Bug 1636823

Summary: SELinux is preventing (boltd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/boltd.
Product: [Fedora] Fedora Reporter: Chuck Mattern <cmattern>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29CC: akurtako, awilliam, bugzilla, carwyn, chmelarz, dwalsh, ego.cordatus, lruzicka, lvrabec, mgrepl, mikhail.v.gavrilov, plautrba, plroskin, timur.kristof, xzj8b3
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:46c911a8f05007638070614ecc17550bcbe29514973df28a3804c57867f20f5d;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.2-40.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-18 11:07:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1517014    
Attachments:
Description Flags
journalctl log none

Description Chuck Mattern 2018-10-08 01:55:15 UTC 
Description of problem:
Error occurrs at system boot and with systemctl restart bolt
Running on an old Lenovo T410 with no thunderbolt hardware and getting the errors below.

SELinux is preventing (boltd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/boltd.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/run/systemd/unit-root/run/boltd default label should be init_var_run_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/systemd/unit-root/run/boltd

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that (boltd) should be allowed mounton access on the boltd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-36.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.11-301.fc29.x86_64 #1 SMP Mon
                              Oct 1 13:47:10 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-07 21:39:41 EDT
Last Seen                     2018-10-07 21:51:35 EDT
Local ID                      e7bd2d98-28f9-4b8c-a713-5f462d3338a2

Raw Audit Messages
type=AVC msg=audit(1538963495.536:297): avc:  denied  { mounton } for  pid=4721 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=56475 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0


Hash: (boltd),init_t,boltd_var_run_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.11-301.fc29.x86_64
type:           libreport

Potential duplicate: bug 1636660
Comment 1 Pavel Roskin 2018-10-09 19:26:21 UTC 
Description of problem:
Seeing this issue after every reboot.

The suggestion to run "/sbin/restorecon -v /run/systemd/unit-root/run/boltd" didn't help, as /run/systemd/unit-root is an empty directory.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Comment 2 Lukas Vrabec 2018-10-12 16:08:10 UTC 
*** Bug 1636660 has been marked as a duplicate of this bug. ***
Comment 3 Carwyn Edwards 2018-10-12 16:42:17 UTC 
I'm also getting this, happens to be a system with no thunderbolt interfaces on it at all.
Comment 4 Chris Murphy 2018-10-13 19:15:04 UTC 
Running on battery with nothing connected; I do get notification for this denial in GNOME.


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          flap.local
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     flap.local
Platform                      Linux flap.local 4.18.12-300.fc29.x86_64 #1 SMP
                              Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-13 13:09:43 MDT
Last Seen                     2018-10-13 13:09:44 MDT
Local ID                      16fa60d7-2c18-4197-986e-94e11c790d3e

Raw Audit Messages
type=AVC msg=audit(1539457784.476:238): avc:  denied  { mounton } for  pid=2080 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=47233 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0


Hash: (boltd),init_t,boltd_var_run_t,dir,mounton
Comment 5 Zdenek Chmelar 2018-10-14 12:37:15 UTC 
Description of problem:
Appeared right afre the first login on the desktop. System has been upgraded to F29 before.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Comment 6 Chris Murphy 2018-10-14 14:28:19 UTC 
Created attachment 1493729 [details]
journalctl log

Just in case it's useful to see what all boltd is doing (or at least logging) in relation to the AVC's. Used -o short-monotonic time.
Comment 7 xzj8b3 2018-10-14 15:41:36 UTC 
Description of problem:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport
Comment 8 Timur Kristóf 2018-10-15 11:20:27 UTC 
Description of problem:
This showed up at boot after I updaded to Fedora 29. I believe the thunderbolt daemon should be allowed to access its own directory.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Comment 9 Lukas Vrabec 2018-10-15 12:13:42 UTC 
commit 2d39d24bc2473eac94a5ccdfa373e29db041d3fd (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 15 14:13:06 2018 +0200

    Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
Comment 10 Artem 2018-10-15 17:26:00 UTC 
Description of problem:
This began after i upgraded from F28W to F29W.

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport
Comment 11 Chris Murphy 2018-10-15 19:16:57 UTC 
Appears to be fixed by 3.14.2-39.fc29
Comment 12 Chris Murphy 2018-10-15 19:20:11 UTC 
Proposing freeze exception per blocker review #info to make sure a fix gets pushed to stable. The bug only happens with upgraded systems that still have setroubleshooter.
Comment 13 Fedora Update System 2018-10-15 20:23:40 UTC 
selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
Comment 14 Adam Williamson 2018-10-15 22:38:01 UTC 
+1 FE for this, we should definitely accept -39 for it and its buddy.
Comment 15 Fedora Update System 2018-10-16 15:52:27 UTC 
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
Comment 16 Lukas Ruzicka 2018-10-18 10:09:03 UTC 
I am not experiencing any boltd related selinux messages since 3.14.2-39. Considering verified.
Comment 17 Artem 2018-10-18 10:15:13 UTC 
LGTM too now. selinux-policy-3.14.2-40.fc29
Comment 18 Fedora Update System 2018-10-18 11:07:32 UTC 
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.