Created attachment 1242270
screen of app window after the error

Usage:
# gnome-disks (opens GUI of the application) > select devices > SD card (click in the left column) > restore from disk image OR create image (right top corner, applies for whole device instead of partition) > choose image, run recovery, ok, provide root password

Error:
Error while .... (selected operation)
Message recipient disconnected from message bus without replying (g-dbus-error-quark, 4)

Then the window goes grey (see attachment). The only resolution is to restart the utility.

Reproducible: always
Same here, although I discovered it in attempt to benchmark my SD card.
Same here, but with eMMC.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Still happens on Fedora 27 here.
Oops, actually it works! But segfaults if run on disk ChromeOS partitions, but that's another story.
It is still an issue. A week ago, I tried it again on F27. Exactly the same result. I gave up on 'gnome-disks' with SD cards. Using pure 'dd' for such purposes now.
I'm encountering this problem still on F27 too. When asked to do some tasks (like Benchmarking), udisksd exits with SIGTERM. I can't see what's wrong, but it works if I do setenforce 0, so it's something related to selinux policies.
I can confirm this problem on F27 as well. No AVC in audit.log, but disabling of selinux helps as Jan said.
This is still an issue in Fedora 28 (pre-)beta. Also confirmed: Running 'sudo setenforce 0' and restarting gnome-disks is a workaround to make "restoring" an image to an SD card work. (This is necessary when imaging a disk image to an SD or microSD card for ARM devices.) As setting SELinux to permissive is a workaround, it appears to be an SELinux policy problem.
Maintainers, can we get some quick response, please? It has been a year ...
I really don't know what info I should provide as I'm not gnome-disk's maintainer.
Same problem here with Fedora 28. Setting SELinux to permissive stops the problem.
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Still happens on version 29
Still happens on Fedora 30.
This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Still happens on Fedora 32

$ sudo setenforce permissive

is a workaround
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This bug still exists (see my last comment)
Reopening and updating the version field per comment #19
To make the devices accessible again after running into the error described above, execute:

# systemctl restart udisks2

The following command is a workaround for people who do not want to disable SELinux altogether, yet want to use `gnome-disks` on MMC block devices (i.e. `/dev/mmcblk0`):

1. Insert MMC into drive.
2. Execute:
   # chcon -t fixed_disk_device_t /dev/mmcblk0
3. Open gnome-disks to write an image to /dev/mmcblk0

AFAICT a proper fix should go into SELinux policies.
This is still an issue on Fedora 34
This seems like an SELinux policy issue, changing component and updating to track for F34, since it's still an issue.
Neal,

Will you be able to gather all denials with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
@Zdenek, I've been encountering the same scenario today on F34. Here's what I gathered:

[root@Cordelia chris]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@Cordelia chris]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(09/08/2021 12:51:50.325:231) : avc: denied { read } for pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(09/08/2021 12:51:50.325:232) : avc: denied { read } for pid=1276 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed.
Have faced this issue in Fedora 36 Silverblue recently. Hot Fix mentioned at https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 worked
I can still reproduce this on Fedora 37 Workstation. Applying the fixed_disk_device_t label as suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 does temporarily fix this for me. I can provide additional details as requested.
Dalton,

Can you provide some more data?

rpm -qa selinux-policy
matchpathcon /dev/mmcblk*
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

The key permissions were added in selinux-policy-37.9-1
Sure Zdenek, here's what I have:

dminer $ rpm -qa selinux-policy
selinux-policy-37.19-1.fc37.noarch
~ dminer $ matchpathcon /dev/mmcblk*
/dev/mmcblk0 system_u:object_r:removable_device_t:s0
~ dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

I can confirm that I can still reproduce the bug described in the ticket as of today. I'm also using the auditd settings that you suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.
(In reply to Dalton Miner from comment #33)
> dminer $ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> <no matches>
>
> I can confirm that I can still reproduce the bug described in the ticket as
> of today. I'm also using the auditd settings that you suggested in
> https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c26.

These two seem to be contradictory to me, please show the AVC denials using current selinux-policy. I cannot see any problem with your settings.
This bug still exists in fc38.

$ rpm -qa selinux-policy
selinux-policy-38.12-1.fc38.noarch
$ matchpathcon /dev/mmcblk*
/dev/mmcblk0 system_u:object_r:removable_device_t:s0
$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
<no matches>

Workaround was to use `setenforce 0`.
Do I read it correctly that there are no AVC denials audited, nor are they in the journal, but setenforce 0 makes the scenario work? In that case, can you temporarily enable dontaudit rules?

semodule -DB
<reproduce>
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
semodule -B
Can reproduce in Fedora Silverblue 38. Steps are slightly different due to the change in UI (now: open gnome disks, select the SD card from the sidebar, and then "Create disk image" from the menu). Can also reproduce when trying to write to the disk with the Fedora Media Writer.

My system:

[kabisala@fedora ~]$ matchpathcon /dev/mmcblk0
/dev/mmcblk0 system_u:object_r:removable_device_t:s0
[kabisala@fedora ~]$ rpm -qa selinux-policy
selinux-policy-38.22-1.fc38.noarch
[kabisala@fedora ~]$ semodule -DB
[kabisala@fedora ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(08/19/2023 11:47:53.140:964) : avc: denied { noatsecure } for pid=99562 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:965) : avc: denied { rlimitinh } for pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.141:966) : avc: denied { siginh } for pid=99562 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.166:967) : avc: denied { noatsecure } for pid=99571 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.167:968) : avc: denied { rlimitinh } for pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.167:969) : avc: denied { siginh } for pid=99571 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.387:970) : avc: denied { noatsecure } for pid=99580 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.387:971) : avc: denied { rlimitinh } for pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.387:972) : avc: denied { siginh } for pid=99580 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:973) : avc: denied { noatsecure } for pid=99583 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:974) : avc: denied { rlimitinh } for pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:53.415:975) : avc: denied { siginh } for pid=99583 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.442:978) : avc: denied { read } for pid=914 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=1948 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.452:979) : avc: denied { noatsecure } for pid=99595 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.453:980) : avc: denied { rlimitinh } for pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.453:981) : avc: denied { siginh } for pid=99595 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.499:983) : avc: denied { noatsecure } for pid=99598 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.499:984) : avc: denied { rlimitinh } for pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.499:985) : avc: denied { siginh } for pid=99598 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.538:986) : avc: denied { noatsecure } for pid=99601 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.538:987) : avc: denied { rlimitinh } for pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.538:988) : avc: denied { siginh } for pid=99601 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.562:989) : avc: denied { noatsecure } for pid=99604 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.562:990) : avc: denied { rlimitinh } for pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.562:991) : avc: denied { siginh } for pid=99604 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.583:992) : avc: denied { noatsecure } for pid=99607 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.583:993) : avc: denied { rlimitinh } for pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.583:994) : avc: denied { siginh } for pid=99607 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.620:995) : avc: denied { noatsecure } for pid=99610 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.620:996) : avc: denied { rlimitinh } for pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.620:997) : avc: denied { siginh } for pid=99610 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.644:998) : avc: denied { noatsecure } for pid=99613 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.645:999) : avc: denied { rlimitinh } for pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:55.645:1000) : avc: denied { siginh } for pid=99613 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:58.386:1001) : avc: denied { noatsecure } for pid=99621 comm=polkitd scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1002) : avc: denied { rlimitinh } for pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0
----
type=AVC msg=audit(08/19/2023 11:47:58.387:1003) : avc: denied { siginh } for pid=99621 comm=pkla-check-auth scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_auth_t:s0 tclass=process permissive=0

Can also confirm that `chcon -t fixed_disk_device_t /dev/mmcblk0` solves the issue without the need of disabling selinux
I'm not an expert (or a beginner really) on selinux policies at all, so I might be completely off. Documenting what I found so far, will see if I manage to find some time to investigate further.

I believe the policy that is supposed to give the read/write permission is configured here (https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.te#L118C1-L118C38).

The interface (?) itself, in contrast with its name, consists of a single dontaudit rule https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.if#L866 instead of allow rules (compare it with storage_rw_inherited_fixed_disk_dev).
(In reply to Kabir from comment #38)
> I'm not an expert (or a beginner really) on selinux policies at all, so I
> might be completely off. Documenting what I found so far, will see if I
> manage to find some time to investigate further.
>
> I believe the policy that is supposed to give the read/write permission is
> configured here
> (https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/contrib/dbus.te#L118C1-L118C38).
>
> The interface (?) itself, in contrast with its name, consists of a single
> dontaudit rule
> https://github.com/fedora-selinux/selinux-policy/blob/77e7428bf98c645389b8efaf61a2c3ed6e2441d8/policy/modules/kernel/storage.if#L866
> instead of allow rules (compare it with
> storage_rw_inherited_fixed_disk_dev).

Thank you for the interesting findings, indeed the interface name does not match the content.
This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 37 entered end-of-life (EOL) status on None. Fedora Linux 37 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.
Hello,

This issue exists in Fedora 39. Is it possible to reopen this issue, or do I have to open a new ticket about it?

The steps in the workaround https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 (change selinux context for device mmcblk0 to "fixed_disk_device_t") are currently valid.

Thanks.
Hi,

This issue is currently active in Fedora 40, but there's no SELinux denial associated with the tries to write by the software that uses the udisks2 service. I tested with gnome-disks and a fresh build from source of the rpi-imager, and the results are the same: error - cannot open storage device.

$ matchpathcon /dev/mmcblk*
/dev/mmcblk0 system_u:object_r:removable_device_t:s0

Changing the device label to `fixed_disk_device_t` is still a workaround. But even enabling full audit, there's no SELinux denial related. Maybe this should be addressed as an udisks bug?

Logs from my journalctl:

[using gnome-disks]
...
Jul 16 18:14:57 t460 polkitd[1332]: Operator of unix-session:2 successfully authenticated as unix-user:allan to gain TEMPORARY authorization for action org.freedesktop.udisks2.open-device for system-bus-name::1.104 [/usr/bin/gnome-disks --gapplication-service] (owned by unix-user:allan)
Jul 16 18:14:57 t460 gnome-disks[3397]: Error wiping device on error path: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name is not activatable (g-dbus-error-quark, 2)
Jul 16 18:14:57 t460 gnome-disks[3397]: Error rescanning device: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name is not activatable (g-dbus-error-quark, 2)
Jul 16 18:14:57 t460 systemd[1]: udisks2.service: Deactivated successfully.
Jul 16 18:14:57 t460 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=udisks2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 16 18:14:57 t460 kernel: mmcblk0: p1
Jul 16 18:14:57 t460 systemd-homed[1340]: block device /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/rtsx_pci_sdmmc.0/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0/mmcblk0p1 has been removed.
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
Jul 16 18:14:57 t460 gnome-disks[3397]: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

[using rpi-imager]
...
Jul 16 18:36:21 t460 polkitd[1332]: Operator of unix-session:2 successfully authenticated as unix-user:allan to gain TEMPORARY authorization for action org.freedesktop.udisks2.open-device for system-bus-name::1.167 [./rpi-imager] (owned by unix-user:allan)
Jul 16 18:36:21 t460 systemd[1]: udisks2.service: Deactivated successfully.
Jul 16 18:36:21 t460 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=udisks2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 16 18:36:21 t460 kernel: mmcblk0: p1
Jul 16 18:36:21 t460 systemd-homed[1340]: block device /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/rtsx_pci_sdmmc.0/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0/mmcblk0p1 has been removed.
This message is a reminder that Fedora Linux 39 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 39 on 2024-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '39'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 39 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
As said in comment 43, this issue is currently active in Fedora 40. Please, can some maintainer change the "version" from 39 to 40? Thanks
Same problem with Fedora Silverblue 41, workaround at https://bugzilla.redhat.com/show_bug.cgi?id=1414539#c23 worked
Reproduced with F41 Workstation Live on a Mac Mini with selinux updated to selinux-policy-41.26-1.fc41.noarch:

$ sudo ausearch -i -ts boot -m avc | fgrep -B3 -A1 mmc
----
type=PROCTITLE msg=audit(11/23/2024 20:46:26.617:1947) : proctitle=dbus-broker --log 4 --controller 9 --machine-id aad98a81379d44deae68fa5c264413cd --max-bytes 536870912 --max-fds 4096 --max-matc
type=SYSCALL msg=audit(11/23/2024 20:46:26.617:1947) : arch=x86_64 syscall=recvmsg success=yes exit=60 a0=0x61 a1=0x7ffc955f4020 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x10 items=0 ppid=1380 pid=1381 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc: denied { read } for pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
----

Procedure:

Disable dontaudit rules:
$ sudo semodule -DB

Enable full auditing:
$ sudo auditctl -w /etc/shadow -p w
$ sudo auditctl -l
-w /etc/shadow -p w

Verify selinux labels:
$ ls -lZ /dev/mmc*
brw-rw----. 1 root disk system_u:object_r:removable_device_t:s0 179, 0 Nov 23 19:44 /dev/mmcblk0
brw-rw----. 1 root disk system_u:object_r:removable_device_t:s0 179, 1 Nov 23 19:45 /dev/mmcblk0p1

Unmount, if the device is auto-mounted:
$ lsblk -mf /dev/mmcblk0
NAME        SIZE   OWNER GROUP MODE       FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
mmcblk0     483.9M root  disk  brw-rw----
└─mmcblk0p1 483.7M root  disk  brw-rw---- vfat   FAT16

Follow the procedure in Comment 0 except attempt to *create* a disk image of the SD card:
$ gnome-disks

(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.026: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.026: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed
(gnome-disks:6995): GLib-GIO-CRITICAL **: 19:57:43.027: g_dbus_interface_get_object: assertion 'G_IS_DBUS_INTERFACE (interface_)' failed

Tested with F41 Workstation Live on a Mac Mini with selinux updated:

$ rpm -q selinux-policy dbus-broker dbus-common gnome-disk-utility systemd
selinux-policy-41.26-1.fc41.noarch
dbus-broker-36-4.fc41.x86_64
dbus-common-1.14.10-4.fc41.noarch
gnome-disk-utility-46.1-1.fc41.x86_64
systemd-256.7-1.fc41.x86_64

$ uname -r
6.11.4-301.fc41.x86_64

$ cat /proc/cmdline
BOOT_IMAGE=/images/pxeboot/vmlinuz root=live:CDLABEL=Fedora-WS-Live-41-1-4 rd.live.image quiet rhgb

$ inxi --machine
Machine:
  Type: Laptop System: Apple product: Macmini7,1 v: 1.0 serial: <superuser required>
  Mobo: Apple model: Mac-35C5E08120C7EEAF v: Macmini7,1 serial: <superuser required>
  UEFI: Apple v: 483.0.0.0.0 date: 10/07/2023
(In reply to Steve from comment #47)
> type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc: denied { read } for pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0

Here is why we don't see that AVC:

$ sesearch --dontaudit -s system_dbusd_t | fgrep removable
dontaudit system_dbusd_t removable_device_t:blk_file { read write };

$ rpm -q selinux-policy
selinux-policy-41.26-1.fc41.noarch
Here is a possible workaround using audit2allow. Not tested beyond running these commands in an F41 Workstation VM:

$ echo 'type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc: denied { read } for pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0' > avc-1.txt

$ audit2allow -i avc-1.txt -M my-dbusbroker
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dbusbroker.pp

NB: That semodule command should be modified to set a higher priority for the custom module:

$ sudo semodule -X 300 -i my-dbusbroker.pp # Not tested, but based on other selinux bug reports, such as Bug 2279276.

$ ll -n
total 12
-rw-r--r--. 1 1000 1000 281 Nov 24 17:12 avc-1.txt
-rw-r--r--. 1 1000 1000 975 Nov 24 17:33 my-dbusbroker.pp
-rw-r--r--. 1 1000 1000 270 Nov 24 17:33 my-dbusbroker.te

$ cat my-dbusbroker.te

module my-dbusbroker 1.0;

require {
	type system_dbusd_t;
	type removable_device_t;
	class blk_file read;
}

#============= system_dbusd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t removable_device_t:blk_file read;

Documentation:

$ whatis audit2allow semodule
audit2allow (1) - generate SELinux policy allow/dontaudit rules from logs of denied operations
semodule (8) - Manage SELinux policy modules.
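Added example, not part of the thread and not the code of audit2allow or sesearch: a small Python sketch of how the AVC record from comment #47 relates to the dontaudit rule that hides it and to the allow rule in my-dbusbroker.te. The function names are hypothetical, and rules are matched on exact type names only (an assumption; real policy rules can also name attributes, which this does not resolve).

```python
import re

# Both strings are copied from the thread (ausearch and sesearch output).
AVC = ('type=AVC msg=audit(11/23/2024 20:46:26.617:1947) : avc: denied { read } '
       'for pid=1381 comm=dbus-broker path=/dev/mmcblk0 dev="devtmpfs" ino=972 '
       'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0')
DONTAUDIT = 'dontaudit system_dbusd_t removable_device_t:blk_file { read write };'

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
RULE_RE = re.compile(r'(?P<kind>allow|dontaudit)\s+(?P<s>\S+)\s+(?P<t>[^:\s]+):(?P<cls>\S+)'
                     r'\s+(?:\{\s*(?P<set>[^}]+?)\s*\}|(?P<one>\S+?))\s*;')

def se_type(context):
    """Type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_avc(line):
    """Reduce an AVC denial to the (source, target, class, perms) tuple a rule needs."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    return {"source": se_type(m["s"]), "target": se_type(m["t"]),
            "tclass": m["cls"], "perms": set(m["perms"].split())}

def silenced_by(denial, rule_line):
    """True if rule_line is a dontaudit rule covering every denied permission."""
    m = RULE_RE.search(rule_line)
    if m is None or m["kind"] != "dontaudit":
        return False
    perms = set((m["set"] or m["one"]).split())
    same = (m["s"], m["t"], m["cls"]) == (
        denial["source"], denial["target"], denial["tclass"])
    return same and denial["perms"] <= perms

def te_module(name, denial):
    """Render a .te module with the same shape as the one shown in the thread."""
    items = sorted(denial["perms"])
    p = items[0] if len(items) == 1 else "{ " + " ".join(items) + " }"
    s, t, c = denial["source"], denial["target"], denial["tclass"]
    return (f"module {name} 1.0;\n\nrequire {{\n\ttype {s};\n\ttype {t};\n"
            f"\tclass {c} {p};\n}}\n\nallow {s} {t}:{c} {p};\n")

if __name__ == "__main__":
    d = parse_avc(AVC)
    print("hidden by dontaudit:", silenced_by(d, DONTAUDIT))
    print(te_module("my-dbusbroker", d))
```

The denial is still enforced while the dontaudit rule is active; only the audit record is suppressed, which is why the thread runs `semodule -DB` before reproducing.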
FEDORA-2025-29f873056d (selinux-policy-40.30-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-29f873056d
FEDORA-2025-29f873056d has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-29f873056d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-29f873056d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-29f873056d (selinux-policy-40.30-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.