Bug 1625285

Summary: boltctl commands goes to timeout with SELinux enforcing mode
Product: [Fedora] Fedora
Reporter: Martin Hoyer <mhoyer>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 28
CC: dwalsh, kparal, lvrabec, matt.fagnani, mgrepl, mhoyer, pasik, plautrba, pmoore, swa
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.14.1-42.fc28
Last Closed: 2018-09-11 16:56:40 UTC
Type: Bug
Attachments:
Description: ausearch -m USER_AVC -ts recent; Flags: none

Description Martin Hoyer 2018-09-04 14:48:13 UTC
Description of problem:
Fresh install F28, tried to connect Thinkpad Thunderbolt3 dock, was not able to authorize the device in gnome or boltctl.
Tried as a user, sudoer and root.

With setenforce 0, all works well.

journalctl:
Sep 04 16:41:20 localhost.localdomain audit[4075]: CRED_DISP pid=4075 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root>
Sep 04 16:41:20 localhost.localdomain audit[4075]: USER_END pid=4075 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pa>
Sep 04 16:41:20 localhost.localdomain sudo[4075]: pam_unix(sudo:session): session closed for user root
Sep 04 16:40:55 localhost.localdomain audit[1039]: USER_AVC pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method>
                                                    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 04 16:40:55 localhost.localdomain audit[1039]: USER_AVC pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method>
                                                    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Version-Release number of selected component (if applicable):
4.17.19-200.fc28.x86_64
bolt-0.4-1.fc28.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Try to authorize a tb3 dock

Actual results:
timeout

Expected results:
authorization successful

Comment 1 Lukas Vrabec 2018-09-04 16:32:08 UTC
Hi, 

Could you please reproduce your issue and attach output of:

# ausearch -m USER_AVC -ts recent 

Thanks,
Lukas.

Comment 2 Martin Hoyer 2018-09-05 10:42:58 UTC
Created attachment 1481057
ausearch -m USER_AVC -ts recent
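
Added example (not part of the bug report or of the selinux-policy project): the journal lines in the description are cut off at `>`, before the scontext, tcontext and tclass fields that identify which policy rule is missing, which is what full `ausearch -m USER_AVC` output supplies. This Python script separates complete from truncated USER_AVC denials and tallies the complete ones by source type, target type, class and permission; the sample records, `example_client_t`, `example_service_t` and the `org.example.*` names are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample input (not the bug's attachment). The first two records
# mimic full ausearch output; the last mimics a journal line cut off at ">".
SAMPLE = """\
type=USER_AVC msg=audit(1536072055.101:301): pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.example.Manager member=Authorize dest=org.example.Service spid=4100 tpid=900 scontext=unconfined_u:unconfined_r:example_client_t:s0 tcontext=system_u:system_r:example_service_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1536072055.202:302): pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.example.Manager member=List dest=org.example.Service spid=4101 tpid=900 scontext=unconfined_u:unconfined_r:example_client_t:s0 tcontext=system_u:system_r:example_service_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 04 16:40:55 host audit[1039]: USER_AVC pid=1039 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method>
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD = re.compile(r"\b(scontext|tcontext|tclass|msgtype|permissive)=(\S+)")


def parse_user_avc(text):
    """Return (complete, truncated) USER_AVC denials found in text."""
    complete, truncated = [], []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if "USER_AVC" not in line or not m:
            continue
        rec = dict(FIELD.findall(line))
        rec["perms"] = m.group("perms").split()
        # Without both contexts and the class, the denial cannot be tied to a rule.
        if {"scontext", "tcontext", "tclass"} <= rec.keys():
            complete.append(rec)
        else:
            truncated.append(line)
    return complete, truncated


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        stype = r["scontext"].split(":")[2]  # user:role:type:level
        ttype = r["tcontext"].split(":")[2]
        for perm in r["perms"]:
            counts[(stype, ttype, r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    complete, truncated = parse_user_avc(SAMPLE)
    for (stype, ttype, tclass, perm), n in summarize(complete).items():
        print(f"{n}x {stype} -> {ttype} : {tclass} {{ {perm} }}")
    print(f"{len(truncated)} truncated record(s): re-collect with ausearch")
```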

Comment 3 Fedora Update System 2018-09-06 21:57:43 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 4 Lukas Vrabec 2018-09-06 22:03:09 UTC
*** Bug 1625786 has been marked as a duplicate of this bug. ***

Comment 5 Martin Hoyer 2018-09-07 08:42:56 UTC
Works well with selinux-policy-3.14.1-42.fc28. Thanks!

Comment 6 Fedora Update System 2018-09-07 17:13:10 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 7 Fedora Update System 2018-09-11 16:56:40 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Kamil Páral 2018-09-12 08:55:17 UTC
Confirmed fixed with selinux-policy-3.14.2-32.fc29.noarch

Comment 9 Sebastien Wains 2018-10-13 10:28:54 UTC
Just installed F29 on my Thinkpad T480s and Thunderbolt 3 docking station.

bolt service is not starting unless SELinux is in permissive mode. 

Name        : selinux-policy
Version     : 3.14.2
Release     : 36.fc29

Comment 10 Sebastien Wains 2018-10-13 10:36:29 UTC
Disregard my previous comment, I wasn't fully updated.

Fixed with:

Name        : selinux-policy
Version     : 3.14.2
Release     : 37.fc29