Bug 1244973 - SELinux is preventing systemd-logind from 'read' accesses on the file OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:2d795f939ae8dc876af1ea9515c...
Duplicates: 1249291 1260276 1260277 1266839
Reported: 2015-07-20 22:53 UTC by satellitgo
Modified: 2015-10-28 20:39 UTC

Fixed In Version: selinux-policy-3.13.1-150.fc23
Last Closed: 2015-10-16 12:13:36 UTC

Description satellitgo 2015-07-20 22:53:38 UTC
Description of problem:
Created 2nd user (Admin) as test, logged out and logged in to it. Added images to both users' icons.
SELinux is preventing systemd-logind from 'read' accesses on the file OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed read access on the OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-
                              00e098032b8c [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-136.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-0.rc2.git2.1.fc23.x86_64 #1
                              SMP Fri Jul 17 20:03:47 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-07-20 15:23:00 PDT
Last Seen                     2015-07-20 15:49:52 PDT
Local ID                      b9063a65-ea00-4782-abbf-ebac5d3ab0e1

Raw Audit Messages
type=AVC msg=audit(1437432592.418:596): avc:  denied  { read } for  pid=863 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=1270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0


Hash: systemd-logind,systemd_logind_t,efivarfs_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-136.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-0.rc2.git2.1.fc23.x86_64
type:           libreport
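
The raw AVC record in the report above carries everything needed to triage the denial. As an added example (not part of the original report, and not setroubleshoot's or audit2allow's own code), this parses AVC records, groups repeats into one key in the same comma-separated form as the report's "Hash:" line, and prints the type-enforcement rule a local module for that key would contain. The second sample record is constructed, and all function names are hypothetical.

```python
import re
from collections import Counter

# Record 1 is the raw AVC message quoted in this report; record 2 is a
# constructed repeat (different timestamp, serial and pid) to show grouping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437432592.418:596): avc:  denied  { read } for  pid=863 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=1270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1437434192.101:731): avc:  denied  { read } for  pid=901 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=1270 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "comm": fields.get("comm", "?"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": tuple(sorted(m.group("perms").split())),
    }

def summarize(log_text):
    """Group denials by (comm, source, target, class, perms) and count them."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            counts[(d["comm"], d["source"], d["target"], d["tclass"], d["perms"])] += 1
    return counts

def hash_key(key):
    return ",".join([*key[:4], *key[4]])

def allow_rule(key):
    _, src, tgt, tclass, perms = key
    return f"allow {src} {tgt}:{tclass} {{ {' '.join(perms)} }};"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(n, hash_key(key), "->", allow_rule(key))
```

The generated rule is keyed on types, not on the file name: it grants `systemd_logind_t` read access to every file labelled `efivarfs_t`, not only `OsIndicationsSupported`, which is worth weighing before loading a local module.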

Comment 1 Lukas Vrabec 2015-08-03 10:42:40 UTC
*** Bug 1249291 has been marked as a duplicate of this bug. ***

Comment 2 satellitgo 2015-08-06 22:56:05 UTC
Description of problem:
boot cinnamon install (f23)

Version-Release number of selected component:
selinux-policy-3.13.1-138.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-0.rc4.git1.1.fc23.x86_64
type:           libreport

Comment 3 Nicolas Mailhot 2015-09-02 07:09:05 UTC
Description of problem:
on boot, after relabel

Version-Release number of selected component:
selinux-policy-3.13.1-146.fc24.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-1.fc24.x86_64
type:           libreport

Comment 4 fulminemizzega 2015-09-05 13:36:38 UTC
Description of problem:
1. dnf upgrade -y in single boot mode, panic otherwise.
2. Reboot
3. Login and first configuration

Version-Release number of selected component:
selinux-policy-3.13.1-146.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-1.fc23.x86_64
type:           libreport

Comment 5 Miroslav Grepl 2015-09-11 12:20:43 UTC
*** Bug 1260277 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2015-09-11 12:20:49 UTC
*** Bug 1260276 has been marked as a duplicate of this bug. ***

Comment 8 Vít Ondruch 2015-09-24 20:38:42 UTC
Description of problem:
This prevents me from logging into my system. Please note that I freshly updated the system from F22 to Rawhide. I did also .autorelabel, so this puzzles me what else I am supposed to do to be able to run in enforcing again.

Version-Release number of selected component:
selinux-policy-3.13.1-148.fc24.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.1-300.fc23.x86_64
type:           libreport

Comment 9 Vít Ondruch 2015-09-24 20:39:49 UTC
I should also note that this is UEFI system.

Comment 10 Andrew Malcolmson 2015-09-26 13:25:13 UTC
I have this too on a fresh install of F23 Beta on a Thinkpad 530. I can login without any problems.

I understand these are not regular files but variables exported by UEFI.  According to this article https://firmware.intel.com/blog/using-os-indications-uefi, OsIndicationsSupported tells the OS about the firmware's updating capabilities.

I suspect systemd's attempt to read this variable relates to its new firmware updating feature though I wouldn't know why logind is the requesting service.

In any case, I used the SE Troubleshooter to create a policy file to allow access.

Comment 11 liam 2015-09-26 22:24:36 UTC
Description of problem:
happened upon system upgrade (using dnf system-upgrade) to f23

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.1-300.fc23.x86_64
type:           libreport

Comment 12 Alexander Bokovoy 2015-09-27 07:36:47 UTC
Any news on fixing this? I would say this should be a blocker for Fedora 23 release.

Comment 13 Eric Pizzani 2015-09-29 05:33:46 UTC
Description of problem:
Error appeared a few reboots after running dnf update -y

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.1-300.fc23.x86_64
type:           libreport

Comment 14 Lukas Vrabec 2015-09-29 20:09:50 UTC
*** Bug 1266839 has been marked as a duplicate of this bug. ***

Comment 15 Disco Ghost 2015-09-30 17:25:53 UTC
Description of problem:
Simply logging on to the system.

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.1-300.fc23.x86_64
type:           libreport

Comment 16 Vit Mojzis 2015-10-01 10:14:06 UTC
I wasn't able to reproduce the issue, so the resolution is based only on AVC's from this bug and its duplicates (+ #1267207).
In case the issue persists, please include any new AVC messages in your report (# ausearch -m avc -ts recent ), use permissive mode for collecting AVC's.


commit fe82e5f643c5e396bd79f291f3e9892c8bddca52
Merge: 150f923 ad2ebda
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 1 11:43:50 2015 +0200

    Merge pull request #43 from vmojzis/rawhide-base
    
    Allow systemd-logind read access to efivarfs

commit ad2ebdab4061abde7ee3f8b35a2640ca604bb534
Author: root <root.redhat.com>
Date:   Thu Oct 1 11:35:28 2015 +0200

    Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)

commit 150f923a916fb36e447bf3f215f5fbd3d49f70f3
Merge: 7d4259d 863896a
Author: Lukas Vrabec <wrabcak.github.com>
Date:   Thu Oct 1 11:10:04 2015 +0200

    Merge pull request #42 from vmojzis/rawhide-base
    
    Add interface to allow reading files in efivarfs

commit 863896af8dc1af93753c2a1931f14096317e81f9
Author: Vit Mojzis <vmojzis>
Date:   Thu Oct 1 10:20:01 2015 +0200

    Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)

Comment 17 fulminemizzega 2015-10-01 12:08:15 UTC
(In reply to Vit  Mojzis from comment #16)
> I wasn't able to reproduce the issue, so the resolution is based only on
> AVC's from this bug and its duplicates (+ #1267207).
> In case the issue persists, please include any new AVC messages in your
> report (# ausearch -m avc -ts recent ), use permissive mode for collecting
> AVC's.

Hello Vit, I don't remember anymore where I tested F23 and encountered this bug. One place was my laptop (toshiba l50-a-12w), another was a VM inside vmware workstation 12 on Windows 7. If you still have not, you may try to reproduce it with vmware.

Comment 18 Zhenbo Li 2015-10-03 05:56:58 UTC
Description of problem:
It reports this problem when I just logged in

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.2-300.fc23.x86_64
type:           libreport

Comment 19 Adam Goode 2015-10-04 04:34:58 UTC
Description of problem:
upgrade to fedora 23, reboot

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.1-300.fc23.x86_64
type:           libreport

Comment 20 Michele 2015-10-05 01:45:53 UTC
Description of problem:
I logged in a default Gnome session, then logged out and logged in a Gnome Wayland session. Played around a bit, then logged out to go back to the default Gnome session.
But to accomplish this last step I had to make several login attempts (kind of 4) and I'm sure the password was right (I didn't receive any prompt about a wrong password indeed). I was stuck in an ever-reloading GDM Login screen. Eventually it worked and I've found the SELinux notification.

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.2-300.fc23.x86_64
type:           libreport

Comment 21 Martín Cigorraga 2015-10-05 01:49:48 UTC
I have the same issue that Michele reported in Comment #20: https://bugzilla.redhat.com/show_bug.cgi?id=1267052

Comment 22 Vit Mojzis 2015-10-08 12:26:00 UTC
Sorry, wrong package version. Please wait for selinux-policy-3.13.1-150.fc23 which should be available in a few days via:

dnf update selinux-policy --enablerepo=updates-testing

Comment 23 Petr Schindler 2015-10-08 13:17:34 UTC
Description of problem:
This avc denial occurred when I was switching between two users in cinnamon

When I was logged as user1 I switched to the user2 and then back to user1 again. That is when this denial popped up.

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.2-300.fc23.x86_64
type:           libreport

Comment 24 Ciaran Doherty 2015-10-10 09:43:09 UTC
Description of problem:
popup just after booting up and logging.

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.2-300.fc23.x86_64
type:           libreport

