+++ This bug was initially created as a clone of Bug #1517405 +++ Description of problem: SELinux is preventing plymouthd from 'map' accesses on the chr_file /dev/fb0. ***** Plugin catchall (100. confidence) suggests ************************** If plymouthd는 디폴트로 fb0 chr_file에서 map 액세스를 허용해야 합니다. Then 이 버그를 보고해야 합니다. 이러한 액세스를 허용하기 위해 로컬 정채 모듈을 생성할 수 있습니다. Do allow this access for now by executing: # ausearch -c 'plymouthd' --raw | audit2allow -M my-plymouthd # semodule -X 300 -i my-plymouthd.pp Additional Information: Source Context system_u:system_r:plymouthd_t:s0 Target Context system_u:object_r:framebuf_device_t:s0 Target Objects /dev/fb0 [ chr_file ] Source plymouthd Source Path plymouthd Port <알려지지 않음> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.16.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.13.13-300.fc27.x86_64 #1 SMP Wed Nov 15 15:47:50 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-11-24 21:19:51 KST Last Seen 2017-11-24 21:19:51 KST Local ID 93ac0d30-0f1f-434d-a776-2f79a8fad532 Raw Audit Messages type=AVC msg=audit(1511525991.715:281): avc: denied { map } for pid=11983 comm="plymouthd" path="/dev/fb0" dev="devtmpfs" ino=1035 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file permissive=0 Hash: plymouthd,plymouthd_t,framebuf_device_t,chr_file,map Version-Release number of selected component: selinux-policy-3.13.1-283.16.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.9-300.fc27.x86_64 type: libreport Potential duplicate: bug 1482350 --- Additional comment from Lukas Vrabec on 2017-12-11 10:19:26 EST --- --- Additional comment from Fedora Update System on 2017-12-13 03:25:49 EST --- selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502 --- Additional comment from Fedora Update System on 2017-12-14 06:11:43 EST --- selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502 --- Additional comment from Fedora Update System on 2017-12-20 06:23:38 EST --- selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502 --- Additional comment from Fedora Update System on 2017-12-21 15:20:50 EST --- selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502 --- Additional comment from Fedora Update System on 2018-01-02 11:47:35 EST --- selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. --- Additional comment from Marc Jadoul on 2018-01-06 05:44:04 EST --- Hello, I have the same error. Actually I am using NVIDIA driver because Nouveau locked several time on my laptop. My laptop boot. Wayland is disabled in GSM config. After boot when I log in, my graphical interface freeze including the mouse . After reboot I can see this selinux error.... But there may be other errors. --- Additional comment from Marc Jadoul on 2018-01-06 05:45:47 EST --- NB: I have the right selinux policy installed. --- Additional comment from Benjamin Masse on 2018-01-11 17:19:03 EST --- Description of problem: selinux-policy-3.13.1-283.21.fc27.noarch with proprietary NVIDIA drivers installed. Version-Release number of selected component: selinux-policy-3.13.1-283.19.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.14.11-300.fc27.x86_64 type: libreport --- Additional comment from on 2018-02-03 20:31:27 EST --- --- Additional comment from Chad on 2018-02-20 13:54:10 EST --- Description of problem: type=AVC msg=audit(1519152096.009:449): avc: denied { map } for pid=3998 comm="plymouthd" path="/dev/fb0" dev="devtmpfs" ino=2076 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file permissive=0 Version-Release number of selected component: selinux-policy-3.13.1-283.24.fc27.noarch
bug 1517405 was CLOSED ERRATA, claiming a fix in selinux-policy-3.13.1-283.18.fc27 or perhaps selinux-policy-3.13.1-283.19.fc27. As reported in comments on that bug, people were still seeing this in 283.21 and 283.24. I myself see exactly the same error in the journal on shutdown (and plymouth doesn't appear to work at boot or at shutdown, though I'm sure is was working earlier in the year): Mar 05 02:51:04 kanargh.hell audit[14824]: AVC avc: denied { map } for pid=14824 comm="plymouthd" path="/dev/fb0" dev="devtmpfs" ino=14372 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file permissive=0 That's with 283.24, and I can't see any mention of a later fix in the 283.26 changelog on koji.
selinux-policy-3.13.1-283.27.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
Tried 283.27. Don't think I'm getting the map denial any more. plymouth still isn't working, but that's almost certainly a bug in either plymouthd or a configuration problem. (There is a very brief flicker of life from it during boot, which sounds like bug 1396767.) *However*, when I add "plymouth:debug" to the kernel commandline, I now see: Mar 08 03:18:10 kanargh.hell audit[548]: AVC avc: denied { write } for pid=548 comm="plymouthd" name="plymouth-debug.log" dev="sda7" ino=2490727 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 ...which is probably less than helpful. (There's enough information that makes it to the journal for me to be getting on with, but asking it to do direct logging ought to work too.)
selinux-policy-3.13.1-283.27.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
And can we get a change to allow plymouth-debug.log too?
This appears to do the trick: --- serefpolicy-3.13.1/policy/modules/contrib/plymouthd.fc-orig 2018-03-08 23:44:40.044908194 +0000 +++ serefpolicy-3.13.1/policy/modules/contrib/plymouthd.fc 2018-03-08 23:45:29.347150334 +0000 @@ -8,6 +8,7 @@ /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) /var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/var/log/plymouth-debug\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) /usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
selinux-policy-3.13.1-283.28.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
Ping. 283.28 doesn't appear to have changed. Can we please allow plymouth-debug.log for the next release?
selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.