Bug 1645278 - SELinux is preventing systemd-logind from 'read' accesses on the blk_file nvme0n1p1.
Summary: SELinux is preventing systemd-logind from 'read' accesses on the blk_file nvm...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6fd876b459704392257a2a80d9d...
: 1645902 1646185 1646560 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-01 19:26 UTC by Jonathan Haas
Modified: 2018-12-29 10:03 UTC (History)
16 users (show)

Fixed In Version: selinux-policy-3.14.2-41.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-07 02:42:00 UTC


Attachments (Terms of Use)

Description Jonathan Haas 2018-11-01 19:26:12 UTC
Description of problem:
SELinux is preventing systemd-logind from 'read' accesses on the blk_file nvme0n1p1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed read access on the nvme0n1p1 blk_file by default.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:nvme_device_t:s0
Target Objects                nvme0n1p1 [ blk_file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat
                              Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-11-01 19:23:51 CET
Last Seen                     2018-11-01 20:24:14 CET
Local ID                      c6eb65b8-3ab3-47ca-9a5a-1b8b488d737a

Raw Audit Messages
type=AVC msg=audit(1541100254.983:210): avc:  denied  { read } for  pid=1151 comm="systemd-logind" name="nvme0n1p1" dev="devtmpfs" ino=18784 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0


Hash: systemd-logind,systemd_logind_t,nvme_device_t,blk_file,read

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Potential duplicate: bug 1644786

Comment 1 Kamil Páral 2018-11-02 08:11:35 UTC
Description of problem:
Just logged in after a dnf update.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 2 Braden McDaniel 2018-11-02 14:13:41 UTC
Description of problem:
Not sure exactly what activity triggered this alert. systemd was recently updated, though.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 3 Jonathan Haas 2018-11-02 14:25:29 UTC
Appeared the same time as https://bugzilla.redhat.com/show_bug.cgi?id=1644313, but not sure if related, also instead of going into standby mode, the system now does a regular boot whenever I close and reopen the lid instead of remembering/restoring the session. (Dell XPS 13 9350).

Comment 4 Lukas Vrabec 2018-11-02 16:29:25 UTC
commit c6e14c8e0fe178b24a59eb98792291c7a42e5df8 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Nov 2 17:27:57 2018 +0100

    Allow systemd_logind_t domain to read nvme devices BZ(1645567)

Comment 5 Luca Botti 2018-11-02 16:52:32 UTC
Description of problem:
Booting up after last updates

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 6 revoman 2018-11-03 02:09:31 UTC
Description of problem:
Showed up after an upgrade from Fedora 28 -> 29

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 7 Christian Kujau 2018-11-04 03:15:14 UTC
Description of problem:
This alert shows up right after boot, i.e. after logging into Gnome and is reported into syslog too. Example:


# sealert -l 4a3eef04-de90-4896-96ef-b7b5178546e1
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

    from dbus.mainloop.glib import DBusGMainLoop

    DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux is preventing systemd-logind from read access on the blk_file nvme0n1p1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed read access on the nvme0n1p1 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp


Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:nvme_device_t:s0
Target Objects                nvme0n1p1 [ blk_file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          horus
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     horus
Platform                      Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct
                              20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-11-03 20:06:04 PDT
Last Seen                     2018-11-03 20:06:04 PDT
Local ID                      4a3eef04-de90-4896-96ef-b7b5178546e1

Raw Audit Messages
type=AVC msg=audit(1541300764.423:258): avc:  denied  { read } for  pid=892 comm="systemd-logind" name="nvme0n1p1" dev="devtmpfs" ino=13714 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0


Hash: systemd-logind,systemd_logind_t,nvme_device_t,blk_file,read

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 8 Fedora Update System 2018-11-04 10:07:47 UTC
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 9 Stepan Broz 2018-11-04 19:04:09 UTC
*** Bug 1645902 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2018-11-05 04:20:04 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 11 bugzilla 2018-11-05 16:31:48 UTC
*** Bug 1646560 has been marked as a duplicate of this bug. ***

Comment 12 Sjoerd Mullender 2018-11-05 19:09:22 UTC
Description of problem:
I rebooted and then logged in.  Then I saw this report.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 13 Lukas Vrabec 2018-11-06 10:24:55 UTC
*** Bug 1646185 has been marked as a duplicate of this bug. ***

Comment 14 Mike Detwiler 2018-11-06 13:39:26 UTC
Description of problem:
The problem occurred on first login after a reboot.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 15 Fedora Update System 2018-11-07 02:42:00 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Jonathan Haas 2018-12-29 10:03:09 UTC
Description of problem:
Logging in and printing PDF document

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport


Note You need to log in before you can comment on or make changes to this bug.