Description of problem:
SELinux is preventing (upowerd) from using the 'nnp_transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (upowerd) should be allowed nnp_transition access on processes labeled devicekit_power_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(upowerd)' --raw | audit2allow -M my-upowerd
# semodule -X 300 -i my-upowerd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:devicekit_power_t:s0
Target Objects                Unknown [ process2 ]
Source                        (upowerd)
Source Path                   (upowerd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-25.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.0-0.rc0.git9.1.fc29.x86_64 #1 SMP Thu Jun 14 18:07:49 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-06-21 20:30:28 +05
Last Seen                     2018-06-21 20:35:57 +05
Local ID                      8c33f1c1-53bc-45ca-a12b-7920b5ff6d41

Raw Audit Messages
type=AVC msg=audit(1529595357.78:179): avc: denied { nnp_transition } for pid=1193 comm="(upowerd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:devicekit_power_t:s0 tclass=process2 permissive=0

Hash: (upowerd),init_t,devicekit_power_t,process2,nnp_transition

Version-Release number of selected component:
selinux-policy-3.14.2-25.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.0-0.rc0.git9.1.fc29.x86_64
type:           libreport
Reproducible on Fedora 28 too:

----
type=PROCTITLE msg=audit(06/25/2018 08:50:03.990:235) : proctitle=(upowerd)
type=PATH msg=audit(06/25/2018 08:50:03.990:235) : item=0 name=/var/lib/upower inode=404929 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devicekit_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/25/2018 08:50:03.990:235) : cwd=/
type=SYSCALL msg=audit(06/25/2018 08:50:03.990:235) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x558e85110b40 a1=0x558e85110b40 a2=0x0 a3=MS_BIND|MS_REC items=1 ppid=1 pid=1901 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(upowerd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(06/25/2018 08:50:03.990:235) : avc: denied { mounton } for pid=1901 comm=(upowerd) path=/var/lib/upower dev="vda2" ino=404929 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devicekit_var_lib_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(06/25/2018 08:50:03.995:236) : proctitle=(upowerd)
type=PATH msg=audit(06/25/2018 08:50:03.995:236) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8421218 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/25/2018 08:50:03.995:236) : item=0 name=/usr/libexec/upowerd inode=323056 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devicekit_power_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/25/2018 08:50:03.995:236) : cwd=/
type=EXECVE msg=audit(06/25/2018 08:50:03.995:236) : argc=1 a0=/usr/libexec/upowerd
type=BPRM_FCAPS msg=audit(06/25/2018 08:50:03.995:236) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pa=none pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pi=none pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pa=none
type=SYSCALL msg=audit(06/25/2018 08:50:03.995:236) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x558e85095660 a1=0x558e84e9a730 a2=0x558e85083de0 a3=0x558e851ba650 items=2 ppid=1 pid=1901 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=upowerd exe=/usr/libexec/upowerd subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(06/25/2018 08:50:03.995:236) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:devicekit_power_t:s0
type=AVC msg=audit(06/25/2018 08:50:03.995:236) : avc: denied { nnp_transition } for pid=1901 comm=(upowerd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:devicekit_power_t:s0 tclass=process2 permissive=0
----
type=PROCTITLE msg=audit(06/25/2018 08:50:04.017:237) : proctitle=/usr/libexec/upowerd
type=SYSCALL msg=audit(06/25/2018 08:50:04.017:237) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f23e7d4eb20 a2=MSG_CMSG_CLOEXEC a3=0xcf29a79de27ff items=0 ppid=1 pid=1901 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/libexec/upowerd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(06/25/2018 08:50:04.017:237) : avc: denied { write } for pid=1901 comm=gdbus path=/run/systemd/inhibit/7.ref dev="tmpfs" ino=36544 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=0
----

# rpm -qa selinux-policy\* upower\* kernel\* | sort
kernel-4.17.2-200.fc28.x86_64
kernel-core-4.17.2-200.fc28.x86_64
kernel-headers-4.17.2-200.fc28.x86_64
kernel-modules-4.17.2-200.fc28.x86_64
kernel-tools-4.17.2-200.fc28.x86_64
kernel-tools-libs-4.17.2-200.fc28.x86_64
selinux-policy-3.14.1-32.fc28.noarch
selinux-policy-devel-3.14.1-32.fc28.noarch
selinux-policy-doc-3.14.1-32.fc28.noarch
selinux-policy-minimum-3.14.1-32.fc28.noarch
selinux-policy-mls-3.14.1-32.fc28.noarch
selinux-policy-targeted-3.14.1-32.fc28.noarch
upower-0.99.8-1.fc28.x86_64
#
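As an added example (not part of this bug report, and not code from setroubleshoot or audit2allow), the following Python script parses AVC records in both the raw form from the setroubleshoot alert and the interpreted `ausearch -i` form pasted above, and collapses the denials into the allow rules a local module built with `audit2allow -M` would have to contain. The point is to see the scope of such a module before `semodule -i` loads it. The sample log is constructed for this example from the three denials quoted in this report, plus one made-up granted record and one non-AVC record to show that both are skipped.

```python
"""Collapse SELinux AVC denials from audit records into allow rules.

Added example, not part of the bug report: a small parser for the AVC
lines pasted in this thread. It groups denied permissions by
(source type, target type, class) and prints the rule each group would
need, which is what a reviewer wants to see before loading a local
policy module generated from these denials.
"""
import re
from collections import defaultdict

# Matches the raw form  msg=audit(1529595357.78:179): avc: denied {...}
# and the ausearch -i form  msg=audit(06/25/2018 08:50:03.990:235) : avc: ...
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample input: the three denials quoted in the report, one
# non-AVC record, and one made-up granted record (not from the report).
SAMPLE_LOG = """\
type=AVC msg=audit(1529595357.78:179): avc: denied { nnp_transition } for pid=1193 comm="(upowerd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:devicekit_power_t:s0 tclass=process2 permissive=0
type=CWD msg=audit(06/25/2018 08:50:03.990:235) : cwd=/
type=AVC msg=audit(06/25/2018 08:50:03.990:235) : avc: denied { mounton } for pid=1901 comm=(upowerd) path=/var/lib/upower dev="vda2" ino=404929 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devicekit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(06/25/2018 08:50:04.017:237) : avc: denied { write } for pid=1901 comm=gdbus path=/run/systemd/inhibit/7.ref dev="tmpfs" ino=36544 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/25/2018 08:50:04.020:238) : avc: granted { read } for pid=1901 comm=upowerd scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
"""


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) per denied permission.

    Non-AVC records and granted AVC records are skipped. A record that
    denies several permissions at once yields one tuple per permission.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        stype = type_of(m.group("scontext"))
        ttype = type_of(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def allow_rules(text):
    """Return sorted allow rules, one per (source, target, class) group."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(text):
        grouped[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def source_domains(text):
    """Return the set of source types that appear in the denials."""
    return {stype for stype, _, _, _ in parse_denials(text)}


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    print("source domains:", ", ".join(sorted(source_domains(SAMPLE_LOG))))
```

On the sample it prints three rules, every one with init_t as the source type. That is the detail worth checking before loading a module: the denials in this thread are raised against systemd's own domain while it sets the service up (the bind mount onto /var/lib/upower, the execve that fails the bounded transition, the write to the inhibitor fifo), not against devicekit_power_t, so rules generated from them widen what init_t may do to those target types for every service, which is why the catchall plugin's first suggestion is to report the denial as a policy bug rather than keep the local module.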
Same problem here, since 4.17.2-100.fc27.x86_64 kernel update.

The upower.service throws the following log:

upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-rate-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-charge-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-time-full-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-time-empty-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: cannot open '/dev/input/event0': Permission denied
systemd[1]: Started Daemon for power management.
upowerd[1216]: Failed to create object manager for BlueZ: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipie
upowerd[1216]: failed to set data: Failed to create file “/var/lib/upower/history-rate-ASUS_Battery-56.dat.YG3MLZ”: Permission denied
upowerd[1216]: failed to set data: Failed to create file “/var/lib/upower/history-rate-ASUS_Battery-56.dat.MUMMLZ”: Permission denied
upowerd[1216]: failed to set data: Failed to create file “/var/lib/upower/history-rate-ASUS_Battery-56.dat.AI59KZ”: Permission denied
Description of problem:
On an up-to-date rawhide system, after full relabel and another reboot just to be sure

Version-Release number of selected component:
selinux-policy-3.14.2-26.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.0-0.rc2.git3.1.fc29.x86_64
type:           libreport
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.