Description of problem:
Error occurs at system boot and with systemctl restart bolt
Running on an old Lenovo T410 with no thunderbolt hardware and getting the errors below.

SELinux is preventing (boltd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/boltd.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/run/systemd/unit-root/run/boltd default label should be init_var_run_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/systemd/unit-root/run/boltd

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that (boltd) should be allowed mounton access on the boltd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-36.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.11-301.fc29.x86_64 #1 SMP Mon Oct 1 13:47:10 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-07 21:39:41 EDT
Last Seen                     2018-10-07 21:51:35 EDT
Local ID                      e7bd2d98-28f9-4b8c-a713-5f462d3338a2

Raw Audit Messages
type=AVC msg=audit(1538963495.536:297): avc:  denied  { mounton } for  pid=4721 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=56475 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0

Hash: (boltd),init_t,boltd_var_run_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Potential duplicate: bug 1636660
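The raw AVC record in the report above is exactly what `ausearch -c '(boltd)' --raw` hands to audit2allow. As an added example that is not part of this bug report or of the selinux-policy project, the following Python parses such records, reproduces the "Hash:" line setroubleshoot prints (comm, source type, target type, class, permissions) and emits the allow rule audit2allow would put into a local module. The two AVC lines in the sample are the ones reported in this bug; the SYSCALL line is constructed to show that non-AVC records are skipped.

```python
"""Parse raw SELinux AVC audit records and derive setroubleshoot's alert hash
and the audit2allow-style TE rule for them.  Added example, not project code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Two AVC records as they appear in the setroubleshoot reports of this bug,
# plus one constructed SYSCALL record (abbreviated) that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1538963495.536:297): avc:  denied  { mounton } for  pid=4721 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=56475 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1539457784.476:238): avc:  denied  { mounton } for  pid=2080 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=47233 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1538963495.536:297): arch=c000003e syscall=165 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, denied/granted, { perms }, then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, dev) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component of user:role:type[:range]; the range may itself contain colons."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    result: str           # "denied" or "granted"
    perms: tuple          # e.g. ("mounton",)
    fields: dict          # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    @property
    def comm(self) -> str:
        return self.fields["comm"]

    @property
    def stype(self) -> str:
        return context_type(self.fields["scontext"])

    @property
    def ttype(self) -> str:
        return context_type(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def was_enforced(self) -> bool:
        """permissive=0 means the kernel actually blocked the access."""
        return self.fields.get("permissive") == "0"


def parse_avc(line: str):
    """Parse one audit record; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("result"), tuple(m.group("perms").split()), fields)


def parse_audit_log(text: str):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def setroubleshoot_hash(rec: AvcRecord) -> str:
    """Reproduce the 'Hash:' line of a setroubleshoot alert: comm,stype,ttype,tclass,perms."""
    return ",".join([rec.comm, rec.stype, rec.ttype, rec.tclass, ",".join(rec.perms)])


def allow_rules(records) -> list:
    """Aggregate denials per (source type, target type, class) and emit TE allow rules
    in the form audit2allow prints them (braces only for multiple permissions)."""
    wanted = defaultdict(set)
    for r in records:
        if r.result == "denied":
            wanted[(r.stype, r.ttype, r.tclass)].update(r.perms)
    rules = []
    for (s, t, c), perms in sorted(wanted.items()):
        ps = sorted(perms)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for r in recs:
        print(f"serial {r.serial}: pid={r.fields['pid']} enforced={r.was_enforced} hash={setroubleshoot_hash(r)}")
    print("\n".join(allow_rules(recs)))
```

Note that the rule this produces grants init_t exactly the mounton permission that was denied, which is what the "catchall" plugin's local module does; once the fixed selinux-policy build is installed, a workaround module such as my-boltd should be removed again (`semodule -r my-boltd`) so the distribution policy stays the single source of the rule.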
Description of problem:
Seeing this issue after every reboot. The suggestion to run "/sbin/restorecon -v /run/systemd/unit-root/run/boltd" didn't help, as /run/systemd/unit-root is an empty directory.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
*** Bug 1636660 has been marked as a duplicate of this bug. ***
I'm also getting this, happens to be a system with no thunderbolt interfaces on it at all.
Running on battery with nothing connected; I do get notification for this denial in GNOME.

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          flap.local
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     flap.local
Platform                      Linux flap.local 4.18.12-300.fc29.x86_64 #1 SMP Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-13 13:09:43 MDT
Last Seen                     2018-10-13 13:09:44 MDT
Local ID                      16fa60d7-2c18-4197-986e-94e11c790d3e

Raw Audit Messages
type=AVC msg=audit(1539457784.476:238): avc:  denied  { mounton } for  pid=2080 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=47233 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0

Hash: (boltd),init_t,boltd_var_run_t,dir,mounton
Description of problem:
Appeared right after the first login on the desktop. System has been upgraded to F29 before.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Created attachment 1493729 [details]
journalctl log

Just in case it's useful to see what all boltd is doing (or at least logging) in relation to the AVCs. Used -o short-monotonic time.
Description of problem:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport
Description of problem:
This showed up at boot after I updated to Fedora 29. I believe the thunderbolt daemon should be allowed to access its own directory.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
commit 2d39d24bc2473eac94a5ccdfa373e29db041d3fd (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 15 14:13:06 2018 +0200

    Allow systemd to mount boltd_var_run_t dirs
    BZ(1636823)
Description of problem:
This began after I upgraded from F28W to F29W.

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport
Appears to be fixed by 3.14.2-39.fc29
Proposing freeze exception per blocker review #info to make sure a fix gets pushed to stable. The bug only happens with upgraded systems that still have setroubleshooter.
selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
+1 FE for this, we should definitely accept -39 for it and its buddy.
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
I am not experiencing any boltd related selinux messages since 3.14.2-39. Considering verified.
LGTM too now. selinux-policy-3.14.2-40.fc29
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.