Description of problem:

    system_u:system_r:unconfined_service_t:s0 root 2328 1 0 Jul23 ? 00:00:00 /usr/libexec/boltd

I think this leads to:

    type=AVC msg=audit(1532360899.498:312): avc: denied { view } for pid=1180 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0

Version-Release number of selected component (if applicable):

    selinux-policy-3.14.1-32.fc28.noarch
    bolt-0.4-1.fc28.x86_64
Hi,

After updating to selinux-policy-3.14.1-39.fc28, I got this:

"SELinux is preventing boltd from write access on the sock_file socket."

    type=AVC msg=audit(1533820265.11:268): avc: denied { write } for pid=1551 comm="boltd" name="socket" dev="tmpfs" ino=11117 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1
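For triage, the two kernel AVC records quoted in the comments above can be reduced to the fields that matter. This is an added example, not part of the original report or of the selinux-policy project; the function names `parse_avc`, `candidate_rule` and `summarize` are hypothetical.

```python
import re

# The two kernel AVC records quoted in this report, copied verbatim.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1532360899.498:312): avc: denied { view } for pid=1180 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0',
    'type=AVC msg=audit(1533820265.11:268): avc: denied { write } for pid=1551 comm="boltd" name="socket" dev="tmpfs" ino=11117 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one kernel AVC denial into a dict; None if it is not a complete one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "comm": fields.get("comm", "?"),
            # A context is user:role:type:level; policy rules are written on the type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "perms": m.group("perms").split(),
            # permissive=1 means the access was logged but not blocked.
            "enforced": fields.get("permissive", "0") == "0",
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def candidate_rule(rec):
    """Render the type-enforcement rule that would cover this denial."""
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {perms};"


def summarize(lines):
    """Return (comm, enforced, candidate rule) for every parsable AVC line."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    return [(r["comm"], r["enforced"], candidate_rule(r)) for r in records]

if __name__ == "__main__":
    for comm, enforced, rule in summarize(SAMPLE_RECORDS):
        print(f"{comm:10} {'blocked' if enforced else 'logged only'}: {rule}")
```

The rendered rule is a reading aid, not a recommended policy change: for the first record the target type is `unconfined_service_t`, and the later comments in this report show boltd running as `boltd_t` instead.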
With selinux-policy-3.14.1-40.fc28, boltd seems to not be able to talk to polkitd:

    error time=1535530547.127210 sender=org.freedesktop.DBus -> destination=:1.9 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=916
       string "An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_return", sender=":1.9" (uid=998 pid=1224 comm="/usr/lib/polkit-1/polkitd --no-debug " label="system_u:system_r:policykit_t:s0") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.5" (uid=0 pid=1148 comm="/usr/libexec/boltd " label="system_u:system_r:boltd_t:s0")"

I am by no means an selinux expert, but maybe boltd.te is missing something like:

    optional_policy(`
        dbus_system_domain(boltd_t,boltd_exec_t)

        optional_policy(`
            policykit_dbus_chat(boltd_t)
        ')
    ')

Does the interface also need something like the following?

    ########################################
    ## <summary>
    ##  Send and receive messages from
    ##  boltd over dbus.
    ## </summary>
    ## <param name="domain">
    ##  <summary>
    ##  Domain allowed access.
    ##  </summary>
    ## </param>
    #
    interface(`boltd_dbus_chat',`
        gen_require(`
            type boltd_t;
            class dbus send_msg;
        ')

        allow $1 boltd_t:dbus send_msg;
        allow boltd_t $1:dbus send_msg;
    ')
Created attachment 1479415: ausearch -m USER_AVC -ts today
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.