Bug 1633786

Summary:	SELinux is preventing (boltd) from 'create' accesses on the directory boltd.
Product:	[Fedora] Fedora	Reporter:	Leslie Satenstein <lsatenstein>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	29	CC:	awilliam, bugzilla, dwalsh, fzatlouk, jacek.kruger, julen, kparal, lvrabec, mgrepl, plautrba, robatino
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	AcceptedBlocker abrt_hash:22755db9622cb05ee6adae0d3e9c1e77a3e86d28f610f855598d47d6d21e1aca;
Fixed In Version:	selinux-policy-3.14.2-40.fc29	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-10-19 13:45:28 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1517013

Description Leslie Satenstein 2018-09-27 18:42:09 UTC

Description of problem:
SELinux is preventing (boltd) from 'create' accesses on the directory boltd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (boltd) should be allowed create access on the boltd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_lib_t:s0
Target Objects                boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-35.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.9-300.fc29.x86_64 #1 SMP Thu
                              Sep 20 02:32:53 UTC 2018 x86_64
Alert Count                   10
First Seen                    2018-09-27 14:33:19 EDT
Last Seen                     2018-09-27 14:38:53 EDT
Local ID                      d4255d4d-9f17-423f-9a1c-e4a0e4578c15

Raw Audit Messages
type=AVC msg=audit(1538073533.47:325): avc:  denied  { create } for  pid=3536 comm="(boltd)" name="boltd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_lib_t:s0 tclass=dir permissive=0


Hash: (boltd),init_t,boltd_var_lib_t,dir,create

Version-Release number of selected component:
selinux-policy-3.14.2-35.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.9-300.fc29.x86_64
type:           libreport

Comment 1 Leslie Satenstein 2018-10-04 01:41:08 UTC

Don't know what this boltd is now,

Comment 2 Julen Landa Alustiza 2018-10-07 11:12:38 UTC

Description of problem:
fc27 workstation upgraded to fc29

Version-Release number of selected component:
selinux-policy-3.14.2-34.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.11-301.fc29.x86_64
type:           libreport

Comment 3 Fedora Blocker Bugs Application 2018-10-08 08:03:45 UTC

Proposed as a Blocker for 29-final by Fedora user jlanda using the blocker tracking app because:

 I Installed a new fc27 workstation with everything iso, default options.

After upgrading to fc29 with dnf I'm hitting this selinux-policy bug

Comment 4 Chris Murphy 2018-10-08 17:08:51 UTC

criterion: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

And actually there's a bunch of other boltd selinux AVC's I see on each boot that trigger the gnome-shell notification banner thingy...

1636823
1632230
1636660
1636539
1636538
1635436
1633725

Comment 5 František Zatloukal 2018-10-08 18:03:31 UTC

Discussed during the 2018-10-08 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made:

"This is accepted as a violation of the criterion "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.""

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-10-08/f29-blocker-review.2018-10-08-16.00.log.txt

Comment 6 Lukas Vrabec 2018-10-09 15:46:01 UTC

commit fdc0a2e0c507704fdfb15644cdbab41532411df2 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 9 17:45:23 2018 +0200

    Allow boltd_t to be activated by init socket activation
    Resolves: rhbz#1633786

Comment 7 Chris Murphy 2018-10-13 19:17:27 UTC

With selinux-policy-3.14.2-37.fc29.noarch I'm still getting denials, and notifications for them in GNOME shell for these two boltd related bugs:

Bug 1636823
Bug 1637676

Comment 8 Adam Williamson 2018-10-15 18:41:30 UTC

Lukas, can you please submit an update for -39 (or a later build with further fixes) to fix this plus the subsequent denials Chris noted, plus the cron stuff, for F29 Final? Thanks!

Comment 9 Chris Murphy 2018-10-15 19:15:24 UTC

After upgrading to selinux-policy-targeted-3.14.2-39.fc29.noarch I'm no longer seeing any AVC denial notifications by GNOME. I see one in the journal:

Oct 15 13:08:48 flap.local audit[659]: USER_AVC pid=659 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.411 spid=1951 tpid=1941 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1
[chris@flap ~]$ 


Tested with and without a thunderbolt device connected; and also connected and disconnected after startup/login.

Comment 10 Lukas Vrabec 2018-10-15 22:13:44 UTC

Adam, 

Everything should be included in -39.fc29 except SELinux denial from comment#9. I can fix it and create the build but it is after midnight in my timezone, could you create update from that build and include it to the rc compose? 

Thanks,
Lukas

Comment 11 Lukas Vrabec 2018-10-15 22:19:29 UTC

commit a69f9e63d83dd5f603147ddf7a349e075c80959d (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 16 00:15:11 2018 +0200

    Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)

Comment 12 Kamil Páral 2018-10-16 10:32:56 UTC

I can confirm comment 9, AVCs seem to be fixed in -39 except the one mentioned. Lukas, Adam is on vacation now, can you please make the build and submit to Bodhi? Thanks.

Comment 13 Lukas Vrabec 2018-10-16 11:50:40 UTC

Build is in bodhi. 

https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac

Comment 14 Kamil Páral 2018-10-16 11:57:52 UTC

Thanks, can you please modify it and mark it to fix this bug? 
I just tested it and all the boltd AVCs seem to be gone.

Comment 15 František Zatloukal 2018-10-19 13:45:28 UTC

Update FEDORA-2018-ce273879ac wasn't marked as fixing this bug. It has been pushed to stable, closing.

Comment 16 Lukas Vrabec 2018-12-17 19:17:35 UTC

*** Bug 1650364 has been marked as a duplicate of this bug. ***