Bug 1645278
| Summary: | SELinux is preventing systemd-logind from 'read' accesses on the blk_file nvme0n1p1. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jonathan Haas <jonha87> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 29 | CC: | braden, bugzilla, dwalsh, jasuarez, jkonecny, kparal, luca.botti, lvrabec, mgrepl, mike, nrevo, plautrba, redhat, sbroz, sgallagh, sjoerd |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:6fd876b459704392257a2a80d9d8cda60eda31544dfc337a3fb10a273b6161df;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.14.2-41.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-11-07 02:42:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: Just logged in after a dnf update. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport Description of problem: Not sure exactly what activity triggered this alert. systemd was recently updated, though. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport Appeared the same time as https://bugzilla.redhat.com/show_bug.cgi?id=1644313, but not sure if related, also instead of going into standby mode, the system now does a regular boot whenever I close and reopen the lid instead of remembering/restoring the session. (Dell XPS 13 9350). commit c6e14c8e0fe178b24a59eb98792291c7a42e5df8 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Fri Nov 2 17:27:57 2018 +0100
Allow systemd_logind_t domain to read nvme devices BZ(1645567)
Description of problem: Booting up after last updates Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport Description of problem: Showed up after an upgrade from Fedora 28 -> 29 Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport Description of problem:
This alert shows up right after boot, i.e. after logging into Gnome and is reported into syslog too. Example:
# sealert -l 4a3eef04-de90-4896-96ef-b7b5178546e1
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glib
SELinux is preventing systemd-logind from read access on the blk_file nvme0n1p1.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-logind should be allowed read access on the nvme0n1p1 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp
Additional Information:
Source Context system_u:system_r:systemd_logind_t:s0
Target Context system_u:object_r:nvme_device_t:s0
Target Objects nvme0n1p1 [ blk_file ]
Source systemd-logind
Source Path systemd-logind
Port <Unknown>
Host horus
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name horus
Platform Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct
20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2018-11-03 20:06:04 PDT
Last Seen 2018-11-03 20:06:04 PDT
Local ID 4a3eef04-de90-4896-96ef-b7b5178546e1
Raw Audit Messages
type=AVC msg=audit(1541300764.423:258): avc: denied { read } for pid=892 comm="systemd-logind" name="nvme0n1p1" dev="devtmpfs" ino=13714 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
Hash: systemd-logind,systemd_logind_t,nvme_device_t,blk_file,read
Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
Additional info:
reporter: libreport-2.9.6
hashmarkername: setroubleshoot
kernel: 4.18.16-300.fc29.x86_64
type: libreport
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b *** Bug 1645902 has been marked as a duplicate of this bug. *** selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b *** Bug 1646560 has been marked as a duplicate of this bug. *** Description of problem: I rebooted and then logged in. Then I saw this report. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport *** Bug 1646185 has been marked as a duplicate of this bug. *** Description of problem: The problem occurred on first login after a reboot. Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. Description of problem: Logging in and printing PDF document Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport |
Description of problem: SELinux is preventing systemd-logind from 'read' accesses on the blk_file nvme0n1p1. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed read access on the nvme0n1p1 blk_file by default. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do allow this access for now by executing: # ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind # semodule -X 300 -i my-systemdlogind.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:nvme_device_t:s0 Target Objects nvme0n1p1 [ blk_file ] Source systemd-logind Source Path systemd-logind Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-40.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64 Alert Count 4 First Seen 2018-11-01 19:23:51 CET Last Seen 2018-11-01 20:24:14 CET Local ID c6eb65b8-3ab3-47ca-9a5a-1b8b488d737a Raw Audit Messages type=AVC msg=audit(1541100254.983:210): avc: denied { read } for pid=1151 comm="systemd-logind" name="nvme0n1p1" dev="devtmpfs" ino=18784 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0 Hash: systemd-logind,systemd_logind_t,nvme_device_t,blk_file,read Version-Release number of selected component: selinux-policy-3.14.2-40.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.18.16-300.fc29.x86_64 type: libreport Potential duplicate: bug 1644786