Bug 1931959
| Summary: | SELinux is preventing systemd-hostnam from 'read' accesses on the file +dmi:id. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matt.fagnani> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 34 | CC: | bgoncalv, dwalsh, flast, grepl.miroslav, griboedova, lvrabec, mikhail.v.gavrilov, mmalik, omosnace, patrick, plarsen, plautrba, projects.rg, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:e306ff31b8d62486f4c45769200bbc38d31f0abcbd312b2a6858a2af55ae480f;VARIANT_ID=kde; | ||
| Fixed In Version: | selinux-policy-3.14.7-25.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-16 00:28:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Matt Fagnani
2021-02-23 16:22:28 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/611

(In reply to Zdenek Pytela from comment #1)
> I've submitted a Fedora PR to address the issue:
> https://github.com/fedora-selinux/selinux-policy/pull/611

Thanks. I ran the following commands to allow this systemd-hostnamed denial and rebooted.

```
sudo ausearch -c 'systemd-hostnam' --raw | audit2allow -M my-systemdhostnam
sudo semodule -X 300 -i my-systemdhostnam.pp
```

The following denial of systemd-hostnamed opening /run/udev/data/+dmi:id happened when systemd-hostnamed was starting during the next boot.

```
type=AVC msg=audit(1614101662.249:277): avc: denied { open } for pid=902 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=1159 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
```

I ran the ausearch and semodule commands above again and rebooted. The following denial of systemd-hostnamed getattr accesses on /run/udev/data/+dmi:id happened when systemd-hostnamed was starting during the next boot.

```
type=AVC msg=audit(1614102325.443:274): avc: denied { getattr } for pid=898 comm="systemd-hostnam" path="/run/udev/data/+dmi:id" dev="tmpfs" ino=1132 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
```

The systemd-248-rc1 release notes mentioned a change in systemd-hostnamed reading from DMI tables which might be related to these denials.

"systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel" D-Bus properties, which are supposed to contain a pair of cleaned up, human readable strings describing the system's vendor and model. It's typically sourced from the firmware's DMI tables, but may be augmented from a new hwdb database. hostnamectl shows this in the status output."
https://github.com/systemd/systemd/blob/v248-rc1/NEWS

Thank you, I've updated the commit message.
FEDORA-2021-ccd3bb057b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b

FEDORA-2021-ccd3bb057b has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ccd3bb057b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ccd3bb057b
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

*** Bug 1932436 has been marked as a duplicate of this bug. ***

*** Bug 1932688 has been marked as a duplicate of this bug. ***

*** Bug 1932683 has been marked as a duplicate of this bug. ***

*** Bug 1932682 has been marked as a duplicate of this bug. ***

FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Similar problem has been detected:

Opening "Settings" in GnomeShell 4.0

hashmarkername: setroubleshoot
kernel: 5.10.19-200.fc33.x86_64
package: selinux-policy-targeted-3.14.7-22.fc34.noarch
reason: SELinux is preventing systemd-hostnam from 'read' accesses on the file +dmi:id.
type: libreport

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.