Bug 1968654

Summary: systemd was denied associating with /dev/dma_heap while booting with selinux-policy-34.10-1.fc34
Product: [Fedora] Fedora
Reporter: Matt Fagnani <matt.fagnani>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 34
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-34.11-1.fc34
Last Closed: 2021-06-11 01:15:25 UTC
Type: Bug

Description Matt Fagnani 2021-06-07 18:39:07 UTC
Description of problem:

I updated to selinux-policy-34.10-1.fc34 from koji in a Fedora 34 KDE Plasma installation. I'm using the targeted policy in enforcing mode. I rebooted. The systemd denials of reading and searching /dev/dma_heap didn't happen while booting as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1965743. systemd was denied associating with /dev/dma_heap while booting around when the journal was started on the next 3 boots.

Jun 07 13:18:13 audit[1]: AVC avc:  denied  { associate } for  pid=1 comm="systemd" name="dma_heap" dev="devtmpfs" ino=137 scontext=system_u:object_r:dma_device_dir_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0

This denial didn't appear with selinux-policy-34.9-1.fc34 or earlier. 

Version-Release number of selected component (if applicable):
selinux-policy-34.10-1.fc34

How reproducible:
systemd was denied associating with /dev/dma_heap while booting with selinux-policy-34.10-1.fc34 on 3/3 boots

Steps to Reproduce:
1. Boot a Fedora 34 KDE Plasma installation updated to 2021-6-7
2. Log in to Plasma on Wayland
3. Start konsole
4. sudo dnf upgrade https://kojipkgs.fedoraproject.org//packages/selinux-policy/34.10/1.fc34/noarch/selinux-policy-34.10-1.fc34.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/34.10/1.fc34/noarch/selinux-policy-targeted-34.10-1.fc34.noarch.rpm
5. Reboot

Actual results:
systemd was denied associating with /dev/dma_heap while booting with selinux-policy-34.10-1.fc34

Expected results:
No denials would happen.

Additional info:

The denial message has the source labelled as dma_device_dir_t. The selinux-policy-34.10-1.fc34 changelog at https://koji.fedoraproject.org/koji/buildinfo?buildID=1763228 noted the change
- Label /dev/dma_heap with dma_device_dir_t
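
The AVC record quoted in the description can be read field by field. The following is an added example, not part of the original report or of the selinux-policy project: it parses that record and shows that for `associate` on class `filesystem` the scontext is the label of the object, not the domain of the process named in `comm`. The function names `parse_avc` and `explain` are hypothetical.

```python
import re

# AVC record copied from the report above (the only sample input).
RECORD = ('Jun 07 13:18:13 audit[1]: AVC avc:  denied  { associate } for  pid=1 '
          'comm="systemd" name="dma_heap" dev="devtmpfs" ino=137 '
          'scontext=system_u:object_r:dma_device_dir_t:s0 '
          'tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type field drives the decision.
    for key in ('scontext', 'tcontext'):
        if key in rec:
            rec[key[0] + 'type'] = rec[key].split(':')[2]  # stype / ttype
    return rec


def explain(rec):
    """Describe the decision, handling the filesystem/associate special case."""
    verb = 'may not' if rec['result'] == 'denied' else 'may'
    if rec.get('tclass') == 'filesystem' and 'associate' in rec['perms']:
        # Here scontext is the label being applied to an object and tcontext is
        # the label of the filesystem holding it; comm/pid only name the requester.
        return (f"{rec['result']}: object {rec.get('name')!r} labelled "
                f"{rec['stype']} {verb} associate with a filesystem labelled "
                f"{rec['ttype']} (requested by comm={rec.get('comm')})")
    perms = ' '.join(rec['perms'])
    return (f"{rec['result']}: domain {rec['stype']} {{ {perms} }} on "
            f"{rec['ttype']}:{rec.get('tclass')}")


if __name__ == '__main__':
    print(explain(parse_avc(RECORD)))
```
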

Comment 1 Zdenek Pytela 2021-06-07 19:30:22 UTC
Matt,

Thank you for the early report, should be fixed soon.
https://github.com/fedora-selinux/selinux-policy/pull/774

Comment 2 Fedora Update System 2021-06-09 16:19:07 UTC
FEDORA-2021-d8e34dbd6e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d8e34dbd6e

Comment 3 Fedora Update System 2021-06-10 01:20:25 UTC
FEDORA-2021-d8e34dbd6e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d8e34dbd6e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d8e34dbd6e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2021-06-11 01:15:25 UTC
FEDORA-2021-d8e34dbd6e has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.