Bug 1414539 - gnome-disks: SD card break the utility
Summary: gnome-disks: SD card break the utility
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-18 19:11 UTC by Michal Schorm
Modified: 2025-04-23 01:59 UTC

Fixed In Version: selinux-policy-40.30-1.fc40
Clone Of:
Environment:
Last Closed: 2025-04-23 01:59:58 UTC
Type: Bug
Embargoed:


Attachments
screen of app window after the error (20.05 KB, image/png)
2017-01-18 19:11 UTC, Michal Schorm


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 2617 0 None open Fix the storage_rw_inherited_removable_device() interface 2025-04-02 12:06:00 UTC

Description Michal Schorm 2017-01-18 19:11:28 UTC
Created attachment 1242270
screen of app window after the error

Usage:

# gnome-disks
 (opens GUI of the application)
> select devices > SD card
 (click in the left column)
> restore from disk image OR create image 
 (right top corner, applies for whole device instead of partition)
> choose image, run recovery, ok, provide root password


Error:
Error while .... (selected operation)
Message recipient disconnected from message bus without replying (g-dbus-error-quark, 4)

Then the window goes grey (see attachment).
The only resolution is to restart the utility.

Reproducible: always

Comment 1 George Nikandrov 2017-04-23 04:36:39 UTC
Same here, although I discovered it in attempt to benchmark my SD card.

Comment 2 ojab 2017-05-09 13:31:58 UTC
Same here, but with eMMC.

Comment 3 Fedora End Of Life 2017-11-16 18:52:09 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 4 ojab 2017-11-16 19:05:48 UTC
Still happens on Fedora 27 here.

Comment 5 ojab 2017-11-16 19:07:44 UTC
Oops, actually it works!
But segfaults if run on disk ChromeOS partitions, but that's another story.

Comment 6 Michal Schorm 2017-11-19 14:21:47 UTC
It is still an issue.
A week ago, I tried it again on F27. Exactly the same result.

I gave up on 'gnome-disks' with SD cards. Using pure 'dd' for such purposes now.

Comment 7 Jan Schmidt 2017-12-08 05:11:13 UTC
I'm encountering this problem still on F27 too. When asked to do some tasks (like Benchmarking), udisksd exits with SIGTERM. I can't see what's wrong, but it works if I do setenforce 0, so it's something related to selinux policies.

Comment 8 Martin Korbel 2017-12-16 18:07:48 UTC
I can confirm this problem on F27 as well. No AVC in audit.log, but disabling of selinux helps as Jan said.

Comment 9 Garrett LeSage 2018-03-29 13:07:57 UTC
This is still an issue in Fedora 28 (pre-)beta.

Also confirmed: Running 'sudo setenforce 0' and restarting gnome-disks is a workaround to make "restoring" an image to an SD card work. (This is necessary when imaging a disk image to an SD or microSD card for ARM devices.)

As setting SELinux to permissive is a workaround, it appears to be an SELinux policy problem.

Comment 10 Michal Schorm 2018-03-29 14:16:09 UTC
Maintainers, can we get some quick response, please?
It has been a year ...

Comment 11 Tomas Popela 2018-03-29 18:57:50 UTC
I really don't know what info I should provide as I'm not gnome-disk's maintainer.

Comment 12 seb 2018-06-27 17:15:53 UTC
Same problem here with Fedora 28.

Setting SELinux to permissive stops the problem.

Comment 13 Ben Cotton 2018-11-27 14:14:03 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30 Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 14 Ben Cotton 2018-11-30 23:01:14 UTC
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 15 Joost van der Sluis 2019-09-08 20:39:55 UTC
Still happens on version 29

Comment 16 Arnis Jaundzeikars 2019-10-13 16:31:06 UTC
Still happens on Fedora 30.

Comment 17 Ben Cotton 2019-10-31 18:46:20 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 Ben Cotton 2020-04-30 20:47:40 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 19 maic 2020-05-01 18:15:02 UTC
Still happens on fedora 32

$ sudo setenforce permissive

is a workaround

Comment 20 Ben Cotton 2020-05-26 14:37:45 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 21 maic 2020-06-07 00:55:18 UTC
This bug still exists (see my last comment)

Comment 22 Ben Cotton 2020-06-15 14:59:56 UTC
Reopening and updating the version field per comment #19

Comment 23 leif.middelschulte 2020-09-15 14:57:57 UTC
To make the devices accessible again, after running into the error described above, execute:

# systemctl restart udisks2


The following command is a workaround for people who do not want to disable SELinux altogether, yet want to use `gnome-disks` on MMC block devices (i.e. `/dev/mmcblk0`):
1. Insert MMC into drive.
2. Execute:
# chcon -t fixed_disk_device_t /dev/mmcblk0
3. Open gnome-disks to write an image to /dev/mmcblk0

AFAICT a proper fix should go into SELinux policies.

Comment 24 Tommy 2021-04-25 17:09:28 UTC
This is still an issue on Fedora 34

Comment 25 Neal Gompa 2021-04-26 14:53:12 UTC
This seems like an SELinux policy issue, changing component and updating to track for F34, since it's still an issue.

Comment 26 Zdenek Pytela 2021-04-26 16:27:37 UTC
Neal,

Will you be able to gather all denials with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 27 Chris Stanley 2021-09-08 19:03:10 UTC
@Zdenek,

I've been encountering the same scenario today on F34

Here's what I gathered:

[root@Cordelia chris]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@Cordelia chris]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(09/08/2021 12:51:50.325:231) : avc:  denied  { read } for  pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 
----
type=AVC msg=audit(09/08/2021 12:51:50.325:232) : avc:  denied  { read } for  pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

Comment 28 Ben Cotton 2022-05-12 16:49:03 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 29 Ben Cotton 2022-06-08 06:19:59 UTC
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07.

Fedora Linux 34 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 30 Nikolaos Perrakis 2022-12-11 14:33:42 UTC
Have faced this issue in Fedora 36 Silverblue recently.
Hot Fix mentioned at
https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23
worked

Comment 31 Dalton Miner 2023-01-31 21:46:27 UTC
I can still reproduce this on Fedora 37 Workstation. Applying the fixed_disk_device_t label as suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 does temporarily fix this for me. I can provide additional details as requested.

Comment 32 Zdenek Pytela 2023-05-02 15:15:56 UTC
Dalton,

Can you provide some more data?

rpm -qa selinux-policy
matchpathcon /dev/mmcblk*
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

The key permissions were added in selinux-policy-37.9-1

Comment 33 Dalton Miner 2023-05-02 23:41:13 UTC
Sure Zdenek, here's what I have:

dminer $ rpm -qa selinux-policy
selinux-policy-37.19-1.fc37.noarch
~ 
dminer $ matchpathcon /dev/mmcblk*
/dev/mmcblk0	system_u:object_r:removable_device_t:s0
~ 
dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

I can confirm that I can still reproduce the bug described in the ticket as of today. I'm also using the auditd settings that you suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.

Comment 34 Zdenek Pytela 2023-05-04 14:53:07 UTC
(In reply to Dalton Miner from comment #33)
> dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts
> today
> <no matches>
> 
> I can confirm that I can still reproduce the bug described in the ticket as
> of today. I'm also using the auditd settings that you suggested in
> https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.

These two seem to be contradictory to me, please show the AVC denials using current selinux-policy.
I cannot see any problem with your settings.

Comment 35 starsareblueandfaraway 2023-05-26 23:32:51 UTC
This bug still exists in fc38.

$ rpm -qa selinux-policy
selinux-policy-38.12-1.fc38.noarch

$ matchpathcon /dev/mmcblk*
/dev/mmcblk0	system_u:object_r:removable_device_t:s0

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

Workaround was to use `setenforce 0`.

Comment 36 Zdenek Pytela 2023-05-29 10:15:23 UTC
Do I read it correctly that there are no AVC denials audited, nor are they in the journal, but setenforce 0 makes the scenario work?

In that case, can you temporarily enable dontaudit rules?

semodule -DB
<reproduce>
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
semodule -B

Comment 37 Kabir 2023-08-19 11:01:29 UTC
Can reproduce in Fedora Silverblue 38. Steps are slightly different due to the change in UI (now: open gnome disks, select the SD card from the sidebar, and then "Create disk image" from the menu). Can also reproduce when trying to write to the disk with the Fedora Media Writer.

My system:
[kabisala@fedora ~]$ matchpathcon /dev/mmcblk0
/dev/mmcblk0	system_u:object_r:removable_device_t:s0


[kabisala@fedora ~]$ rpm -qa selinux-policy
selinux-policy-38.22-1.fc38.noarch

[kabisala@fedora ~]$ semodule -DB
[kabisala@fedora ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(08/19/2023 11:47:53.140:964) : avc:  denied  { noatsecure } for  pid=99562 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.141:965) : avc:  denied  { rlimitinh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.141:966) : avc:  denied  { siginh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.166:967) : avc:  denied  { noatsecure } for  pid=99571 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.167:968) : avc:  denied  { rlimitinh } for  pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.167:969) : avc:  denied  { siginh } for  pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.387:970) : avc:  denied  { noatsecure } for  pid=99580 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.387:971) : avc:  denied  { rlimitinh } for  pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.387:972) : avc:  denied  { siginh } for  pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.415:973) : avc:  denied  { noatsecure } for  pid=99583 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.415:974) : avc:  denied  { rlimitinh } for  pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:53.415:975) : avc:  denied  { siginh } for  pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc:  denied  { read } for  pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.452:979) : avc:  denied  { noatsecure } for  pid=99595 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.453:980) : avc:  denied  { rlimitinh } for  pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.453:981) : avc:  denied  { siginh } for  pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.499:983) : avc:  denied  { noatsecure } for  pid=99598 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.499:984) : avc:  denied  { rlimitinh } for  pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.499:985) : avc:  denied  { siginh } for  pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.538:986) : avc:  denied  { noatsecure } for  pid=99601 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.538:987) : avc:  denied  { rlimitinh } for  pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.538:988) : avc:  denied  { siginh } for  pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.562:989) : avc:  denied  { noatsecure } for  pid=99604 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.562:990) : avc:  denied  { rlimitinh } for  pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.562:991) : avc:  denied  { siginh } for  pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.583:992) : avc:  denied  { noatsecure } for  pid=99607 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.583:993) : avc:  denied  { rlimitinh } for  pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.583:994) : avc:  denied  { siginh } for  pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.620:995) : avc:  denied  { noatsecure } for  pid=99610 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.620:996) : avc:  denied  { rlimitinh } for  pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.620:997) : avc:  denied  { siginh } for  pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.644:998) : avc:  denied  { noatsecure } for  pid=99613 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.645:999) : avc:  denied  { rlimitinh } for  pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:55.645:1000) : avc:  denied  { siginh } for  pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:58.386:1001) : avc:  denied  { noatsecure } for  pid=99621 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1002) : avc:  denied  { rlimitinh } for  pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1003) : avc:  denied  { siginh } for  pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0 


Can also confirm that `chcon -t fixed_disk_device_t /dev/mmcblk0` solves the issue without the need of disabling selinux
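
Added example (not part of the thread and not Fedora tooling): a small Python triage of `ausearch -i` output that counts denials per source type, target type, class and permission, and isolates the ones aimed at device nodes, so the single `/dev/mmcblk0` record is not lost among the policykit entries that appear once dontaudit rules are disabled. The sample input is built from a few records in the format shown above and serves as constructed test data; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the `ausearch -i` format quoted above: repeated
# policykit process denials surrounding one block-device denial.
SAMPLE = """\
----
type=AVC msg=audit(08/19/2023 11:47:53.140:964) : avc:  denied  { noatsecure } for  pid=99562 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:965) : avc:  denied  { rlimitinh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:966) : avc:  denied  { siginh } for  pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc:  denied  { read } for  pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.452:979) : avc:  denied  { noatsecure } for  pid=99595 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.453:980) : avc:  denied  { rlimitinh } for  pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.453:981) : avc:  denied  { siginh } for  pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
"""

# "avc:  denied  { perm ... } for  key=value ..." inside an AVC/USER_AVC record
AVC_RE = re.compile(
    r"^type=(?:USER_)?AVC\b.*?avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$"
)
# key=value pairs; values may be double-quoted (dev="devtmpfs")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _setype(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Parse interpreted AVC records into dicts; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        result, perms, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # truncated record, nothing to classify
        records.append({
            "result": result,
            "perms": perms.split(),          # "{ read write }" -> two perms
            "comm": fields.get("comm", "?"),
            "path": fields.get("path"),
            "stype": _setype(fields["scontext"]),
            "ttype": _setype(fields["tcontext"]),
            "tclass": fields.get("tclass", "?"),
            "permissive": fields.get("permissive") == "1",
        })
    return records


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def device_denials(records, classes=("blk_file", "chr_file")):
    """Keep only denials whose target object is a device node."""
    return [r for r in records
            if r["result"] == "denied" and r["tclass"] in classes]


def describe(r):
    """One-line description of the access that was refused."""
    return (f"{r['comm']} ({r['stype']}) -> {r['path'] or '?'} "
            f"({r['ttype']}:{r['tclass']}) {{ {' '.join(r['perms'])} }}")


if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    for key, n in summarize(recs).most_common():
        print(n, *key)
    for r in device_denials(recs):
        print("device:", describe(r))
```

To use it on a live system, pass the text produced by the `ausearch -i -m avc,...` command from the thread to `parse_avc()` instead of `SAMPLE`.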

Comment 38 Kabir 2023-08-19 18:32:23 UTC
I'm not an expert (or a beginner really) on selinux policies at all, so I might be completely off. Documenting what I found so far, will see if I manage to find some time to investigate further.

I believe the policy that is supposed to give the read/write permission is configured here (https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.te#L118C1-L118C38).  

The interface (?) itself, in contrast with its name, consists of a single dontaudit rule https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.if#L866 instead of allow rules (compare it with storage_rw_inherited_fixed_disk_dev).

Comment 39 Zdenek Pytela 2023-08-23 09:11:57 UTC
(In reply to Kabir from comment #38)
> I'm not an expert (or a beginner really) on selinux policies at all, so I
> might be completely off. Documenting what I found so far, will see if I
> manage to find some time to investigate further.
> 
> I believe the policy that is supposed to give the read/write permission is
> configured here
> (https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.te#L118C1-L118C38).
> 
> The interface (?) itself, in contrast with its name, consists of a single
> dontaudit rule
> https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.if#L866
> instead of allow rules (compare it with
> storage_rw_inherited_fixed_disk_dev).

Thank you for the interesting findings, indeed the interface name does not match the content.

Comment 40 Aoife Moloney 2023-11-23 00:01:26 UTC
This message is a reminder that Fedora Linux 37 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 37 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 41 Aoife Moloney 2023-12-05 20:58:14 UTC
Fedora Linux 37 entered end-of-life (EOL) status on None.

Fedora Linux 37 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 42 Allan 2024-04-23 12:14:54 UTC
Hello,

This issue exists in Fedora 39. Is it possible to reopen this issue, or do I have to open a new ticket about it?
The steps in the workaround https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 (change selinux context for device mmcblk0 to "fixed_disk_device_t") are currently valid.

Thanks.

Comment 43 Allan 2024-07-16 21:56:34 UTC
Hi,

This issue is currently active in Fedora 40, but there's no SELinux denial associated with the attempts to write by the software that uses the udisks2 service.
I tested with gnome-disks and a fresh build from source of the rpi-imager, and the results are the same: error - cannot open storage device.

$ matchpathcon /dev/mmcblk* 
/dev/mmcblk0    system_u:object_r:removable_device_t:s0

Changing the device label to `fixed_disk_device_t` is still a workaround.

But even with full audit enabled, there's no related SELinux denial. Maybe this should be addressed as a udisks bug?

Logs from my journalctl:
[using gnome-disks]
...
Jul 16 18:14:57 t460 polkitd[1332]: Operator of unix-session:2 successfully authenticated as unix-user:allan to gain TEMPORARY authorization for action org.freedesktop.udisks2.open-device for system-bus-name::1.104 [/usr/bin/gnome-disks --gapplication-service] (owned by unix-user:allan)
Jul 16 18:14:57 t460 gnome-disks[3397]: Error wiping device on error path: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name is not activatable (g-dbus-error-quark, 2)
Jul 16 18:14:57 t460 gnome-disks[3397]: Error rescanning device: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name is not activatable (g-dbus-error-quark, 2)
Jul 16 18:14:57 t460 systemd[1]: udisks2.service: Deactivated successfully.
Jul 16 18:14:57 t460 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=udisks2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 16 18:14:57 t460 kernel:  mmcblk0: p1
Jul 16 18:14:57 t460 systemd-homed[1340]: block device /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/rtsx_pci_sdmmc.0/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0/mmcblk0p1 has been removed.
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

[using rpi-imager]
...
Jul 16 18:36:21 t460 polkitd[1332]: Operator of unix-session:2 successfully authenticated as unix-user:allan to gain TEMPORARY authorization for action org.freedesktop.udisks2.open-device for system-bus-name::1.167 [./rpi-imager] (owned by unix-user:allan)
Jul 16 18:36:21 t460 systemd[1]: udisks2.service: Deactivated successfully.
Jul 16 18:36:21 t460 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=udisks2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 16 18:36:21 t460 kernel:  mmcblk0: p1
Jul 16 18:36:21 t460 systemd-homed[1340]: block device /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/rtsx_pci_sdmmc.0/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0/mmcblk0p1 has been removed.

Comment 44 Aoife Moloney 2024-11-08 10:39:20 UTC
This message is a reminder that Fedora Linux 39 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 39 on 2024-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '39'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 39 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 45 Allan 2024-11-08 13:20:40 UTC
As said in comment 43, this issue is currently active in Fedora 40.

Please, can some maintainer change the "version" from 39 to 40? Thanks

Comment 46 Javier Jardón 2024-11-23 16:47:49 UTC
Same problem with Fedora Silverblue 41, workaround at https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 worked

Comment 47 Steve 2024-11-24 02:29:45 UTC
Reproduced with F41 Workstation Live on a Mac Mini with selinux updated to selinux-policy-41.26-1.fc41.noarch:

$ sudo ausearch -i -ts boot -m avc | fgrep -B3 -A1 mmc
----
type=PROCTITLE msg=audit(11/23/2024 20:46:26.617:1947) : proctitle=dbus-broker --log 4 --controller 9 --machine-id aad98a81379d44deae68fa5c264413cd --max-bytes 536870912 --max-fds 4096 --max-matc 
type=SYSCALL msg=audit(11/23/2024 20:46:26.617:1947) : arch=x86_64 syscall=recvmsg success=yes exit=60 a0=0x61 a1=0x7ffc955f4020 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x10 items=0 ppid=1380 pid=1381 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc:  denied  { read } for  pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0 
----

Procedure:

Disable dontaudit rules:

$ sudo semodule -DB

Enable full auditing:

$ sudo auditctl -w /etc/shadow -p w

$ sudo auditctl -l
-w /etc/shadow -p w

Verify selinux labels:

$ ls -lZ /dev/mmc*
brw-rw----. 1 root disk system_u:object_r:removable_device_t:s0 179, 0 Nov 23 19:44 /dev/mmcblk0
brw-rw----. 1 root disk system_u:object_r:removable_device_t:s0 179, 1 Nov 23 19:45 /dev/mmcblk0p1

Unmount, if the device is auto-mounted:

$ lsblk -mf /dev/mmcblk0
NAME          SIZE OWNER GROUP MODE       FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
mmcblk0     483.9M root  disk  brw-rw----                                        
└─mmcblk0p1 483.7M root  disk  brw-rw---- vfat   FAT16                           

Follow the procedure in Comment 0 except attempt to *create* a disk image of the SD card:

$ gnome-disks 

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.026: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.026: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

Tested with F41 Workstation Live on a Mac Mini with selinux updated:

$ rpm -q selinux-policy dbus-broker dbus-common gnome-disk-utility systemd
selinux-policy-41.26-1.fc41.noarch
dbus-broker-36-4.fc41.x86_64
dbus-common-1.14.10-4.fc41.noarch
gnome-disk-utility-46.1-1.fc41.x86_64
systemd-256.7-1.fc41.x86_64

$ uname -r
6.11.4-301.fc41.x86_64

$ cat /proc/cmdline
BOOT_IMAGE=/images/pxeboot/vmlinuz root=live:CDLABEL=Fedora-WS-Live-41-1-4 rd.live.image quiet rhgb

$ inxi --machine
Machine:
  Type: Laptop System: Apple product: Macmini7,1 v: 1.0
    serial: <superuser required>
  Mobo: Apple model: Mac-35C5E08120C7EEAF v: Macmini7,1
    serial: <superuser required> UEFI: Apple v: 483.0.0.0.0 date: 10/07/2023

Comment 48 Steve 2024-11-24 07:07:41 UTC
(In reply to Steve from comment #47)
> type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc:  denied  { read } for  pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0 

Here is why we don't see that AVC:

$ sesearch --dontaudit -s system_dbusd_t | fgrep removable
dontaudit system_dbusd_t removable_device_t:blk_file { read write };

$ rpm -q selinux-policy
selinux-policy-41.26-1.fc41.noarch

Comment 49 Steve 2024-11-24 17:45:38 UTC
Here is a possible workaround using audit2allow. Not tested beyond running these commands in an F41 Workstation VM:

$ echo 'type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc:  denied  { read } for  pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0' > avc-1.txt

$ audit2allow -i avc-1.txt -M my-dbusbroker
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dbusbroker.pp

NB: That semodule command should be modified to set a higher priority for the custom module:

$ sudo semodule -X 300 -i my-dbusbroker.pp # Not tested, but based on other selinux bug reports, such as Bug 2279276.

$ ll -n
total 12
-rw-r--r--. 1 1000 1000 281 Nov 24 17:12 avc-1.txt
-rw-r--r--. 1 1000 1000 975 Nov 24 17:33 my-dbusbroker.pp
-rw-r--r--. 1 1000 1000 270 Nov 24 17:33 my-dbusbroker.te

$ cat my-dbusbroker.te

module my-dbusbroker 1.0;

require {
	type system_dbusd_t;
	type removable_device_t;
	class blk_file read;
}

#============= system_dbusd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t removable_device_t:blk_file read;

Documentation:

$ whatis audit2allow semodule
audit2allow (1)      - generate SELinux policy allow/dontaudit rules from logs of denied operations
semodule (8)         - Manage SELinux policy modules.
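
Added example (not part of any comment in this report, and not code from the selinux-policy project): a small Python parser that takes the AVC record from comment 47, checks it against the `sesearch --dontaudit` output from comment 48 to show why the denial was silenced, and derives the allow rule seen in `my-dbusbroker.te` in comment 49. The function names and the rule-matching regex are assumptions of this sketch; it compares literal type names only.

```python
import re
import shlex

# Inputs copied from the records quoted in comments 47 and 48 of this report.
AVC_LINE = (
    'type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc:  denied  { read } for  '
    'pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0'
)
SESEARCH_OUTPUT = ['dontaudit system_dbusd_t removable_device_t:blk_file { read write };']

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
RULE_RE = re.compile(r'(?P<kind>allow|dontaudit)\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):'
                     r'(?P<cls>\S+)\s+(?:\{(?P<set>[^}]*)\}|(?P<one>\w+))\s*;')

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # shlex handles quoted values such as dev="devtmpfs" or a path containing spaces.
    fields = dict(tok.split('=', 1) for tok in shlex.split(m.group('rest')) if '=' in tok)
    return {
        'perms': set(m.group('perms').split()),
        'source': fields['scontext'].split(':')[2],  # user:role:TYPE:level
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'path': fields.get('path', ''),
    }

def silenced_perms(avc, rules):
    """Denied permissions that a dontaudit rule keeps out of the audit log.
    Matches literal type names only; attribute-based rules are not expanded."""
    hidden = set()
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if (m and m.group('kind') == 'dontaudit' and m.group('src') == avc['source']
                and m.group('tgt') == avc['target'] and m.group('cls') == avc['tclass']):
            hidden |= set((m.group('set') or m.group('one')).split())
    return hidden & avc['perms']

def allow_rule(avc):
    """An allow rule in the form shown in my-dbusbroker.te, built from one denial."""
    perms = sorted(avc['perms'])
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {body};"
```

The derived rule covers every block device labelled `removable_device_t` for the whole `system_dbusd_t` domain, so review it before loading it as a module. After a `semodule -DB` session, `semodule -B` rebuilds the policy with the dontaudit rules restored.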

Comment 50 Fedora Update System 2025-04-07 13:34:40 UTC
FEDORA-2025-29f873056d (selinux-policy-40.30-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-29f873056d

Comment 51 Fedora Update System 2025-04-08 02:48:47 UTC
FEDORA-2025-29f873056d has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-29f873056d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-29f873056d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 52 Fedora Update System 2025-04-23 01:59:58 UTC
FEDORA-2025-29f873056d (selinux-policy-40.30-1.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

