Bug 1665580 - SELinux is preventing plymouthd from getattr access on the directory /sys/firmware/efi/efivars
Status: CLOSED DUPLICATE of bug 1664143
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-01-11 20:20 UTC by th4949
Modified: 2023-09-14 04:44 UTC
Last Closed: 2019-01-17 15:36:41 UTC
Type: Bug

Description th4949 2019-01-11 20:20:40 UTC
Description of problem: On rebooting the system which has a fresh Fedora 29 installation, the following error occurs:
SELinux is preventing plymouthd from getattr access on the directory /sys/firmware/efi/efivars.

Version-Release number of selected component (if applicable): 3.14.2-44.fc29 (current Fedora 29 versions)

How reproducible: Every reboot

Full output from troubleshooting window copied below:

SELinux is preventing plymouthd from getattr access on the directory /sys/firmware/efi/efivars.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/sys/firmware/efi/efivars default label should be sysfs_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /sys/firmware/efi/efivars

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that plymouthd should be allowed getattr access on the efivars directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plymouthd' --raw | audit2allow -M my-plymouthd
# semodule -X 300 -i my-plymouthd.pp

Additional Information:
Source Context                system_u:system_r:plymouthd_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                /sys/firmware/efi/efivars [ dir ]
Source                        plymouthd
Source Path                   plymouthd
Port                          <Unknown>
Host                          Hostname
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hostname
Platform                      Linux Hostname 4.19.10-300.fc29.x86_64 #1 SMP Mon
                              Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2019-01-11 14:56:09 EST
Last Seen                     2019-01-11 14:56:09 EST
Local ID                      19785ad5-ce64-4be3-a003-93a15d6119e6

Raw Audit Messages
type=AVC msg=audit(1547236569.468:3462): avc:  denied  { getattr } for  pid=7534 comm="plymouthd" path="/sys/firmware/efi/efivars" dev="efivarfs" ino=1313 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0


Hash: plymouthd,plymouthd_t,efivarfs_t,dir,getattr
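An added example (not code from the report, setroubleshoot, or the selinux-policy project) that parses the raw AVC record quoted above into the fields setroubleshoot summarises: source and target types, object class, permission set, and whether the denial was enforced or only logged, and rebuilds the same grouping key as the "Hash:" line. The sample record and the expected label sysfs_t come from this report; the function names are assumptions of this example.

```python
import re

# Constructed sample: the raw AVC message from the report above, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1547236569.468:3462): avc:  denied  { getattr } for  '
    'pid=7534 comm="plymouthd" path="/sys/firmware/efi/efivars" dev="efivarfs" '
    'ino=1313 scontext=system_u:system_r:plymouthd_t:s0 '
    'tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0'
)

# Shape: 'avc:  denied  { perm1 perm2 } for  key=value ...'; the tail mixes
# quoted values (comm, path, dev) with bare tokens (pid, scontext, tclass, ...).
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: (quoted if quoted else bare)
              for key, quoted, bare in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'scontext_type': context_type(fields.get('scontext', '')),
        'tcontext_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but not actually blocked
        'permissive': fields.get('permissive') == '1',
    }


def triage_key(rec):
    """Grouping key in the form of the report's 'Hash:' line (comm,stype,ttype,class,perms)."""
    return ','.join([rec['comm'], rec['scontext_type'], rec['tcontext_type'],
                     rec['tclass'], ' '.join(rec['perms'])])


def label_mismatch(rec, expected_type):
    """True when the target's type differs from the label the policy expects for that path,
    i.e. the condition the restorecon plugin reports (sysfs_t vs efivarfs_t in this report)."""
    return rec['tcontext_type'] != expected_type
```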

Comment 1 Lukas Vrabec 2019-01-14 17:01:09 UTC
Hi, 

Could you try it with this build? 

https://koji.fedoraproject.org/koji/buildinfo?buildID=1178902

Thanks,
Lukas.

Comment 2 Zdenek Pytela 2019-01-17 15:36:41 UTC
Please continue in discussion in bz 1664143 with further information.

*** This bug has been marked as a duplicate of bug 1664143 ***

Comment 3 Red Hat Bugzilla 2023-09-14 04:44:55 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days