Description of problem:
Created 2nd user (Admin) as test and logged out, logged in to it. Added images to both users' icons.
SELinux is preventing systemd-logind from 'read' accesses on the file OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-logind should be allowed read access on the OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-136.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-0.rc2.git2.1.fc23.x86_64 #1 SMP Fri Jul 17 20:03:47 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-07-20 15:23:00 PDT
Last Seen                     2015-07-20 15:49:52 PDT
Local ID                      b9063a65-ea00-4782-abbf-ebac5d3ab0e1

Raw Audit Messages
type=AVC msg=audit(1437432592.418:596): avc: denied { read } for pid=863 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=1270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Hash: systemd-logind,systemd_logind_t,efivarfs_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-136.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-0.rc2.git2.1.fc23.x86_64
type:           libreport
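Added example (not part of the original report and not code from selinux-policy or audit2allow): a small Python parser that reads the raw AVC record quoted in the report above and derives the type-enforcement allow rule the denial corresponds to, merging permissions per source type, target type and object class. The function names are hypothetical, and the second sample line is constructed to show that non-AVC audit records are skipped.

```python
import re
from collections import defaultdict

# First line: the AVC record from the report above.
# Second line: a constructed non-AVC record, which must be ignored.
SAMPLE_LOG = '''type=AVC msg=audit(1437432592.418:596): avc: denied { read } for pid=863 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=1270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1437432592.418:596): success=no exit=-13 comm="systemd-logind"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }

def denials_to_rules(log_text):
    """Group denials by (source, target, class); emit one allow rule each."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            key = (avc['source'], avc['target'], avc['tclass'])
            grouped[key].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    print('\n'.join(denials_to_rules(SAMPLE_LOG)))
```

Reading the derived rule before loading any generated module shows exactly which domain gains which access: here, only read on files of type efivarfs_t for systemd_logind_t.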
*** Bug 1249291 has been marked as a duplicate of this bug. ***
Description of problem: boot cinnamon install (f23) Version-Release number of selected component: selinux-policy-3.13.1-138.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.0-0.rc4.git1.1.fc23.x86_64 type: libreport
Description of problem: on boot, after relabel Version-Release number of selected component: selinux-policy-3.13.1-146.fc24.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.0-1.fc24.x86_64 type: libreport
Description of problem: 1. dnf upgrade -y in single boot mode, panic otherwise. 2. Reboot 3. Login and first configuration Version-Release number of selected component: selinux-policy-3.13.1-146.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.0-1.fc23.x86_64 type: libreport
*** Bug 1260277 has been marked as a duplicate of this bug. ***
*** Bug 1260276 has been marked as a duplicate of this bug. ***
Description of problem: This prevents me from logging into my system. Please note that I freshly updated the system from F22 to Rawhide. I did also .autorelabel, so this puzzles me what else I am supposed to do to be able to run in enforcing again. Version-Release number of selected component: selinux-policy-3.13.1-148.fc24.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.1-300.fc23.x86_64 type: libreport
I should also note that this is UEFI system.
I have this too on a fresh install of F23 Beta on a Thinkpad 530. I can login without any problems. I understand these are not regular files but variables exported by UEFI. According to this article https://firmware.intel.com/blog/using-os-indications-uefi, OsIndicationsSupported tells the OS about the firmware's updating capabilities. I suspect systemd's attempt to read this variable relates to its new firmware updating feature though I wouldn't know why logind is the requesting service. In any case, I used the SE Troubleshooter to create a policy file to allow access.
Description of problem: happened upon system upgrade (using dnf system-upgrade) to f23 Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.1-300.fc23.x86_64 type: libreport
Any news on fixing this? I would say this should be a blocker for Fedora 23 release.
Description of problem: Error appeared a few reboots after running dnf update -y Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.1-300.fc23.x86_64 type: libreport
*** Bug 1266839 has been marked as a duplicate of this bug. ***
Description of problem: Simply logging on to the system. Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.1-300.fc23.x86_64 type: libreport
I wasn't able to reproduce the issue, so the resolution is based only on AVC's from this bug and its duplicates (+ #1267207).
In case the issue persists, please include any new AVC messages in your report (# ausearch -m avc -ts recent ), use permissive mode for collecting AVC's.

commit fe82e5f643c5e396bd79f291f3e9892c8bddca52
Merge: 150f923 ad2ebda
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 1 11:43:50 2015 +0200

    Merge pull request #43 from vmojzis/rawhide-base

    Allow systemd-logind read access to efivarfs

commit ad2ebdab4061abde7ee3f8b35a2640ca604bb534
Author: root <root.redhat.com>
Date:   Thu Oct 1 11:35:28 2015 +0200

    Allow systemd-logind read access to efivarfs
    - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables).
    #1244973, #1267207 (partial solution)

commit 150f923a916fb36e447bf3f215f5fbd3d49f70f3
Merge: 7d4259d 863896a
Author: Lukas Vrabec <wrabcak.github.com>
Date:   Thu Oct 1 11:10:04 2015 +0200

    Merge pull request #42 from vmojzis/rawhide-base

    Add interface to allow reading files in efivarfs

commit 863896af8dc1af93753c2a1931f14096317e81f9
Author: Vit Mojzis <vmojzis>
Date:   Thu Oct 1 10:20:01 2015 +0200

    Add interface to allow reading files in efivarfs
    - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
(In reply to Vit Mojzis from comment #16)
> I wasn't able to reproduce the issue, so the resolution is based only on
> AVC's from this bug and its duplicates (+ #1267207).
> In case the issue persists, please include any new AVC messages in your
> report (# ausearch -m avc -ts recent ), use permissive mode for collecting
> AVC's.

Hello Vit, I don't remember anymore where I tested F23 and encountered this bug. One place was my laptop (toshiba l50-a-12w), another was a VM inside vmware workstation 12 on Windows 7. If you still have not, you may try to reproduce it with vmware.
Description of problem: It reports this problem when I just logged in Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.2-300.fc23.x86_64 type: libreport
Description of problem: upgrade to fedora 23, reboot Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.1-300.fc23.x86_64 type: libreport
Description of problem: I logged in a default Gnome session, then logged out and logged in a Gnome Wayland session. Played around a bit, then logged out to go back to the default Gnome session. But to accomplish this last step I had to make several login attempts (kind of 4) and I'm sure the password was right (I didn't receive any prompt about a wrong password indeed). I was stuck in an ever-reloading GDM Login screen. Eventually it worked and I've found the SELinux notification. Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.2-300.fc23.x86_64 type: libreport
I have the same issue that Michele reported in Comment #20: https://bugzilla.redhat.com/show_bug.cgi?id=1267052
Sorry, wrong package version. Please wait for selinux-policy-3.13.1-150.fc23 which should be available in a few days via: dnf update selinux-policy --enablerepo=updates-testing
Description of problem: This avc denial occurred when I was switching between two users in cinnamon. When I was logged as user1 I switched to the user2 and then back to user1 again. That is when this denial popped up. Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.2-300.fc23.x86_64 type: libreport
Description of problem: popup just after booting up and logging. Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.2-300.fc23.x86_64 type: libreport