Bug 1637676
| Summary: | SELinux is preventing dbus-daemon from 'write' accesses on the fifo_file /run/boltd/power/2.guard.fifo. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Pavel Roskin <plroskin> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 29 | CC: | awilliam, bugzilla, ckellner, dwalsh, lruzicka, lvrabec, mgrepl, plautrba, roddy.mickael, sgallagh, timur.kristof |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:643f88ac0611046014f0b4a05cdb0ebe96a4a143952e2e478d512afd4956011b;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.14.2-40.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-18 11:07:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1517014 | ||
Still seeing this with policy -37
Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:boltd_var_run_t:s0
Target Objects /run/boltd/power/2.guard.fifo [ fifo_file ]
Source dbus-daemon
Source Path dbus-daemon
Port <Unknown>
Host flap.local
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name flap.local
Platform Linux flap.local 4.18.12-300.fc29.x86_64 #1 SMP
Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2018-10-13 13:09:44 MDT
Last Seen 2018-10-13 13:09:44 MDT
Local ID 0c2e124c-2d8b-4f22-bd30-cfcf6b6ba6e0
Raw Audit Messages
type=AVC msg=audit(1539457784.367:236): avc: denied { write } for pid=687 comm="dbus-daemon" path="/run/boltd/power/2.guard.fifo" dev="tmpfs" ino=43935 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=0
Hash: dbus-daemon,system_dbusd_t,boltd_var_run_t,fifo_file,write
Hi Chris, Do you know why dbus is trying to write to 2.guard pipe? Thanks, Lukas. Description of problem: This one just appeared out of the blue after upgrading to F29. Version-Release number of selected component: selinux-policy-3.14.2-36.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.12-300.fc29.x86_64 type: libreport Hi Lukas, it is a named pipe, where the boltd opens both sides and then passes the write and of it via dbus to the client. I would guess that is the reason. The whole idea behind it is outlined in the commits of bolt MR 101 (https://gitlab.freedesktop.org/bolt/bolt/merge_requests/101) *** Bug 1638754 has been marked as a duplicate of this bug. *** commit e096da420b3e2f2fe1d8d3d3f69651b3da12b9a6 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date: Mon Oct 15 14:09:21 2018 +0200
Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
Appears to be fixed by 3.14.2-39.fc29 Proposing freeze exception per blocker review #info to make sure a fix gets pushed to stable. The bug only happens with upgraded systems that still have setroubleshooter. selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac +1 FE for this, we should definitely accept -39 for it and its buddy. selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: This appears on reboot. SELinux is preventing dbus-daemon from 'write' accesses on the fifo_file /run/boltd/power/2.guard.fifo. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dbus-daemon should be allowed write access on the 2.guard.fifo fifo_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon # semodule -X 300 -i my-dbusdaemon.pp Additional Information: Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 Target Context system_u:object_r:boltd_var_run_t:s0 Target Objects /run/boltd/power/2.guard.fifo [ fifo_file ] Source dbus-daemon Source Path dbus-daemon Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.18.12-300.fc29.x86_64 #1 SMP Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-10-09 10:49:33 PDT Last Seen 2018-10-09 10:49:33 PDT Local ID 8084f588-4daf-4e72-b1f5-66b05e63f6a1 Raw Audit Messages type=AVC msg=audit(1539107373.979:294): avc: denied { write } for pid=763 comm="dbus-daemon" path="/run/boltd/power/2.guard.fifo" dev="tmpfs" ino=51116 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=0 Hash: dbus-daemon,system_dbusd_t,boltd_var_run_t,fifo_file,write Additional info: component: selinux-policy reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.12-300.fc29.x86_64 type: libreport