Bug 1758746

Summary: SELinux is preventing boltd from 'read' accesses on the lnk_file driver.
Product: [Fedora] Fedora
Reporter: Michael <michael.scheiffler>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 31
CC: angelapuget, ckellner, dovla091, dwalsh, jdiaz, lvrabec, mgrepl, plautrba, praiskup, william_wofford, zpytela
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:b66c51ff9104d836a4c679eb71e0e3cdc8397dc74ce67bc76f7fe1657aca3978;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.4-37.fc31
Last Closed: 2019-10-11 23:18:15 UTC

Description Michael 2019-10-05 09:26:52 UTC
Description of problem:
Plugged in USB stick
SELinux is preventing boltd from 'read' accesses on the lnk_file driver.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boltd should be allowed read access on the driver lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'boltd' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:boltd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                driver [ lnk_file ]
Source                        boltd
Source Path                   boltd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-36.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.2-300.fc31.x86_64 #1 SMP Tue
                              Oct 1 20:44:46 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-10-05 11:25:57 CEST
Last Seen                     2019-10-05 11:25:57 CEST
Local ID                      2bc23e25-a827-4d86-a222-13701941fe6f

Raw Audit Messages
type=AVC msg=audit(1570267557.411:1076): avc:  denied  { read } for  pid=3799 comm="boltd" name="driver" dev="sysfs" ino=63607 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0


Hash: boltd,boltd_t,sysfs_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.14.4-36.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.2-300.fc31.x86_64
type:           libreport

Potential duplicate: bug 1758731

Comment 1 dovla091 2019-10-05 18:29:20 UTC
*** Bug 1758797 has been marked as a duplicate of this bug. ***

Comment 2 Christian Kellner 2019-10-05 18:49:33 UTC

*** This bug has been marked as a duplicate of bug 1754360 ***

Comment 3 Christian Kellner 2019-10-05 19:09:01 UTC
Sorry, I was too quick here, I think the change in bug 1754360 (selinux-policy build 3.14.4-36.fc31) might actually *cause* this.

rpm -qa "selinux-policy*"
selinux-policy-3.14.4-36.fc31.noarch
selinux-policy-targeted-3.14.4-36.fc31.noarch

sudo ausearch -c 'boltd' --start boot --raw
type=AVC msg=audit(1570302004.301:104): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341" dev="sysfs" ino=24557 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:105): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/05901221-D566-11D1-B2F0-00A0C9062910" dev="sysfs" ino=24687 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:106): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/8D9DDCBC-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24619 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:107): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/9DBB5994-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24663 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:108): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/A80593CE-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24648 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:109): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:110): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/0-0" dev="sysfs" ino=40678 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:114): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40661 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:115): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8986 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:116): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8769 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:117): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8702 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:118): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8305 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0

As a result of this, boltd does not work at all anymore:

journalctl -b -u bolt
-- Logs begin at Mon 2019-03-18 16:28:32 CET, end at Sat 2019-10-05 21:08:06 CEST. --
Oct 05 21:00:03 cobalt systemd[1]: Starting Thunderbolt system service...
Oct 05 21:00:03 cobalt boltd[1318]: bolt 0.8 starting up.
Oct 05 21:00:04 cobalt boltd[1318]: store: located at: /var/lib/boltd
Oct 05 21:00:04 cobalt boltd[1318]: config: loading user config
Oct 05 21:00:04 cobalt boltd[1318]: config: user config loaded successfully
Oct 05 21:00:04 cobalt boltd[1318]: config: auth mode set to 'enabled'
Oct 05 21:00:04 cobalt boltd[1318]: bouncer: initializing polkit
Oct 05 21:00:04 cobalt boltd[1318]: udev: initializing udev
Oct 05 21:00:04 cobalt boltd[1318]: store: loading domains
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain?                    ] store: loading domain
Oct 05 21:00:04 cobalt boltd[1318]: journal: opened for 'c9030000-0070'; size: 0 bytes
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain?                    ] domain: registered (bootacl: 9/16)
Oct 05 21:00:04 cobalt boltd[1318]: store: loading devices
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: power: state located at: /run/boltd/power
Oct 05 21:00:04 cobalt boltd[1318]: power: force power support: no
Oct 05 21:00:04 cobalt boltd[1318]: udev: enumerating devices
Oct 05 21:00:04 cobalt boltd[1318]: dbus: exported domain at /org/freedesktop/bolt/domains/c9030000_0070_6f08_23fd_a0485751381d
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f-HP Thunderbolt 3Dock       ] dbus: exported device at /org/freedesktop/bolt/devices/00eb011d_b15f...
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f-Dell Thunderbolt Cable     ] dbus: exported device at /org/freedesktop/bolt/devices/008b61e9_315f...
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f-Dell Thunderbolt Dock      ] dbus: exported device at /org/freedesktop/bolt/devices/10762168_2f5f...
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200-Thunderbolt to Gigabit Ethe] dbus: exported device at /org/freedesktop/bolt/devices/60515100_0200...
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0-Thunderbolt3 Graphic Dock  ] dbus: exported device at /org/freedesktop/bolt/devices/003299ed_d8a0...
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/002b12dc_739d...
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/00d81a34_3824...
Oct 05 21:00:04 cobalt systemd[1]: Started Thunderbolt system service.
Oct 05 21:00:04 cobalt boltd[1318]: domain: could not find domain for device at '/sys/devices/pci0000:00/0000:00:1c.4/0000:03:00.0/0000:04:00.0/0000:05:00.0/domain0/0-0/0-1'

NB: it cannot find any Thunderbolt hardware (it should appear between "udev: enumerating devices" and "dbus: exported domain at").
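As an added example (not code from this bug, nor from the bolt or selinux-policy projects), a small Python parser for AVC records of the kind shown above and in the description: it keeps only enforced denials, groups them by source type, target type and object class the way audit2allow does, and renders the allow rule a local module built with `audit2allow -M` would contain. The sample records are constructed in the shape of the ones posted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the AVC records posted in this bug: one getattr denial, one read denial, one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1570302004.301:104): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1570302004.325:113): arch=c000003e syscall=89 success=no exit=-13 comm="boltd"
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one dict per AVC record in text; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = frozenset(rec["perms"].split())
        # permissive=1 means the denial was only logged; 0 (or absent, on old kernels) is treated as enforced
        rec["enforced"] = rec["permissive"] != "1"
        records.append(rec)
    return records

def type_of(context):
    """user:role:type:level -> type, e.g. system_u:system_r:boltd_t:s0 -> boltd_t."""
    return context.split(":")[2]

def group_denials(records):
    """Map (source type, target type, class) -> denied permissions: the grouping
    audit2allow uses when it turns a batch of denials into allow rules."""
    groups = defaultdict(set)
    for r in records:
        if r["decision"] == "denied" and r["enforced"]:
            groups[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])] |= r["perms"]
    return dict(groups)

def allow_rules(groups):
    """Render each group as the TE allow rule a module built with audit2allow -M would contain."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(groups.items())]
```

A rule produced this way grants boltd_t the listed permissions on every lnk_file labelled sysfs_t, so it is a local workaround to compare against the distribution policy update, not a replacement for it.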

Comment 4 Lukas Vrabec 2019-10-07 11:08:44 UTC

*** This bug has been marked as a duplicate of bug 1759019 ***

Comment 5 Fedora Update System 2019-10-09 11:44:14 UTC
FEDORA-2019-5adca37a25 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

Comment 6 Lukas Vrabec 2019-10-09 15:08:55 UTC
*** Bug 1759596 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2019-10-09 23:05:37 UTC
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

Comment 8 Joel Diaz 2019-10-10 14:30:39 UTC
selinux-policy-3.14.4-37.fc31 got things back to working for me

Comment 9 Fedora Update System 2019-10-11 23:18:15 UTC
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.