Bug 1758746 - SELinux is preventing boltd from 'read' accesses on the lnk_file driver.
Summary: SELinux is preventing boltd from 'read' accesses on the lnk_file driver.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b66c51ff9104d836a4c679eb71e...
Duplicates: 1758797 1759596
Depends On:
Blocks:
Reported: 2019-10-05 09:26 UTC by Michael
Modified: 2019-10-11 23:18 UTC (History)
CC List: 11 users

Fixed In Version: selinux-policy-3.14.4-37.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-11 23:18:15 UTC
Type: ---


Description Michael 2019-10-05 09:26:52 UTC
Description of problem:
Plugged in USB stick
SELinux is preventing boltd from 'read' accesses on the lnk_file driver.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boltd should be allowed read access on the driver lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'boltd' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:boltd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                driver [ lnk_file ]
Source                        boltd
Source Path                   boltd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-36.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.2-300.fc31.x86_64 #1 SMP Tue Oct 1 20:44:46 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-10-05 11:25:57 CEST
Last Seen                     2019-10-05 11:25:57 CEST
Local ID                      2bc23e25-a827-4d86-a222-13701941fe6f

Raw Audit Messages
type=AVC msg=audit(1570267557.411:1076): avc:  denied  { read } for  pid=3799 comm="boltd" name="driver" dev="sysfs" ino=63607 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0


Hash: boltd,boltd_t,sysfs_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.14.4-36.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.2-300.fc31.x86_64
type:           libreport

Potential duplicate: bug 1758731
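The setroubleshoot "catchall" advice above (ausearch -c 'boltd' --raw | audit2allow -M my-boltd; semodule -X 300 -i my-boltd.pp) builds a local policy module from the raw AVC records. The script below is an added example, not part of this report or of the selinux-policy/audit2allow projects: it parses the AVC lines quoted in this bug, aggregates them by (source type, target type, class) the way audit2allow does, and renders the .te body that the workaround module would contain. The function and module names are the author's own choices; the only real identifiers are the SELinux types and permissions taken from the records.

```python
"""Parse raw SELinux AVC denial records and show what a local allow module
built from them would grant.  Added example, not code from the bug report
or from audit2allow; it mirrors audit2allow's aggregation so the reader can
see the rule the suggested workaround installs."""
import re
from collections import defaultdict

# Constructed sample: AVC records copied from this bug report (Description
# and Comment 3).  Real systems would get these from `ausearch --raw`.
SAMPLE_AVCS = """\
type=AVC msg=audit(1570267557.411:1076): avc:  denied  { read } for  pid=3799 comm="boltd" name="driver" dev="sysfs" ino=63607 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:104): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341" dev="sysfs" ino=24557 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:109): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
"""

# Pull the permission set, both security contexts and the object class out
# of one AVC record.  permissive= is optional on older kernels.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A context is user:role:type:level; policy rules are written against the type.
    return {
        "perms": set(d["perms"].split()),
        "stype": d["scontext"].split(":")[2],
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        "enforced": d["permissive"] != "1",
    }


def aggregate(raw):
    """Merge all denials into {(source_type, target_type, class): perms}."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules


def render_te(rules, module="my-boltd", version="1.0"):
    """Emit a type-enforcement module body in the form audit2allow produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
            for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_te(aggregate(SAMPLE_AVCS)))
```

Note what the rendered rule says: `allow boltd_t sysfs_t:lnk_file { getattr read };` lets boltd follow every symlink labelled sysfs_t, not just the driver, subsystem and thunderbolt/wmi links in the records, because audit2allow works on types, not paths. That is acceptable as a stop-gap on a desktop, but it is a local override layered on top of the distribution policy (the -X 300 priority), so it will keep masking the real regression in selinux-policy-3.14.4-36.fc31 after the fixed package is installed; remove it with `semodule -r my-boltd` once the updated policy is in place, and check `ausearch -c 'boltd' --raw --start boot` again to confirm the denials are gone.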

Comment 1 dovla091 2019-10-05 18:29:20 UTC
*** Bug 1758797 has been marked as a duplicate of this bug. ***

Comment 2 Christian Kellner 2019-10-05 18:49:33 UTC

*** This bug has been marked as a duplicate of bug 1754360 ***

Comment 3 Christian Kellner 2019-10-05 19:09:01 UTC
Sorry, I was too quick here, I think the change in bug 1754360 (selinux-policy build 3.14.4-36.fc31) might actually *cause* this.

rpm -qa "selinux-policy*"
selinux-policy-3.14.4-36.fc31.noarch
selinux-policy-targeted-3.14.4-36.fc31.noarch

sudo ausearch -c 'boltd' --start boot --raw
type=AVC msg=audit(1570302004.301:104): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341" dev="sysfs" ino=24557 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:105): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/05901221-D566-11D1-B2F0-00A0C9062910" dev="sysfs" ino=24687 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:106): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/8D9DDCBC-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24619 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:107): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/9DBB5994-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24663 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:108): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/wmi/devices/A80593CE-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24648 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:109): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:110): avc:  denied  { getattr } for  pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/0-0" dev="sysfs" ino=40678 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:114): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40661 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:115): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8986 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:116): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8769 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:117): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8702 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:118): avc:  denied  { read } for  pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8305 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0

As a result of this boltd does not work at all anymore:

journalctl -b -u bolt
-- Logs begin at Mon 2019-03-18 16:28:32 CET, end at Sat 2019-10-05 21:08:06 CEST. --
Oct 05 21:00:03 cobalt systemd[1]: Starting Thunderbolt system service...
Oct 05 21:00:03 cobalt boltd[1318]: bolt 0.8 starting up.
Oct 05 21:00:04 cobalt boltd[1318]: store: located at: /var/lib/boltd
Oct 05 21:00:04 cobalt boltd[1318]: config: loading user config
Oct 05 21:00:04 cobalt boltd[1318]: config: user config loaded successfully
Oct 05 21:00:04 cobalt boltd[1318]: config: auth mode set to 'enabled'
Oct 05 21:00:04 cobalt boltd[1318]: bouncer: initializing polkit
Oct 05 21:00:04 cobalt boltd[1318]: udev: initializing udev
Oct 05 21:00:04 cobalt boltd[1318]: store: loading domains
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain?                    ] store: loading domain
Oct 05 21:00:04 cobalt boltd[1318]: journal: opened for 'c9030000-0070'; size: 0 bytes
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain?                    ] domain: registered (bootacl: 9/16)
Oct 05 21:00:04 cobalt boltd[1318]: store: loading devices
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824                            ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: power: state located at: /run/boltd/power
Oct 05 21:00:04 cobalt boltd[1318]: power: force power support: no
Oct 05 21:00:04 cobalt boltd[1318]: udev: enumerating devices
Oct 05 21:00:04 cobalt boltd[1318]: dbus: exported domain at /org/freedesktop/bolt/domains/c9030000_0070_6f08_23fd_a0485751381d
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f-HP Thunderbolt 3Dock       ] dbus: exported device at /org/freedesktop/bolt/devices/00eb011d_b15f...
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f-Dell Thunderbolt Cable     ] dbus: exported device at /org/freedesktop/bolt/devices/008b61e9_315f...
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f-Dell Thunderbolt Dock      ] dbus: exported device at /org/freedesktop/bolt/devices/10762168_2f5f...
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200-Thunderbolt to Gigabit Ethe] dbus: exported device at /org/freedesktop/bolt/devices/60515100_0200...
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0-Thunderbolt3 Graphic Dock  ] dbus: exported device at /org/freedesktop/bolt/devices/003299ed_d8a0...
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/002b12dc_739d...
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/00d81a34_3824...
Oct 05 21:00:04 cobalt systemd[1]: Started Thunderbolt system service.
Oct 05 21:00:04 cobalt boltd[1318]: domain: could not find domain for device at '/sys/devices/pci0000:00/0000:00:1c.4/0000:03:00.0/0000:04:00.0/0000:05:00.0/domain0/0-0/0-1'

NB:it can not find any thunderbolt hardware (should appear between "udev: enumerating devices" and "dbus: exported domain at").

Comment 4 Lukas Vrabec 2019-10-07 11:08:44 UTC

*** This bug has been marked as a duplicate of bug 1759019 ***

Comment 5 Fedora Update System 2019-10-09 11:44:14 UTC
FEDORA-2019-5adca37a25 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

Comment 6 Lukas Vrabec 2019-10-09 15:08:55 UTC
*** Bug 1759596 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2019-10-09 23:05:37 UTC
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

Comment 8 Joel Diaz 2019-10-10 14:30:39 UTC
selinux-policy-3.14.4-37.fc31 got things back to working for me

Comment 9 Fedora Update System 2019-10-11 23:18:15 UTC
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
