Bug 1993271

Summary: Missing type enforcement allow rule for new fwupd version
Product: [Fedora] Fedora
Reporter: Richard Hughes <rhughes>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 35
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-34.21-1.fc35
Last Closed: 2021-09-29 00:19:41 UTC
Type: Bug

Description Richard Hughes 2021-08-12 16:33:00 UTC
Description of problem:

In fwupd 1.6.3 we connect to NetworkManager at startup to ensure that the USB network interface is up so we can talk to the server BMC controller (which is disabled by default in RHEL). This fails when SELinux is enabled and the daemon fails to start the redfish plugin, which means most of the updatable devices do not show up.

Version-Release number of selected component (if applicable): selinux-policy-34.14-1.fc34.noarch

How reproducible: Always on RHEL, only on Fedora if the USB interface is not set to "auto-connect"

Steps to Reproduce:
1. Update to fwupd 1.6.2 using dnf update
2. Disable autoconnect of the USB network device
3. Do "sudo service fwupd restart" on any machine with a BMC

Actual results:
I get an AVC and fwupd startup hangs for 30 seconds.

Expected results:
That fwupd is able to talk to NetworkManager

Additional info:

(This was generated on RHEL 8.4, but the AVC should be the same)

type=USER_AVC msg=audit(1628784233.943:253): pid=1377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.593 spid=1691 tpid=36436 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
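
As an added example (not part of the bug report or of the selinux-policy project), the following Python code parses the USER_AVC record quoted above and derives the type-enforcement rule the denial implies, much as audit2allow would. The function names are hypothetical, and the derived rule is only what the record implies; the change made in the linked PR is not shown on this page.

```python
import re

# USER_AVC record copied from the report; a USER_AVC is raised by a userspace
# object manager (here dbus-daemon), not by the kernel.
RECORD = (
    "type=USER_AVC msg=audit(1628784233.943:253): pid=1377 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.593 "
    "spid=1691 tpid=36436 scontext=system_u:system_r:NetworkManager_t:s0 "
    "tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type, the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(record):
    """Parse one AVC/USER_AVC line; return None if it holds no AVC decision."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(record[m.end():]))
    source = se_type(fields.get("scontext", ""))
    target = se_type(fields.get("tcontext", ""))
    if source is None or target is None or "tclass" not in fields:
        return None
    return {
        "denied": m.group(1) == "denied",
        "perms": m.group(2).split(),
        "source": source,
        "target": target,
        "tclass": fields["tclass"],
        "msgtype": fields.get("msgtype"),  # D-Bus message kind, if present
        "enforced": fields.get("permissive") == "0",
    }

def allow_rule(avc):
    """Render the type-enforcement rule the decision implies."""
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {perm};"
```

For the record in this report, `allow_rule(parse_avc(RECORD))` yields `allow NetworkManager_t fwupd_t:dbus send_msg;`, and the `msgtype` field shows that the denied message was the `method_return` reply from NetworkManager to fwupd.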

Comment 1 Zdenek Pytela 2021-09-22 10:48:31 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/888

Comment 2 Fedora Update System 2021-09-24 10:14:14 UTC
FEDORA-2021-d7a6ae95f1 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d7a6ae95f1

Comment 3 Fedora Update System 2021-09-24 21:44:35 UTC
FEDORA-2021-d7a6ae95f1 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d7a6ae95f1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d7a6ae95f1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2021-09-29 00:19:41 UTC
FEDORA-2021-d7a6ae95f1 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.