Description of problem:
Some processes are denied send_msg to dbus by selinux

type=USER_AVC msg=audit(1494603889.524:9388): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1992 spid=1 tpid=11277 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.531:9390): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11278 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.531:9391): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1993 spid=1 tpid=11278 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.609:9395): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11283 tpid=1 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.610:9396): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1995 spid=1 tpid=11283 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495114002.668:11678): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=29152 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495114002.669:11679): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2375 spid=1071 tpid=29152 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495351921.712:12735): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=9451 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495351921.713:12736): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2573 spid=1071 tpid=9451 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495547440.369:14846): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=1997 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495547440.369:14847): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2665 spid=1071 tpid=1997 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1496931062.479:161): pid=1220 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=2010 tpid=1257 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1496931062.479:162): pid=1220 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.20 spid=1257 tpid=2010 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Updated to latest
2. Set selinux in permissive
3. Reboot
4. Look at denied logs

Actual results:
Denied

Expected results:
Allowed or hidden

Additional info:
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
Fedora 26 WorkStation is also affected.

audit[1075]: USER_AVC pid=1075 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
This is still an issue. Any update on this?
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
Not fixed for F26 or F27.
selinux-policy-3.13.1-260.17.fc26
selinux-policy-3.13.1-283.17.fc27
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
I'm getting thousands of these a day so I've written up a type enforcement file that allows, and silences, these audit messages.

---
module my-dbus 1.0;

require {
    type system_dbusd_var_run_t;
    type init_t;
    type sshd_t;
    type postfix_master_t;
    type ftpd_t;
    type saslauthd_t;
    class dbus send_msg;
    class sock_file write;
}

#============= ftpd_t ==============
allow ftpd_t init_t:dbus send_msg;

#============= postfix_master_t ==============
allow postfix_master_t system_dbusd_var_run_t:sock_file write;

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= sshd_t ==============
allow sshd_t init_t:dbus send_msg;
I have also denied accesses to dbus:

module local 1.0;

require {
    type avahi_t;
    type init_t;
    type saslauthd_t;
    type smbd_t;
    class dbus send_msg;
}

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= smbd_t ==============
allow smbd_t avahi_t:dbus send_msg;
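A triage sketch for denials like the ones quoted in this report, added here as an example and not taken from any comment in this bug or from selinux-policy: it groups USER_AVC D-Bus denials by source and target type and renders each group as the allow rule a reviewer would have to approve, marking which direction carried replies. The sample records are constructed in the shape of the quoted ones, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records, abridged from the shape of the USER_AVC lines in this report.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1000000000.001:101): pid=1108 uid=81 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=2010 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1000000000.002:102): pid=1108 uid=81 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.20 spid=1071 tpid=2010 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1000000000.003:103): pid=1108 uid=81 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1000000000.004:104): pid=1108 uid=81 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3664 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # user:role:type:level -- the MLS level may itself contain ':' (s0-s0:c0.c1023),
    # so take the third field instead of counting from the end.
    return context.split(":")[2]

def parse_denial(line):
    """Return a dict for one USER_AVC denial, or None for any other record."""
    m = DENIAL.search(line)
    if "USER_AVC" not in line or m is None:
        return None
    f = dict(FIELD.findall(m.group(2)))
    return {"perms": tuple(m.group(1).split()), "source": selinux_type(f["scontext"]),
            "target": selinux_type(f["tcontext"]), "tclass": f["tclass"], "msgtype": f.get("msgtype", "")}

def summarize(log_text):
    """Count denials per (source, target, class, perms); remember pairs seen carrying replies."""
    counts, replies = Counter(), set()
    for d in filter(None, map(parse_denial, log_text.splitlines())):
        key = (d["source"], d["target"], d["tclass"], d["perms"])
        counts[key] += 1
        if d["msgtype"] in ("method_return", "error"):
            replies.add(key)
    return counts, replies

def candidate_rules(log_text):
    """Render each distinct denial as a candidate allow rule annotated for review."""
    counts, replies = summarize(log_text)
    rules = []
    for (src, tgt, cls, perms), n in sorted(counts.items()):
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        note = "reply" if (src, tgt, cls, perms) in replies else "request"
        rules.append(f"allow {src} {tgt}:{cls} {perm}; # {n} denial(s), {note}")
    return rules
```

The output is a review list, not a policy to load unread: each line is an access some domain would gain, and a denied request and its denied reply show up as two separate rules in opposite directions.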
To give some context: I have relabeled the file system this morning and upgraded to f27 a week or so ago.
selinux-policy-targeted-3.13.1-283.21.fc27.noarch
I'm seeing this on fully updated F28. We use freeipa if that's relevant.
Actually, that was F29. I found that this is causing huge delays on login and logout. I turned selinux enforcing off and login is now quick instead of taking minutes. I will need to disable selinux on this laptop because it still pops up lots of selinux notifications.
Yes this is still an issue.
What does POST status mean?
It's in the GitHub sources. Right now, setools is breaking the build of the selinux-policy rpm package. When the setools rpm package is in the buildroot, I'll create a new update of the selinux-policy package for F29, and the build will also contain the fix for this ticket.
selinux-policy-3.14.2-36.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-43e11a7feb
selinux-policy-3.14.2-36.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-43e11a7feb
selinux-policy-3.14.2-36.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Lukas Vrabec from comment #15)
> It's in the GitHub sources. Right now, setools is breaking the build of the
> selinux-policy rpm package. When the setools rpm package is in the buildroot,
> I'll create a new update of the selinux-policy package for F29, and the build
> will also contain the fix for this ticket.

Lukas, would you also be able to backport this to at least F28 as well?
I believe I'm having this issue with F29. I have selinux-policy-3.14.2-44.fc29.noarch.

USER_AVC pid=744 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.677 spid=2536 tpid=6369 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I was able to get firmware updates working with fwupd in GNOME software after disabling SELinux so I'm pretty sure this AVC error is the reason.
I can confirm the issue mentioned by Máirín Duffy when running the newest version of F29. In my case, it only happens when system firmware upgrades for end users and the TPM2 chip are enabled in BIOS. When launching the fwupd daemon manually within a terminal, everything works smoothly. However, when launching the fwupd daemon through systemd, the execution of /usr/bin/tpm2_pcrlist hangs due to the AVC error mentioned above. Switching SELinux to permissive or disabling the TPM2 chip is an (ugly) workaround.