1266635 – selinux preventing systemd-logind from reading efi variables

Bug 1266635 - selinux preventing systemd-logind from reading efi variables

Summary: selinux preventing systemd-logind from reading efi variables

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-09-25 23:37 UTC by Kevin Fenzi
Modified:	2015-10-12 12:26 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-10-12 12:26:08 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Kevin Fenzi 2015-09-25 23:37:37 UTC

On boot I am seeing: 

Sep 25 17:26:38 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:38 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:38 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:39 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:39 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:39 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:42 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:42 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:42 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:44 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:44 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:44 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:44 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:44 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:44 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:58 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:58 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:58 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:58 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:58 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:58 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:59 voldemort.scrye.com audit[1221]: AVC avc:  denied  { read } for  pid=1221 comm="systemd-logind" name="OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:59 voldemort.scrye.com audit[1221]: AVC avc:  denied  { open } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
Sep 25 17:26:59 voldemort.scrye.com audit[1221]: AVC avc:  denied  { getattr } for  pid=1221 comm="systemd-logind" path="/sys/firmware/efi/efivars/OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=10917 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1

Comment 1 Miroslav Grepl 2015-10-12 12:26:08 UTC

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8209291..92de375 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -106,6 +106,9 @@ files_delete_tmpfs_files(systemd_logind_t)
 fs_mount_tmpfs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
+
+fs_read_efivarfs_files(systemd_logind_t)


Please update to the latest rawhide. Thank you.

Note You need to log in before you can comment on or make changes to this bug.