Description of problem: SELinux is preventing (boltd) from 'create' accesses on the directory boltd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (boltd) should be allowed create access on the boltd directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(boltd)' --raw | audit2allow -M my-boltd # semodule -X 300 -i my-boltd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:boltd_var_lib_t:s0 Target Objects boltd [ dir ] Source (boltd) Source Path (boltd) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-35.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.18.9-300.fc29.x86_64 #1 SMP Thu Sep 20 02:32:53 UTC 2018 x86_64 Alert Count 10 First Seen 2018-09-27 14:33:19 EDT Last Seen 2018-09-27 14:38:53 EDT Local ID d4255d4d-9f17-423f-9a1c-e4a0e4578c15 Raw Audit Messages type=AVC msg=audit(1538073533.47:325): avc: denied { create } for pid=3536 comm="(boltd)" name="boltd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_lib_t:s0 tclass=dir permissive=0 Hash: (boltd),init_t,boltd_var_lib_t,dir,create Version-Release number of selected component: selinux-policy-3.14.2-35.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.9-300.fc29.x86_64 type: libreport
Don't know what this boltd is now,
Description of problem: fc27 workstation upgraded to fc29 Version-Release number of selected component: selinux-policy-3.14.2-34.fc29.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.11-301.fc29.x86_64 type: libreport
Proposed as a Blocker for 29-final by Fedora user jlanda using the blocker tracking app because: I Installed a new fc27 workstation with everything iso, default options. After upgrading to fc29 with dnf I'm hitting this selinux-policy bug
criterion: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." And actually there's a bunch of other boltd selinux AVC's I see on each boot that trigger the gnome-shell notification banner thingy... 1636823 1632230 1636660 1636539 1636538 1635436 1633725
Discussed during the 2018-10-08 blocker review meeting: [1] The decision to classify this bug as an AcceptedBlocker was made: "This is accepted as a violation of the criterion "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."" [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-10-08/f29-blocker-review.2018-10-08-16.00.log.txt
commit fdc0a2e0c507704fdfb15644cdbab41532411df2 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Lukas Vrabec <lvrabec> Date: Tue Oct 9 17:45:23 2018 +0200 Allow boltd_t to be activated by init socket activation Resolves: rhbz#1633786
With selinux-policy-3.14.2-37.fc29.noarch I'm still getting denials, and notifications for them in GNOME shell for these two boltd related bugs: Bug 1636823 Bug 1637676
Lukas, can you please submit an update for -39 (or a later build with further fixes) to fix this plus the subsequent denials Chris noted, plus the cron stuff, for F29 Final? Thanks!
After upgrading to selinux-policy-targeted-3.14.2-39.fc29.noarch I'm no longer seeing any AVC denial notifications by GNOME. I see one in the journal: Oct 15 13:08:48 flap.local audit[659]: USER_AVC pid=659 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.411 spid=1951 tpid=1941 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=1 [chris@flap ~]$ Tested with and without a thunderbolt device connected; and also connected and disconnected after startup/login.
Adam, Everything should be included in -39.fc29 except SELinux denial from comment#9. I can fix it and create the build but it is after midnight in my timezone, could you create update from that build and include it to the rc compose? Thanks, Lukas
commit a69f9e63d83dd5f603147ddf7a349e075c80959d (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Lukas Vrabec <lvrabec> Date: Tue Oct 16 00:15:11 2018 +0200 Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
I can confirm comment 9, AVCs seem to be fixed in -39 except the one mentioned. Lukas, Adam is on vacation now, can you please make the build and submit to Bodhi? Thanks.
Build is in bodhi. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
Thanks, can you please modify it and mark it to fix this bug? I just tested it and all the boltd AVCs seem to be gone.
Update FEDORA-2018-ce273879ac wasn't marked as fixing this bug. It has been pushed to stable, closing.
*** Bug 1650364 has been marked as a duplicate of this bug. ***