Bug 1824196

*** Bug 1823035 has been marked as a duplicate of this bug. ***

commit 94e50ba442ae8792587879a18d714c10747e7de6 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 20 16:54:13 2020 +0200

    Allow read efivarfs_t files by domains executing systemctl file
    
    Resolves: rhbz#1824196

FEDORA-2020-3ffe9fdf42 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ffe9fdf42

FEDORA-2020-3ffe9fdf42 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-3ffe9fdf42`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ffe9fdf42

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Lukasi,

This bug was reported not fixed with the update. I cannot see the permission either:

# sesearch -A -s systemd_resolved_t -t efivarfs_t -c file -p read
# sesearch -A -s systemd_modules_load_t -t efivarfs_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True

I even cannot find the commit. Has the commit reached the github repo?

commit ff8b5f9c119a828e92036f86e3d82c898412db59 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 30 10:06:21 2020 +0200

    Allow read efivarfs_t files by domains executing systemctl file
    
    Resolves: rhbz#1824196


https://github.com/fedora-selinux/selinux-policy/commit/ff8b5f9c119a828e92036f86e3d82c898412db59

Thanks for heads-up.

*** Bug 1819161 has been marked as a duplicate of this bug. ***

just noted this happening for me too. following.

FEDORA-2020-a6cd8de2ed has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed

Fixed with the following:

# cat efivars-systemd-resolved-fix.te 

module efivars-systemd-resolved-fix 1.0;

require {
        type efivarfs_t;
        type systemd_resolved_t;
        class file { getattr open read };
}

#============= systemd_resolved_t ==============
allow systemd_resolved_t efivarfs_t:file getattr;

#!!!! This avc is allowed in the current policy
allow systemd_resolved_t efivarfs_t:file { open read };


---

# sesearch -A -s systemd_resolved_t -t efivarfs_t -c file -p read
allow systemd_resolved_t efivarfs_t:file { getattr open read };

Similar problem has been detected:

 It happens when I tried to install some third-party kernel modules

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-32.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

FEDORA-2020-a6cd8de2ed has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Similar problem has been detected:

It happens every time when I install a third-party kernel module (probably ashmem?)

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Similar problem has been detected:

Install a third party software called xDroid (a proprietary Android compatibility layer developed by Chinese people)
During the installation process the warning pops up several times.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

This issue is not resolved with this update, even after a manual relabel.  Also note #1827466 in the first AVC.

~]# ausearch -m avc -ts boot
----
time->Wed May  6 17:57:42 2020
type=AVC msg=audit(1588805862.874:118): avc:  denied  { read } for  pid=815 comm="sssd" name="systemd" dev="tmpfs" ino=256 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:163): avc:  denied  { read } for  pid=925 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:164): avc:  denied  { open } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:165): avc:  denied  { getattr } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1

I am also getting: SELinux is preventing systemd-resolve from read access on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

selinux-policy 3.14.5-8.fc32

audit2allow generates the following

module my-systemdresolve 1.0;

require {
        type efivarfs_t;
        type systemd_resolved_t;
        class file read;
}

#============= systemd_resolved_t ==============
allow systemd_resolved_t efivarfs_t:file read;

edit: selinux-policy version is 3.14.5-38.fc32

after applying the above policy (2 comments up) I now get:

SELinux is preventing systemd-resolve from open access on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

audit2allow module updated:

module my-systemdresolve 1.0;

require {
        type efivarfs_t;
        type systemd_resolved_t;
        class file { open read };
}

#============= systemd_resolved_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_resolved_t efivarfs_t:file read;
allow systemd_resolved_t efivarfs_t:file open;

after applying the above policy I get SELinux is preventing systemd-resolve from getattr access on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

audit2allow policy now looks like:

module my-systemdresolve 1.0;

require {
        type systemd_resolved_t;
        type efivarfs_t;
        class file { getattr open read };
}

#============= systemd_resolved_t ==============
allow systemd_resolved_t efivarfs_t:file getattr;

#!!!! This avc is allowed in the current policy
allow systemd_resolved_t efivarfs_t:file { open read };

this resolves the whole issue

Similar problem has been detected:

dnf distro-sync --allowerasing --best --refresh
Happend during 'Running scriptlet: kernel-core-5.6.10-300.fc32.x86_64' phase.

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

I'm not sure if relevant, but I did `fixfiles onboot` in previous session, rebooted, and now had the issue popup during new kernel-core install.

Similar problem has been detected:

This SELinux alert was present on first boot after upgrading from Fedora 31 to Fedora 32.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Similar problem has been detected:

this happened while updating packages (among them kernel packages)

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the Datei SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Similar problem has been detected:

This happened after waking up my laptop from suspend. Reason unknown.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the Datei SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Similar problem has been detected:

In boot show message "Failed to start Load Kernel Modules"

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the arquivo SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

*** Bug 1827972 has been marked as a duplicate of this bug. ***

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(05/19/2020 00:01:02.472:577) : proctitle=/usr/bin/systemctl --quiet is-active psacct.service 
type=PATH msg=audit(05/19/2020 00:01:02.472:577) : item=0 name=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c inode=15548 dev=00:1c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:efivarfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/19/2020 00:01:02.472:577) : cwd=/ 
type=SYSCALL msg=audit(05/19/2020 00:01:02.472:577) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5632c2c7fe40 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=10059 pid=10060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null) 
type=AVC msg=audit(05/19/2020 00:01:02.472:577) : avc:  denied  { read } for  pid=10060 comm=systemctl name=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c dev="efivarfs" ino=15548 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

FEDORA-2020-886cc9af08 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-886cc9af08`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Similar problem has been detected:

Happened after dnf update command.


hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing /usr/lib/systemd/systemd-modules-load from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Changing status to assigned, the reported issue has not been resolved, neither was the similar for systemd_modules_load_t.

Similar problem has been detected:

Restarted nfs

 sudo systemctl restart rpcbind nfs-server 

the error suddenly appeared

hashmarkername: setroubleshoot
kernel:         5.6.13-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Similar problem has been detected:

This occurs upon rebooting and whenever I resume (power on) from a hybrid suspend.  This started after upgrading from Fedora 31 to 32.  

The same occurs with systemd-modules:

SELinux is preventing systemd-modules from read access on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

Plugin: catchall 
 SELinux denied access requested by systemd-modules. It is not expected that
this access is required by systemd-modules and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

If you believe that systemd-modules should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'systemd-modules' --raw | audit2allow -M my-systemdmodules
# semodule -X 300 -i my-systemdmodules.pp

hashmarkername: setroubleshoot
kernel:         5.6.13-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Similar problem has been detected:

A bateria do Notebook acabou no momento da instalação de programas

hashmarkername: setroubleshoot
kernel:         5.6.14-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the arquivo SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

Similar problem has been detected:

This just popped up after dnf update

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

I've submitted a new Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/361

commit 8c4ffe785f5278ca5399563df5091487041d9257 (HEAD -> rawhide, origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Jun 3 16:00:48 2020 +0200

    Allow systemd_resolved_t to read efivarfs
    
    Resolves: rhbz#1824196

FEDORA-2020-ca8855e4de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

FEDORA-2020-ca8855e4de has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ca8855e4de`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Similar problem has been detected:

This error gets reported after logging on. I suspect it occurs at startup time. But I do not know what software causes this violation.

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

gbonnema, see bz#1833502, should be resolved in the same policy package version.

Zdenek Pytela, thanks for the pointer.

Similar problem has been detected:

Just logged in and received this error message

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport

selinux-policy-3.14.5-40.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.