | gnome-disks: SD card break the utility
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy
Status: | ASSIGNED
Severity: | high
Priority: | medium
Version: | 39
Hardware: | x86_64
OS: | Linux
Reporter: | Michal Schorm <mschorm>
Assignee: | Zdenek Pytela <zpytela>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | 3wcq6pxz, amigadave, arnis.jaundzeikars, bugzilla.redhat.com, daltonminer, dwalsh, fedora, glesage, gnikandrov+fedora, grepl.miroslav, joost, leif.middelschulte, lvrabec, mmalik, ngompa13, nikperrakis, omosnace, plautrba, redhat.c2zyt, seb, stanley_chris, starsareblueandfaraway, thaytan, tommy, V02460, vmojzis, zeeshanak, zpytela
Keywords: | Reopened
Last Closed: | 2023-12-05 20:58:14 UTC
Type: | Bug

Description
Michal Schorm
2017-01-18 19:11:28 UTC
Same here, although I discovered it in an attempt to benchmark my SD card.

Same here, but with eMMC.

This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Still happens on Fedora 27 here.

Oops, actually it works! But segfaults if run on disk ChromeOS partitions, but that's another story.

It is still an issue. A week ago, I tried it again on F27. Exactly same result. I gave up on 'gnome-disks' with SD cards. Using pure 'dd' for such purposes now.

I'm encountering this problem still on F27 too. When asked to do some tasks (like Benchmarking), udisksd exits with SIGTERM. I can't see what's wrong, but it works if I do setenforce 0, so it's something related to selinux policies.

I can confirm this problem on F27 as well. No AVC in audit.log, but disabling of selinux helps as Jan said.

This is still an issue in Fedora 28 (pre-)beta.
Also confirmed: Running 'sudo setenforce 0' and restarting gnome-disks is a workaround to make "restoring" an image to an SD card work. (This is necessary when imaging a disk image to an SD or microSD card for ARM devices.) As setting SELinux to permissive is a workaround, it appears to be an SELinux policy problem.

Maintainers, can we get some quick response, please? It has been a year ... I really don't know what info I should provide as I'm not gnome-disk's maintainer.

Same problem here with Fedora 28. Setting SELinux to permissive stops the problem.

This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.

Still happens on version 29

Still happens on Fedora 30.

This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Still happens on fedora 32
$ sudo setenforce permissive
is a workaround

Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.

This bug still exists (see my last comment)

Reopening and updating the version field per comment #19

To make the devices accessible again, after running into the error described above, execute:
# systemctl restart udisks2
The following command is a workaround for people who do not want to disable SELinux altogether, yet want to use `gnome-disks` on MMC block devices (i.e. `/dev/mmcblk0`):
1. Insert MMC into drive.
2. Execute:
# chcon -t fixed_disk_device_t /dev/mmcblk0
3. Open gnome-disks to write an image to /dev/mmcblk0
AFAICT a proper fix should go into SELinux policies.
This is still an issue on Fedora 34

This seems like an SELinux policy issue, changing component and updating to track for F34, since it's still an issue.

Neal,
Will you be able to gather all denials with full auditing enabled?
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

@Zdenek, I've been encountering the same scenario today on F34
Here's what I gathered:
[root@Cordelia chris]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@Cordelia chris]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(09/08/2021 12:51:50.325:231) : avc: denied { read } for pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(09/08/2021 12:51:50.325:232) : avc: denied { read } for pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life.
If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed.

Have faced this issue in Fedora 36 Silverblue recently. Hot Fix mentioned at https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 worked

I can still reproduce this on Fedora 37 Workstation. Applying the fixed_disk_device_t label as suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 does temporarily fix this for me. I can provide additional details as requested.

Dalton,
Can you provide some more data?
rpm -qa selinux-policy
matchpathcon /dev/mmcblk*
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
The key permissions were added in selinux-policy-37.9-1

Sure Zdenek, here's what I have:
dminer $ rpm -qa selinux-policy
selinux-policy-37.19-1.fc37.noarch
~ dminer $ matchpathcon /dev/mmcblk*
/dev/mmcblk0 system_u:object_r:removable_device_t:s0
~ dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>
I can confirm that I can still reproduce the bug described in the ticket as of today. I'm also using the auditd settings that you suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.
(In reply to Dalton Miner from comment #33)
> dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts
> today
> <no matches>
>
> I can confirm that I can still reproduce the bug described in the ticket as
> of today. I'm also using the auditd settings that you suggested in
> https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.
These two seem to be contradictory to me, please show the AVC denials using current selinux-policy. I cannot see any problem with your settings.

This bug still exists in fc38.
$ rpm -qa selinux-policy
selinux-policy-38.12-1.fc38.noarch
$ matchpathcon /dev/mmcblk*
/dev/mmcblk0 system_u:object_r:removable_device_t:s0
$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>
Workaround was to use `setenforce 0`.

Do I read it correctly there are no AVC denials audited nor they are in journal, but setenforce 0 makes the scenario working? In that case, can you temporarily enable dontaudit rules?
semodule -DB
<reproduce>
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
semodule -B

Can reproduce in Fedora Silverblue 38. Steps are slightly different due to the change in UI (now: open gnome disks, select the SD card from the sidebar, and then "Create disk image" from the menu). Can also reproduce when trying to write to the disk with the Fedora Media Writer.
My system:
[kabisala@fedora ~]$ matchpathcon /dev/mmcblk0
/dev/mmcblk0 system_u:object_r:removable_device_t:s0
[kabisala@fedora ~]$ rpm -qa selinux-policy
selinux-policy-38.22-1.fc38.noarch
[kabisala@fedora ~]$ semodule -DB
[kabisala@fedora ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(08/19/2023 11:47:53.140:964) : avc: denied { noatsecure } for pid=99562 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:965) : avc: denied { rlimitinh } for pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:966) : avc: denied { siginh } for pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.166:967) : avc: denied { noatsecure } for pid=99571 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.167:968) : avc: denied { rlimitinh } for pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.167:969) : avc: denied { siginh } for pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.387:970) : avc: denied { noatsecure } for pid=99580 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.387:971) : avc: denied { rlimitinh } for pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.387:972) : avc: denied { siginh } for pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:973) : avc: denied { noatsecure } for pid=99583 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:974) : avc: denied { rlimitinh } for pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:975) : avc: denied { siginh } for pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc: denied { read } for pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.452:979) : avc: denied { noatsecure } for pid=99595 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.453:980) : avc: denied { rlimitinh } for pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.453:981) : avc: denied { siginh } for pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.499:983) : avc: denied { noatsecure } for pid=99598 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.499:984) : avc: denied { rlimitinh } for pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.499:985) : avc: denied { siginh } for pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.538:986) : avc: denied { noatsecure } for pid=99601 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.538:987) : avc: denied { rlimitinh } for pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.538:988) : avc: denied { siginh } for pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.562:989) : avc: denied { noatsecure } for pid=99604 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.562:990) : avc: denied { rlimitinh } for pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.562:991) : avc: denied { siginh } for pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.583:992) : avc: denied { noatsecure } for pid=99607 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.583:993) : avc: denied { rlimitinh } for pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.583:994) : avc: denied { siginh } for pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.620:995) : avc: denied { noatsecure } for pid=99610 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.620:996) : avc: denied { rlimitinh } for pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.620:997) : avc: denied { siginh } for pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.644:998) : avc: denied { noatsecure } for pid=99613 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.645:999) : avc: denied { rlimitinh } for pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.645:1000) : avc: denied { siginh } for pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:58.386:1001) : avc: denied { noatsecure } for pid=99621 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1002) : avc: denied { rlimitinh } for pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1003) : avc: denied { siginh } for pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
Can also confirm that `chcon -t fixed_disk_device_t /dev/mmcblk0` solves the issue without the need of disabling selinux

I'm not an expert (or a beginner really) on selinux policies at all, so I might be completely off. Documenting what I found so far, will see if I manage to find some time to investigate further.
I believe the policy that is supposed to give the read/write permission is configured here (https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.te#L118C1-L118C38).
The interface (?) itself, in contrast with its name, consists of a single dontaudit rule https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.if#L866 instead of allow rules (compare it with storage_rw_inherited_fixed_disk_dev).

(In reply to Kabir from comment #38)
> I'm not an expert (or a beginner really) on selinux policies at all, so I
> might be completely off. Documenting what I found so far, will see if I
> manage to find some time to investigate further.
>
> I believe the policy that is supposed to give the read/write permission is
> configured here
> (https://github.com/fedora-selinux/selinux-policy/blob/
> 77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.
> te#L118C1-L118C38).
>
> The interface (?) itself, in contrast with its name, consists of a single
> dontaudit rule
> https://github.com/fedora-selinux/selinux-policy/blob/
> 77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.
> if#L866 instead of allow rules (compare it with
> storage_rw_inherited_fixed_disk_dev).
Thank you for the interesting findings, indeed the interface name does not match the content.

This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.

Fedora Linux 37 entered end-of-life (EOL) status on None. Fedora Linux 37 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version.
Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.

Hello, This issue exists in Fedora 39. Is it possible to reopen this issue, or do I have to open a new ticket about it? The steps in the workaround https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 (change selinux context for device mmcblk0 to "fixed_disk_device_t") are currently valid. Thanks.
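
Once dontaudit rules are disabled with `semodule -DB`, as requested in the thread, the one denial on the SD card node is buried among dozens of `noatsecure`/`rlimitinh`/`siginh` records. The following is an added example, not part of the bug report or of any Fedora tool: it parses `ausearch -i` output and separates that transition noise from the denials worth reading. All function names are hypothetical, and the sample input is a handful of records copied from the comments above.

```python
import re
from collections import Counter

# process-class permissions checked on domain transitions. Policy normally
# hides them behind dontaudit rules, so they flood the log after `semodule -DB`.
TRANSITION_NOISE = {"noatsecure", "rlimitinh", "siginh"}
DEVICE_CLASSES = {"blk_file", "chr_file"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: records copied from the comments in this thread (ausearch -i format).
SAMPLE = """\
----
type=AVC msg=audit(09/08/2021 12:51:50.325:231) : avc: denied { read } for pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:973) : avc: denied { noatsecure } for pid=99583 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:974) : avc: denied { rlimitinh } for pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:975) : avc: denied { siginh } for pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc: denied { read } for pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.452:979) : avc: denied { noatsecure } for pid=99595 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
"""


def _type_of(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(text):
    """Parse denied AVC records (one per line); incomplete lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        source = _type_of(fields.get("scontext", ""))
        target = _type_of(fields.get("tcontext", ""))
        if not (source and target and "tclass" in fields):
            continue
        records.append({
            "perms": m.group(1).split(), "comm": fields.get("comm"),
            "path": fields.get("path"), "source": source, "target": target,
            "tclass": fields["tclass"],
        })
    return records


def triage(records):
    """Split records into a Counter of transition noise and a list of the rest."""
    noise, relevant = Counter(), []
    for r in records:
        if r["tclass"] == "process" and set(r["perms"]) <= TRANSITION_NOISE:
            for perm in r["perms"]:
                noise[(r["source"], r["target"], perm)] += 1
        else:
            relevant.append(r)
    return noise, relevant


def device_denials(records):
    """Keep only denials whose target is a block or character device node."""
    return [r for r in records if r["tclass"] in DEVICE_CLASSES]


def describe(r):
    return "{source} -> {target}:{tclass} {{ {p} }} comm={comm} path={path}".format(
        p=" ".join(r["perms"]), **r)


if __name__ == "__main__":
    noise, relevant = triage(parse_avc(SAMPLE))
    print("suppressed transition noise:", sum(noise.values()), "records")
    for rec in device_denials(relevant):
        print("device denial:", describe(rec))
```

On a live system the same functions can be fed the text captured from the `ausearch` command quoted in the thread instead of `SAMPLE`.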