Bug 1803513 - Multiple denial messages

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Fedora | Reporter: | Andrey Motoshkov <motoskov> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 32 | CC: | dwalsh, grepl.miroslav, lvrabec, plautrba, ppywlkiqletw, vkadlcik, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.5-28.fc32 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-07 13:03:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Andrey Motoshkov
2020-02-16 14:47:26 UTC
Comment 1
Lukas Vrabec

Hi Andrey,

Could you please reproduce it with the latest selinux-policy build from koji?

https://koji.fedoraproject.org/koji/buildinfo?buildID=1462575

Thanks,
Lukas.

Comment 2

rpm -qa | grep selinux-policy
selinux-policy-targeted-3.14.5-26.fc32.noarch
selinux-policy-3.14.5-26.fc32.noarch

2 AVC avc: denied { create } for comm="systemd-user-ru" name="blk" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
2 AVC avc: denied { create } for comm="systemd-user-ru" name="chr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
2 AVC avc: denied { dac_override } for comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { getattr } for comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { getattr } for comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { mknod } for comm="systemd-user-ru" capability=27 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
1 AVC avc: denied { open } for comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { open } for comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=56336 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-com.gexperts.Tilix" dev="tmpfs" ino=75336 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Identity" dev="tmpfs" ino=61404 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.OnlineAccounts" dev="tmpfs" ino=60094 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Shell.CalendarServer" dev="tmpfs" ino=59304 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=40230 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=49191 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-launched-gnome-software-service.desktop-2481.scope" dev="tmpfs" ino=65006 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
3 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=48355 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=58761 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:gsd-color.service" dev="tmpfs" ino=64454 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=40219 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=47241 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:tracker-store.service" dev="tmpfs" ino=69869 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
1 AVC avc: denied { read } for comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
2 AVC avc: denied { read } for comm="systemd-tty-ask" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=33735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=33734 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=46236 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
1 AVC avc: denied { setsched } for comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="boltd" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=process permissive=1
2 AVC avc: denied { setsched } for comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1
2 AVC avc: denied { setsched } for comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=1
1 AVC avc: denied { setsched } for comm="tpm2-abrmd" scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:tabrmd_t:s0 tclass=process permissive=1
1 AVC avc: denied { sys_nice } for comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { sys_nice } for comm="pcscd" capability=23 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="chr" dev="tmpfs" ino=46236 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1

Comment 3
Lukas Vrabec

Hi,

These issues will be handled by this commit:

commit 5474b82f5d1280e11a7a47ce7dc2feb50df049cb (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 18 17:53:01 2020 +0100

    Allow systemd_logind_t domain to manage user_tmp_t char and block devices

    Resolves: rhbz#1798912

Comment 4

(In reply to Lukas Vrabec from comment #3)
> Hi,
>
> These issues will be handled by this commit:
>

There are about five or six other SELinux issues unrelated to systemd-logind_t.

> commit 5474b82f5d1280e11a7a47ce7dc2feb50df049cb (HEAD -> rawhide, origin/rawhide)
> Author: Lukas Vrabec <lvrabec>
> Date:   Tue Feb 18 17:53:01 2020 +0100
>
>     Allow systemd_logind_t domain to manage user_tmp_t char and block devices
>
>     Resolves: rhbz#1798912
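The point raised in comment 4 is easy to check mechanically: fold the AVC records by (source type, target type, object class) and see which source domains remain once the systemd_logind_t rules are set aside. The script below is an added example written for this page; it is not code from selinux-policy, from the reporter, or from audit2allow, although it reproduces the grouping step that `audit2allow` performs. The sample input is a subset of the AVC lines quoted in comment 2, kept in the `<count> AVC avc: denied ...` form they were posted in; the function names and the output format are my own choices.

```python
"""Triage helper: fold SELinux AVC denials into candidate allow rules.

Added example for this bug page; not part of selinux-policy or of the
reporter's output. It reproduces the grouping step of audit2allow so the
shape of the denials (which domains, which classes) is visible at a glance.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC lines quoted in the report,
# in the "<count> AVC avc: denied ..." form they were posted in.
SAMPLE_AVCS = """\
2 AVC avc: denied { create } for comm="systemd-user-ru" name="blk" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { setattr } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=33735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
1 AVC avc: denied { unlink } for comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
2 AVC avc: denied { mknod } for comm="systemd-user-ru" capability=27 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
2 AVC avc: denied { dac_override } for comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { setsched } for comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
1 AVC avc: denied { sys_nice } for comm="accounts-daemon" capability=23 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
1 AVC avc: denied { read } for comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=40219 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
"""

# One AVC record: the permission set in braces, then the source and target
# security contexts and the object class. The other fields (comm, name, ino,
# capability number) do not affect the resulting rule and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # blank line or a non-AVC audit record
        yield (type_of(m["scon"]), type_of(m["tcon"]),
               m["tclass"], frozenset(m["perms"].split()))


def collect_rules(text):
    """Merge permissions per (source, target, class) triple, as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render the triples as policy-language allow rules, sorted for diffing."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # same domain => self
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


def source_domains(rules):
    """Distinct source domains that had at least one denial."""
    return sorted({stype for (stype, _ttype, _tclass) in rules})


def unrelated_to(rules, domain):
    """Source domains other than `domain`: denials a fix for `domain` cannot cover."""
    return [d for d in source_domains(rules) if d != domain]


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVCS)
    print("\n".join(format_rules(rules)))
    print("domains not covered by a systemd_logind_t fix:",
          ", ".join(unrelated_to(rules, "systemd_logind_t")))
```

On the sample input this yields one rule for the blk_file denials that the commit in comment 3 addresses (`allow systemd_logind_t user_tmp_t:blk_file { create setattr unlink };`) and separate rules for accountsd_t, plymouthd_t and syslogd_t, which that commit does not touch. Treat the output as a triage aid rather than a module to install: capability rules such as `dac_override`, `mknod` and `sys_nice` widen a domain's privilege and deserve a look at why the program needs them before they are allowed. On a live system the input would come from `ausearch -m avc` rather than a pasted list.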