Description of problem:
This appears on reboot.

SELinux is preventing dbus-daemon from 'write' accesses on the fifo_file /run/boltd/power/2.guard.fifo.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon should be allowed write access on the 2.guard.fifo fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/boltd/power/2.guard.fifo [ fifo_file ]
Source                        dbus-daemon
Source Path                   dbus-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.12-300.fc29.x86_64 #1 SMP Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-10-09 10:49:33 PDT
Last Seen                     2018-10-09 10:49:33 PDT
Local ID                      8084f588-4daf-4e72-b1f5-66b05e63f6a1

Raw Audit Messages
type=AVC msg=audit(1539107373.979:294): avc: denied { write } for pid=763 comm="dbus-daemon" path="/run/boltd/power/2.guard.fifo" dev="tmpfs" ino=51116 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=0

Hash: dbus-daemon,system_dbusd_t,boltd_var_run_t,fifo_file,write

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Still seeing this with policy -37

Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/boltd/power/2.guard.fifo [ fifo_file ]
Source                        dbus-daemon
Source Path                   dbus-daemon
Port                          <Unknown>
Host                          flap.local
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     flap.local
Platform                      Linux flap.local 4.18.12-300.fc29.x86_64 #1 SMP Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-10-13 13:09:44 MDT
Last Seen                     2018-10-13 13:09:44 MDT
Local ID                      0c2e124c-2d8b-4f22-bd30-cfcf6b6ba6e0

Raw Audit Messages
type=AVC msg=audit(1539457784.367:236): avc: denied { write } for pid=687 comm="dbus-daemon" path="/run/boltd/power/2.guard.fifo" dev="tmpfs" ino=43935 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=0

Hash: dbus-daemon,system_dbusd_t,boltd_var_run_t,fifo_file,write
Hi Chris, Do you know why dbus is trying to write to 2.guard pipe? Thanks, Lukas.
Description of problem:
This one just appeared out of the blue after upgrading to F29.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport
Hi Lukas, it is a named pipe, where the boltd opens both sides and then passes the write end of it via dbus to the client. I would guess that is the reason. The whole idea behind it is outlined in the commits of bolt MR 101 (https://gitlab.freedesktop.org/bolt/bolt/merge_requests/101)
*** Bug 1638754 has been marked as a duplicate of this bug. ***
commit e096da420b3e2f2fe1d8d3d3f69651b3da12b9a6 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 15 14:09:21 2018 +0200

    Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs access to boltd pipes BZ(1637676)
Appears to be fixed by 3.14.2-39.fc29
Proposing freeze exception per blocker review #info to make sure a fix gets pushed to stable. The bug only happens with upgraded systems that still have setroubleshooter.
selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
+1 FE for this, we should definitely accept -39 for it and its buddy.
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.