Bug 1632230

Summary: New denials for bolt 0.5
Product: Fedora
Reporter: Christian Kellner <ckellner>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: alciregi, ardillon.42, awilliam, bitwalk, bojan, chrissharp123, dwalsh, fedora, info, jorti, lray+redhatbugzilla, luya, lvrabec, matt.fagnani, mgrepl, michael.scheiffler, mikhail.v.gavrilov, nicolas.mailhot, plautrba, robimarko, samuel-rhbugs, sanjay.ankur, sgallagh, sumitkbhardwaj, szabobogdan, tpopela, trever, truls
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-9.fc30
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-15 20:30:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
- ausearch -m avc --comm boltd (none)
- sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today showing denials of boltd actions with fwupd, power, tmpfs (none)

Description Christian Kellner 2018-09-24 12:12:19 UTC
Created attachment 1486385 [details]
ausearch -m avc --comm boltd

bolt 0.5 wants to create a directory /var/run/boltd/power (/var/run/boltd itself should be created by systemd), read and write files there, and also remove that directory again.

Comment 1 Lukas Vrabec 2018-09-26 11:30:21 UTC
*** Bug 1632991 has been marked as a duplicate of this bug. ***

Comment 2 Alessio 2018-09-27 15:04:14 UTC
Description of problem:
After the latest dnf update with updates-testing repo enabled

Version-Release number of selected component:
selinux-policy-3.14.1-42.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.9-200.fc28.x86_64
type:           libreport

Comment 3 Sumit Bhardwaj 2018-09-29 09:38:43 UTC
Description of problem:
Just booting up the system and logging into gnome shell gave this warning via setroubleshoot.

Version-Release number of selected component:
selinux-policy-3.14.2-35.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.9-300.fc29.x86_64
type:           libreport

Comment 4 Matt Fagnani 2018-09-30 19:02:47 UTC
I saw the denial of send_msg between boltd and fwupd on dbus when logging into GNOME twice. The audit message of that denial was

type=USER_AVC msg=audit(1538327984.836:253): pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I'll attach the output of sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today which included three other denials also in the attachment by Christian Kellner. I'm using the targeted policy 3.14.1-42 in enforcing mode. The journal messages involved showed that fwupd failed to coldplug thunderbolt_power after that denial.

Sep 30 13:19:44 dimension dbus-daemon[716]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.72' (uid=1000 pid=1696 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Sep 30 13:19:44 dimension systemd[1]: Starting Firmware update daemon...
Sep 30 13:19:44 dimension fwupd[1970]: disabling plugin because: failed to coldplug amt: Unable to find a ME interface
Sep 30 13:19:44 dimension audit[716]: USER_AVC pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1
                                       exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 30 13:19:44 dimension audispd[677]: node=dimension type=USER_AVC msg=audit(1538327984.836:253): pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 30 13:19:44 dimension fwupd[1970]: disabling plugin because: failed to coldplug thunderbolt_power: No support for force power via kernel or bolt
Sep 30 13:19:44 dimension fwupd[1970]: using plugins: unifying, dfu, csr, steelseries, wacomhid, ebitdo, nitrokey, colorhug, thunderbolt, altos, upower, udev
Sep 30 13:19:44 dimension fwupd[1970]: Daemon ready for requests
Sep 30 13:19:45 dimension dbus-daemon[716]: [system] Successfully activated service 'org.freedesktop.fwupd'

The package versions were:
bolt-0:0.5-1.fc28.i686
dbus-1:1.12.10-1.fc28.i686
fwupd-0:1.0.9-1.fc28.i686
gnome-shell-0:3.28.3-1.fc28.i686
selinux-policy-targeted-0:3.14.1-42.fc28.noarch

Comment 5 Matt Fagnani 2018-09-30 19:07:33 UTC
Created attachment 1488679 [details]
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today showing denials of boltd actions with fwupd, power, tmpfs

Comment 6 Keiichi Takahashi 2018-10-01 04:36:34 UTC
Description of problem:
Just after logging in to my account, this warning is always reported.

Version-Release number of selected component:
selinux-policy-3.14.2-35.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.10-300.fc29.x86_64
type:           libreport

Comment 7 Truls Gulbrandsen 2018-10-01 07:34:27 UTC
Description of problem:
The error message occurs when I enter Settings.

Version-Release number of selected component:
selinux-policy-3.14.2-35.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.10-300.fc29.x86_64
type:           libreport

Comment 8 Adam Williamson 2018-10-02 21:44:07 UTC
Description of problem:
This seems to occur on boot of Fedora 29 with all recent updates. The AVC does show 'permissive=1'.

Version-Release number of selected component:
selinux-policy-3.14.2-35.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.11-300.fc29.x86_64
type:           libreport

Comment 9 Christian Kellner 2018-10-04 13:13:10 UTC
*** Bug 1635385 has been marked as a duplicate of this bug. ***

Comment 10 info 2018-10-07 23:41:33 UTC
Description of problem:
SELinux is preventing boltd from create access on the directory power.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boltd should be allowed create access on the power directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boltd' --raw | audit2allow -M mi-boltd
# semodule -X 300 -i mi-boltd.pp

Additional Information:
Source Context                system_u:system_r:boltd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                power [ dir ]
Source                        boltd
Source Path                   boltd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-35.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)

Version-Release number of selected component:
selinux-policy-3.14.2-35.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.11-301.fc29.x86_64
type:           libreport
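
Added example for this report (not code from bolt, fwupd, selinux-policy or any commenter): a small Python parser for AVC and USER_AVC audit records of the kind quoted in comment 4. It groups denials by (source type, target type, object class) the way the audit2allow step in comment 10 does, and separately records whether each denial carried permissive=1, i.e. was only logged and not blocked, which is the detail Adam Williamson points out in comment 8. The first sample record is the USER_AVC line quoted in comment 4; the remaining records are constructed with illustrative values, and the function and constant names are mine.

```python
"""Parse SELinux AVC / USER_AVC audit records and summarise denials.

Added example for bug 1632230; not part of bolt, fwupd or selinux-policy.
"""
import re

# Sample records. The first is the USER_AVC quoted in comment 4; the others
# are constructed to resemble the boltd /var/run/boltd/power denials the
# report describes (illustrative values, not taken from the attachments).
SAMPLE_RECORDS = [
    "type=USER_AVC msg=audit(1538327984.836:253): pid=716 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.81 spid=1436 "
    "tpid=1970 scontext=system_u:system_r:boltd_t:s0 "
    "tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    # constructed: boltd creating the power directory, logged only
    "type=AVC msg=audit(1538327990.000:260): avc:  denied  { create } for  pid=1436 "
    "comm=\"boltd\" name=\"power\" scontext=system_u:system_r:boltd_t:s0 "
    "tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1",
    # constructed: a file write in the same place with permissive=0 (blocked)
    "type=AVC msg=audit(1538327991.000:261): avc:  denied  { write } for  pid=1436 "
    "comm=\"boltd\" name=\"state\" scontext=system_u:system_r:boltd_t:s0 "
    "tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0",
    # constructed: a record with no AVC payload, which the parser must skip
    "type=SYSCALL msg=audit(1538327990.000:260): arch=c000003e syscall=83 success=yes",
]

# "avc:  denied  { perm1 perm2 } for key=value ..." (also inside msg='...')
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<tail>.*)"
)
# key=value pairs; quoted values may contain spaces, unquoted ones stop at
# whitespace or the closing quote of a USER_AVC msg='...' wrapper
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")
TYPE_RE = re.compile(r"^type=(\w+)")


def type_of(context):
    """Return the type field (third component) of an SELinux context."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else "?"


def parse_avc(record):
    """Parse one audit record into a dict, or return None if it has no AVC."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    tail = {k: v.strip('"') for k, v in KV_RE.findall(m.group("tail"))}
    t = TYPE_RE.match(record)
    return {
        "type": t.group(1) if t else "?",
        "decision": m.group("decision"),
        "perms": sorted(m.group("perms").split()),
        "scontext": tail.get("scontext"),
        "tcontext": tail.get("tcontext"),
        "tclass": tail.get("tclass"),
        # permissive=1 means the kernel logged the access but did not block it
        "enforced": tail.get("permissive") == "0",
        "target": tail.get("name") or tail.get("dest"),
        "comm": tail.get("comm") or tail.get("exe"),
    }


def summarize(records):
    """Group denials by (source type, target type, class); union the
    permissions and remember whether any instance was actually enforced."""
    summary = {}
    for rec in records:
        p = parse_avc(rec)
        if p is None or p["decision"] != "denied":
            continue
        key = (type_of(p["scontext"]), type_of(p["tcontext"]), p["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "enforced": False, "count": 0})
        entry["perms"].update(p["perms"])
        entry["enforced"] = entry["enforced"] or p["enforced"]
        entry["count"] += 1
    return summary


def suggest_rules(summary):
    """Render audit2allow-style allow rules, marking those never enforced."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        note = "" if entry["enforced"] else "  # logged only (permissive=1)"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};{note}")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(summarize(SAMPLE_RECORDS)):
        print(rule)
```

Feed it the raw output of `ausearch -m AVC,USER_AVC --raw` one record per line. A rule whose target type is a generic one such as var_run_t is a hint to look for a missing file context or policy interface before loading a local module: an `allow boltd_t var_run_t:dir create;` rule grants that access on every var_run_t directory, not only on /var/run/boltd/power.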