Bug 1632230
Summary: | New denials for bolt 0.5
---|---
Product: | [Fedora] Fedora
Reporter: | Christian Kellner <ckellner>
Component: | selinux-policy
Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED CURRENTRELEASE
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified
Priority: | unspecified
Version: | rawhide
CC: | alciregi, ardillon.42, awilliam, bitwalk, bojan, chrissharp123, dwalsh, fedora, info, jorti, lray+redhatbugzilla, luya, lvrabec, matt.fagnani, mgrepl, michael.scheiffler, mikhail.v.gavrilov, nicolas.mailhot, plautrba, robimarko, samuel-rhbugs, sanjay.ankur, sgallagh, sumitkbhardwaj, szabobogdan, tpopela, trever, truls
Target Milestone: | ---
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | selinux-policy-3.14.3-9.fc30
Doc Type: | If docs needed, set a value
Story Points: | ---
Last Closed: | 2018-10-15 20:30:30 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---
*** Bug 1632991 has been marked as a duplicate of this bug. ***

Description of problem: After the latest dnf update with updates-testing repo enabled
Version-Release number of selected component: selinux-policy-3.14.1-42.fc28.noarch
Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.9-200.fc28.x86_64 type: libreport

Description of problem: Just booting up the system and logging into gnome shell gave this warning via setroubleshoot.
Version-Release number of selected component: selinux-policy-3.14.2-35.fc29.noarch
Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.9-300.fc29.x86_64 type: libreport

I saw the denial of send_msg between boltd and fwupd on dbus when logging into GNOME twice. The audit message of that denial was

```
type=USER_AVC msg=audit(1538327984.836:253): pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

I'll attach the output of sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today which included three other denials also in the attachment by Christian Kellner. I'm using the targeted policy 3.14.1-42 in enforcing mode. The journal messages involved showed that fwupd failed to coldplug thunderbolt_power after that denial.

```
Sep 30 13:19:44 dimension dbus-daemon[716]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.72' (uid=1000 pid=1696 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Sep 30 13:19:44 dimension systemd[1]: Starting Firmware update daemon...
Sep 30 13:19:44 dimension fwupd[1970]: disabling plugin because: failed to coldplug amt: Unable to find a ME interface
Sep 30 13:19:44 dimension audit[716]: USER_AVC pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 30 13:19:44 dimension audispd[677]: node=dimension type=USER_AVC msg=audit(1538327984.836:253): pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 30 13:19:44 dimension fwupd[1970]: disabling plugin because: failed to coldplug thunderbolt_power: No support for force power via kernel or bolt
Sep 30 13:19:44 dimension fwupd[1970]: using plugins: unifying, dfu, csr, steelseries, wacomhid, ebitdo, nitrokey, colorhug, thunderbolt, altos, upower, udev
Sep 30 13:19:44 dimension fwupd[1970]: Daemon ready for requests
Sep 30 13:19:45 dimension dbus-daemon[716]: [system] Successfully activated service 'org.freedesktop.fwupd'
```

The package versions were:

```
bolt-0:0.5-1.fc28.i686
dbus-1:1.12.10-1.fc28.i686
fwupd-0:1.0.9-1.fc28.i686
gnome-shell-0:3.28.3-1.fc28.i686
selinux-policy-targeted-0:3.14.1-42.fc28.noarch
```

Created attachment 1488679 [details]
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today showing denials of boltd actions with fwupd, power, tmpfs
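Before anyone pipes records like the ones above into audit2allow, it helps to parse them and see which domain, object class and permission each denial names, and whether it was logged under permissive=1 (not actually blocked). The parser below is an added example, not part of this bug report or of bolt/selinux-policy; its input is the USER_AVC line quoted above plus a kernel AVC line constructed here to match the setroubleshoot report for the /var/run/boltd/power directory.

```python
import re

# Constructed input for this example: the USER_AVC record quoted in this bug
# (dbus send_msg between boltd_t and fwupd_t, logged in permissive mode) plus a
# kernel AVC line built here to match the setroubleshoot report for the
# /var/run/boltd/power directory (constructed, not copied from the page).
SAMPLE_AUDIT = """\
----
type=USER_AVC msg=audit(1538327984.836:253): pid=716 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.81 spid=1436 tpid=1970 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
type=AVC msg=audit(1538327990.000:260): avc: denied { create } for pid=1436 comm="boltd" name="power" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
"""

TYPE_RE = re.compile(r"^type=(\w+)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """SELinux type (third field) of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one audit line; return None for separators and non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    t = TYPE_RE.match(line)
    return {
        "record_type": t.group(1) if t else "AVC",
        "perms": m.group("perms").split(),
        "source": type_of(fields.get("scontext", "")),
        "target": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "permissive": fields.get("permissive") == "1",  # 1: logged, not blocked
        "fields": fields,
    }


def parse_audit(text):
    """Parse ausearch-style output into a list of denial records."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rule(rec):
    """The rule audit2allow would derive; review it rather than loading it blindly."""
    return "allow %s %s:%s %s;" % (rec["source"], rec["target"], rec["tclass"], " ".join(rec["perms"]))
```

Comparing the derived rules against what the daemon legitimately needs (here: boltd replying to fwupd over D-Bus, and managing its own directory under /var/run/boltd) is the step that distinguishes a policy fix from a blanket local module.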
Description of problem: just after login to my account, this warning is always reported.
Version-Release number of selected component: selinux-policy-3.14.2-35.fc29.noarch
Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.10-300.fc29.x86_64 type: libreport

Description of problem: The error message occurs when I enter Settings.
Version-Release number of selected component: selinux-policy-3.14.2-35.fc29.noarch
Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.10-300.fc29.x86_64 type: libreport

Description of problem: This seems to occur on boot of Fedora 29 with all recent updates. The AVC does show 'permissive=1'.
Version-Release number of selected component: selinux-policy-3.14.2-35.fc29.noarch
Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.11-300.fc29.x86_64 type: libreport

*** Bug 1635385 has been marked as a duplicate of this bug. ***

Description of problem: SELinux is denying boltd create access on the power directory.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that boltd should be allowed create access on the power directory by default, then you should report this as a bug. You can generate a local policy module to allow this access.
Allow this access for now by executing:

```
# ausearch -c 'boltd' --raw | audit2allow -M mi-boltd
# semodule -X 300 -i mi-boltd.pp
```

Additional Information:

```
Source Context                system_u:system_r:boltd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                power [ dir ]
Source                        boltd
Source Path                   boltd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-35.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
```

Version-Release number of selected component: selinux-policy-3.14.2-35.fc29.noarch
Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.11-301.fc29.x86_64 type: libreport
Created attachment 1486385 [details]
ausearch -m avc --comm boltd

bolt 0.5 wants to create a directory /var/run/boltd/power (/var/run/boltd should be created by systemd), and also read and write files there, and also remove that dir again.