Description of problem: I ran: $ boltctl enroll 00f1e138-016a-0801-ffff-ffffffffffff ● Lenovo ThinkPad Thunderbolt 3 Dock ├─ type: peripheral ├─ name: ThinkPad Thunderbolt 3 Dock ├─ vendor: Lenovo ├─ uuid: 00f1e138-016a-0801-ffff-ffffffffffff ├─ dbus path: /org/freedesktop/bolt/devices/00f1e138_016a_0801_ffff_ffffffffffff ├─ status: authorized │ ├─ domain: c7010000-0070-7518-a3e8-26148892a921 │ ├─ parent: c7010000-0070-7518-a3e8-26148892a921 │ ├─ syspath: /sys/devices/pci0000:00/0000:00:1d.0/0000:05:00.0/0000:06:00.0/0000:07:00.0/domain0/0-0/0-3 │ └─ authflags: none ├─ authorized: Fri 15 Mar 2019 03:22:58 PM UTC ├─ connected: Fri 15 Mar 2019 03:21:30 PM UTC └─ stored: Fri 15 Mar 2019 03:22:58 PM UTC ├─ policy: auto └─ key: no SELinux is preventing boltd from 'write' accesses on the directory domain0. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that boltd should be allowed write access on the domain0 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'boltd' --raw | audit2allow -M my-boltd # semodule -X 300 -i my-boltd.pp Additional Information: Source Context system_u:system_r:boltd_t:s0 Target Context system_u:object_r:sysfs_t:s0 Target Objects domain0 [ dir ] Source boltd Source Path boltd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-49.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.20.14-200.fc29.x86_64 #1 SMP Tue Mar 5 19:55:32 UTC 2019 x86_64 x86_64 Alert Count 1 First Seen 2019-03-15 11:22:58 EDT Last Seen 2019-03-15 11:22:58 EDT Local ID 426abdad-7175-4eb6-974a-00ab82005b6f Raw Audit Messages type=AVC msg=audit(1552663378.496:1048): avc: denied { write } for pid=4385 comm="boltd" name="domain0" dev="sysfs" ino=31458 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 Hash: boltd,boltd_t,sysfs_t,dir,write Version-Release number of selected component: selinux-policy-3.14.2-49.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.14-200.fc29.x86_64 type: libreport
commit ef0c1e086e735f3a3864091e610914bc85a067dc (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Wed Mar 20 21:55:50 2019 +0100 Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.