Bug 1414539

Summary: gnome-disks: SD card break the utility
Product: [Fedora] Fedora
Reporter: Michal Schorm <mschorm>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: ASSIGNED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 39
CC: 3wcq6pxz, amigadave, arnis.jaundzeikars, bugzilla.redhat.com, daltonminer, dwalsh, fedora, glesage, gnikandrov+fedora, grepl.miroslav, joost, leif.middelschulte, lvrabec, mmalik, ngompa13, nikperrakis, omosnace, plautrba, redhat.c2zyt, seb, stanley_chris, starsareblueandfaraway, thaytan, tommy, V02460, vmojzis, zeeshanak, zpytela
Keywords: Reopened
Hardware: x86_64
OS: Linux
Last Closed: 2023-12-05 20:58:14 UTC
Type: Bug
Attachments: screen of app window after the error (flags: none)

Description Michal Schorm 2017-01-18 19:11:28 UTC
Created attachment 1242270
screen of app window after the error

Usage:

# gnome-disks
 (opens GUI of the application)
> select devices > SD card
 (click in the left column)
> restore from disk image OR create image
 (right top corner, applies for whole device instead of partition)
> choose image, run recovery, ok, provide root password


Error:
Error while .... (selected operation)
Message recipient disconnected from message bus without replying (g-dbus-error-quark, 4)

Then the window goes grey (see attachment).
The only resolution is to restart the utility.

Reproducible: always

Comment 1 George Nikandrov 2017-04-23 04:36:39 UTC
Same here, although I discovered it in an attempt to benchmark my SD card.

Comment 2 ojab 2017-05-09 13:31:58 UTC
Same here, but with eMMC.

Comment 3 Fedora End Of Life 2017-11-16 18:52:09 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 4 ojab 2017-11-16 19:05:48 UTC
Still happens on Fedora 27 here.

Comment 5 ojab 2017-11-16 19:07:44 UTC
Oops, actually it works!
But segfaults if run on disk ChromeOS partitions, but that's another story.

Comment 6 Michal Schorm 2017-11-19 14:21:47 UTC
It is still an issue.
A week ago, I tried it again on F27. Exactly the same result.

I gave up on 'gnome-disks' with SD cards. Using pure 'dd' for such purposes now.

Comment 7 Jan Schmidt 2017-12-08 05:11:13 UTC
I'm encountering this problem still on F27 too. When asked to do some tasks (like Benchmarking), udisksd exits with SIGTERM. I can't see what's wrong, but it works if I do setenforce 0, so it's something related to selinux policies.

Comment 8 Martin Korbel 2017-12-16 18:07:48 UTC
I can confirm this problem on F27 as well. No AVC in audit.log, but disabling of selinux helps as Jan said.

Comment 9 Garrett LeSage 2018-03-29 13:07:57 UTC
This is still an issue in Fedora 28 (pre-)beta.

Also confirmed: Running 'sudo setenforce 0' and restarting gnome-disks is a workaround to make "restoring" an image to an SD card work. (This is necessary when imaging a disk image to an SD or microSD card for ARM devices.)

As setting SELinux to permissive is a workaround, it appears to be an SELinux policy problem.

Comment 10 Michal Schorm 2018-03-29 14:16:09 UTC
Maintainers, can we get some quick response, please?
It has been a year ...

Comment 11 Tomas Popela 2018-03-29 18:57:50 UTC
I really don't know what info I should provide as I'm not gnome-disk's maintainer.

Comment 12 seb 2018-06-27 17:15:53 UTC
Same problem here with Fedora 28.

Setting SELinux to permissive stops the problem.

Comment 13 Ben Cotton 2018-11-27 14:14:03 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 14 Ben Cotton 2018-11-30 23:01:14 UTC
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 15 Joost van der Sluis 2019-09-08 20:39:55 UTC
Still happens on version 29

Comment 16 Arnis Jaundzeikars 2019-10-13 16:31:06 UTC
Still happens on Fedora 30.

Comment 17 Ben Cotton 2019-10-31 18:46:20 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 Ben Cotton 2020-04-30 20:47:40 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 19 maic 2020-05-01 18:15:02 UTC
Still happens on fedora 32

$ sudo setenforce permissive

is a workaround

Comment 20 Ben Cotton 2020-05-26 14:37:45 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 21 maic 2020-06-07 00:55:18 UTC
This bug still exists (see my last comment)

Comment 22 Ben Cotton 2020-06-15 14:59:56 UTC
Reopening and updating the version field per comment #19

Comment 23 leif.middelschulte 2020-09-15 14:57:57 UTC
To make the devices accessible again, after running into the error described above, execute:

# systemctl restart udisks2


The following command is a workaround for people who do not want to disable SELinux altogether, yet want to use `gnome-disks` on MMC block devices (i.e. `/dev/mmcblk0`):
1. Insert MMC into drive.
2. Execute:
# chcon -t fixed_disk_device_t /dev/mmcblk0
3. Open gnome-disks to write an image to /dev/mmcblk0

AFAICT a proper fix should go into SELinux policies.

Comment 24 Tommy 2021-04-25 17:09:28 UTC
This is still an issue on Fedora 34

Comment 25 Neal Gompa 2021-04-26 14:53:12 UTC
This seems like an SELinux policy issue, changing component and updating to track for F34, since it's still an issue.

Comment 26 Zdenek Pytela 2021-04-26 16:27:37 UTC
Neal,

Will you be able to gather all denials with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 27 Chris Stanley 2021-09-08 19:03:10 UTC
@Zdenek,

I've been encountering the same scenario today on F34

Here's what I gathered:

[root@Cordelia chris]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@Cordelia chris]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(09/08/2021 12:51:50.325:231) : avc:  denied  { read } for  pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 
----
type=AVC msg=audit(09/08/2021 12:51:50.325:232) : avc:  denied  { read } for  pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

Comment 28 Ben Cotton 2022-05-12 16:49:03 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 29 Ben Cotton 2022-06-08 06:19:59 UTC
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07.

Fedora Linux 34 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 30 Nikolaos Perrakis 2022-12-11 14:33:42 UTC
Have faced this issue in Fedora 36 Silverblue recently.
Hot Fix mentioned at
https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23
worked

Comment 31 Dalton Miner 2023-01-31 21:46:27 UTC
I can still reproduce this on Fedora 37 Workstation. Applying the fixed_disk_device_t label as suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 does temporarily fix this for me. I can provide additional details as requested.

Comment 32 Zdenek Pytela 2023-05-02 15:15:56 UTC
Dalton,

Can you provide some more data?

rpm -qa selinux-policy
matchpathcon /dev/mmcblk*
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

The key permissions were added in selinux-policy-37.9-1

Comment 33 Dalton Miner 2023-05-02 23:41:13 UTC
Sure Zdenek, here's what I have:

dminer $ rpm -qa selinux-policy
selinux-policy-37.19-1.fc37.noarch
~ 
dminer $ matchpathcon /dev/mmcblk*
/dev/mmcblk0	system_u:object_r:removable_device_t:s0
~ 
dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

I can confirm that I can still reproduce the bug described in the ticket as of today. I'm also using the auditd settings that you suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.

Comment 34 Zdenek Pytela 2023-05-04 14:53:07 UTC
(In reply to Dalton Miner from comment #33)
> dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts
> today
> <no matches>
> 
> I can confirm that I can still reproduce the bug described in the ticket as
> of today. I'm also using the auditd settings that you suggested in
> https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.

These two seem to be contradictory to me, please show the AVC denials using current selinux-policy.
I cannot see any problem with your settings.

Comment 35 starsareblueandfaraway 2023-05-26 23:32:51 UTC
This bug still exists in fc38.

$ rpm -qa selinux-policy
selinux-policy-38.12-1.fc38.noarch

$ matchpathcon /dev/mmcblk*
/dev/mmcblk0	system_u:object_r:removable_device_t:s0

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

Workaround was to use `setenforce 0`.

Comment 36 Zdenek Pytela 2023-05-29 10:15:23 UTC
Do I read it correctly that there are no AVC denials audited, nor are they in the journal, but setenforce 0 makes the scenario work?

In that case, can you temporarily enable dontaudit rules?

semodule -DB
<reproduce>
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
semodule -B

Comment 37 Kabir 2023-08-19 11:01:29 UTC
Can reproduce in Fedora Silverblue 38. Steps are slightly different due to the change in UI (now: open gnome disks, select the SD card from the sidebar, and then "Create disk image" from the menu). Can also reproduce when trying to write to the disk with the Fedora Media Writer.

My system:
[kabisala@fedora ~]$ matchpathcon /dev/mmcblk0
/dev/mmcblk0	system_u:object_r:removable_device_t:s0


[kabisala@fedora ~]$ rpm -qa selinux-policy
selinux-policy-38.22-1.fc38.noarch

[kabisala@fedora ~]$ semodule -DB
[kabisala@fedora ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(08/19/2023 11:47:53.140:964) : avc:  denied  { noatsecure } for  pid=99562 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.141:965) : avc:  denied  { rlimitinh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.141:966) : avc:  denied  { siginh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.166:967) : avc:  denied  { noatsecure } for  pid=99571 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.167:968) : avc:  denied  { rlimitinh } for  pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.167:969) : avc:  denied  { siginh } for  pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.387:970) : avc:  denied  { noatsecure } for  pid=99580 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.387:971) : avc:  denied  { rlimitinh } for  pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.387:972) : avc:  denied  { siginh } for  pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.415:973) : avc:  denied  { noatsecure } for  pid=99583 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.415:974) : avc:  denied  { rlimitinh } for  pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.415:975) : avc:  denied  { siginh } for  pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc:  denied  { read } for  pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.452:979) : avc:  denied  { noatsecure } for  pid=99595 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.453:980) : avc:  denied  { rlimitinh } for  pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.453:981) : avc:  denied  { siginh } for  pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.499:983) : avc:  denied  { noatsecure } for  pid=99598 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.499:984) : avc:  denied  { rlimitinh } for  pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.499:985) : avc:  denied  { siginh } for  pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.538:986) : avc:  denied  { noatsecure } for  pid=99601 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.538:987) : avc:  denied  { rlimitinh } for  pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.538:988) : avc:  denied  { siginh } for  pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.562:989) : avc:  denied  { noatsecure } for  pid=99604 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.562:990) : avc:  denied  { rlimitinh } for  pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.562:991) : avc:  denied  { siginh } for  pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.583:992) : avc:  denied  { noatsecure } for  pid=99607 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.583:993) : avc:  denied  { rlimitinh } for  pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.583:994) : avc:  denied  { siginh } for  pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.620:995) : avc:  denied  { noatsecure } for  pid=99610 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.620:996) : avc:  denied  { rlimitinh } for  pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.620:997) : avc:  denied  { siginh } for  pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.644:998) : avc:  denied  { noatsecure } for  pid=99613 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.645:999) : avc:  denied  { rlimitinh } for  pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.645:1000) : avc:  denied  { siginh } for  pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:58.386:1001) : avc:  denied  { noatsecure } for  pid=99621 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1002) : avc:  denied  { rlimitinh } for  pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1003) : avc:  denied  { siginh } for  pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 


Can also confirm that `chcon -t fixed_disk_device_t /dev/mmcblk0` solves the issue without the need of disabling selinux
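
Added example (not part of the comment above, nor code from the selinux-policy project): a small Python triage script for `ausearch -i` output like the listing above. It groups denials by source type, target type, class and permission, and picks out the ones that hit device nodes; the sample records are copied from comments 27 and 37 of this thread, and the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: five records copied from the ausearch -i output in this thread.
SAMPLE = """\
----
type=AVC msg=audit(09/08/2021 12:51:50.325:231) : avc:  denied  { read } for  pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.140:964) : avc:  denied  { noatsecure } for  pid=99562 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:965) : avc:  denied  { rlimitinh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:966) : avc:  denied  { siginh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc:  denied  { read } for  pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
"""

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
# Values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes that denote device nodes.
DEVICE_CLASSES = {"blk_file", "chr_file"}


def parse_avc(text):
    """Return one dict per AVC denial found in ausearch -i output."""
    records = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # separators ("----") and non-AVC records
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing to classify
        fields["perms"] = match.group(1).split()
        # A context is user:role:type:level; the level may itself contain ':'.
        fields["source_type"] = fields["scontext"].split(":")[2]
        fields["target_type"] = fields["tcontext"].split(":")[2]
        records.append(fields)
    return records


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
            counts[key] += 1
    return counts


def device_denials(records):
    """Keep only denials whose target is a block or character device node."""
    return [rec for rec in records if rec["tclass"] in DEVICE_CLASSES]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    for key, count in summarize(recs).most_common():
        print(count, *key)
    # noatsecure/rlimitinh/siginh on class "process" are commonly covered by
    # dontaudit rules and show up once `semodule -DB` is in effect; the
    # device-node filter separates them from the denial on the card itself.
    for rec in device_denials(recs):
        print("device:", rec["comm"], rec.get("path"),
              rec["source_type"], "->", rec["target_type"], rec["perms"])
```

On the sample, the only device-node denial is `dbus-broker` (`system_dbusd_t`) reading `/dev/mmcblk0` labelled `removable_device_t`.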

Comment 38 Kabir 2023-08-19 18:32:23 UTC
I'm not an expert (or a beginner really) on selinux policies at all, so I might be completely off. Documenting what I found so far, will see if I manage to find some time to investigate further.

I believe the policy that is supposed to give the read/write permission is configured here (https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.te#L118C1-L118C38).  

The interface (?) itself, in contrast with its name, consists of a single dontaudit rule https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.if#L866 instead of allow rules (compare it with storage_rw_inherited_fixed_disk_dev).

Comment 39 Zdenek Pytela 2023-08-23 09:11:57 UTC
(In reply to Kabir from comment #38)
> I'm not an expert (or a beginner really) on selinux policies at all, so I
> might be completely off. Documenting what I found so far, will see if I
> manage to find some time to investigate further.
> 
> I believe the policy that is supposed to give the read/write permission is
> configured here
> (https://github.com/fedora-selinux/selinux-policy/blob/
> 77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.
> te#L118C1-L118C38).  
> 
> The interface (?) itself, in contrast with its name, consists of a single
> dontaudit rule
> https://github.com/fedora-selinux/selinux-policy/blob/
> 77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.
> if#L866 instead of allow rules (compare it with
> storage_rw_inherited_fixed_disk_dev).

Thank you for the interesting findings, indeed the interface name does not match the content.

Comment 40 Aoife Moloney 2023-11-23 00:01:26 UTC
This message is a reminder that Fedora Linux 37 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 37 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 41 Aoife Moloney 2023-12-05 20:58:14 UTC
Fedora Linux 37 entered end-of-life (EOL) status on None.

Fedora Linux 37 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 42 Allan 2024-04-23 12:14:54 UTC
Hello,

This issue exists in Fedora 39. Is it possible to reopen this issue, or do I have to open a new ticket about it?
The steps in the workaround https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 (change selinux context for device mmcblk0 to "fixed_disk_device_t") are currently valid.

Thanks.