Bug 1827972

Summary: SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
Product: [Fedora] Fedora Reporter: dmt <bugzilla>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 32CC: andrew, buribullet, charliebergren, dwalsh, ewl+redhat, fadnix, grepl.miroslav, jim.button, joe, johannes.lips, jonathonpoppleton, lvrabec, macosguy, pedro.moresco93, plautrba, prd-fedora, simon.bachenberg, thedatum+bz, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:004827e3798fd1ff816428277acd2d61395784ba1a70f575dde410f02df40f16;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-19 15:50:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description dmt 2020-04-26 02:08:29 UTC 
Description of problem:
I had just disconnected from a thunderbolt dock and moved to the couch.
The laptop has Secure Boot enabled and is running Fedora 32 Beta.

Should systemd have this access?

Let me know if there's anything more I can do.
SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [
                              file ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-3.14.5-32.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-32.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.2-301.fc32.x86_64 #1 SMP Tue
                              Apr 7 18:23:18 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-26 00:01:01 GMT
Last Seen                     2020-04-26 00:01:01 GMT
Local ID                      76289825-cd57-47f9-882c-03fd514af85a

Raw Audit Messages
type=AVC msg=audit(1587859261.824:506): avc:  denied  { read } for  pid=28440 comm="systemctl" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15078 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0


Hash: systemctl,logrotate_t,efivarfs_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.5-32.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.6-300.fc32.x86_64
type:           libreport
Comment 1 Zdenek Pytela 2020-04-27 16:21:20 UTC 
Hi,

Thank you for reporting the issue. Was the denial triggered directly after undocking? In the setroubleshoot alert we see "2020-04-26 00:01:01 GMT".

While systemd and various its service already have access to efivarfs, this denial was triggered by logrotate. Do you by any change know which service, executing systemctl, it was?

These steps can get more of auditing:

1) Open /etc/audit/rules.d/audit.rules file in an editor.
2) Remove following line if it exists:
-a task,never
3) Add following line at the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario or wait until it happens again
6) Collect audit denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Comment 2 dmt 2020-04-27 17:23:26 UTC 
(In reply to Zdenek Pytela from comment #1)
> Was the denial triggered directly after undocking?
It happened a few seconds after. I unplugged the dock, carried the laptop with me into the next room, had a seat and that's when I noticed the SELinux Troubleshooter.

> Do you by any change know which service, executing systemctl, it was?
I'm afraid not.

> 5) Re-run your scenario or wait until it happens again
Will do. It hasn't happened since but I'll inspect the audit denials as soon as it does and send them your way.
Comment 3 Paul DeStefano 2020-05-04 15:16:44 UTC 
For me, this happened right after wake from sleep and login to the GUI.
Comment 4 thedatum+bz 2020-05-10 04:05:39 UTC 
Similar problem has been detected:

Occurred spontaneously when systemd logrotate service ran.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Comment 5 Fahad Alduraibi 2020-05-10 08:36:56 UTC 
Similar problem has been detected:

Everytime after booting the system (the system was upgraded to F32 from F31 few days/weeks ago

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Comment 6 Fahad Alduraibi 2020-05-10 08:51:36 UTC 
(In reply to Zdenek Pytela from comment #1)

> These steps can get more of auditing:
> 
> 1) Open /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove following line if it exists:
> -a task,never
> 3) Add following line at the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario or wait until it happens again
> 6) Collect audit denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Here is the my result after following your steps and rebooting the whole system:

---
type=AVC msg=audit(05/10/2020 00:01:01.601:660) : avc:  denied  { read } for  pid=20654 comm=systemctl name=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c dev="efivarfs" ino=1221 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 
---

I don't see any extra information from the original report!

Here are the changes i did to the audit.rules file to verify what i did:
---
#-a task,never
-w /etc/shadow -p w
---
Comment 7 macosguy 2020-05-17 04:01:58 UTC 
Similar problem has been detected:

Running VMware Workstation 15.5.2 for Linux

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Comment 8 jim.button 2020-05-17 05:40:54 UTC 
Similar problem has been detected:

SELinux alert appears sometimes after wake up from suspend

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the Datei SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Comment 9 Eric L. 2020-05-17 06:55:12 UTC 
Also here after each reboot, it's a desktop PC, no dock/undock, Cinnamon F32, upgraded from F31 (and other versions before).

SELinux is preventing systemctl from read access on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [
                              file ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          xxx
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.5-38.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-38.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxx
Platform                      Linux xxx 5.6.12-300.fc32.x86_64 #1 SMP Mon May
                              11 16:47:13 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-05-17 08:31:42 CEST
Last Seen                     2020-05-17 08:31:42 CEST
Local ID                      71b0b10e-bbd7-4a17-b55e-91139162655d

Raw Audit Messages
type=AVC msg=audit(1589697102.21:142): avc:  denied  { read } for  pid=1042 comm="systemctl" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=1143 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0


Hash: systemctl,logrotate_t,efivarfs_t,file,read
Comment 10 Zdenek Pytela 2020-05-18 06:59:00 UTC 
*** Bug 1836587 has been marked as a duplicate of this bug. ***
Comment 11 Zdenek Pytela 2020-05-19 15:50:13 UTC 
Thank you all for you cooperation, this bug will be resolved with the fix for bz#1824196.

*** This bug has been marked as a duplicate of bug 1824196 ***
Comment 12 Joseph D. Wagner 2020-05-19 17:04:09 UTC 
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(05/19/2020 00:01:02.472:577) : proctitle=/usr/bin/systemctl --quiet is-active psacct.service 
type=PATH msg=audit(05/19/2020 00:01:02.472:577) : item=0 name=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c inode=15548 dev=00:1c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:efivarfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/19/2020 00:01:02.472:577) : cwd=/ 
type=SYSCALL msg=audit(05/19/2020 00:01:02.472:577) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5632c2c7fe40 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=10059 pid=10060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null) 
type=AVC msg=audit(05/19/2020 00:01:02.472:577) : avc:  denied  { read } for  pid=10060 comm=systemctl name=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c dev="efivarfs" ino=15548 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0