Description of problem:
Plugged in USB stick

SELinux is preventing boltd from 'read' accesses on the lnk_file driver.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that boltd should be allowed read access on the driver lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boltd' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:boltd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                driver [ lnk_file ]
Source                        boltd
Source Path                   boltd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-36.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.2-300.fc31.x86_64 #1 SMP Tue Oct 1 20:44:46 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-10-05 11:25:57 CEST
Last Seen                     2019-10-05 11:25:57 CEST
Local ID                      2bc23e25-a827-4d86-a222-13701941fe6f

Raw Audit Messages
type=AVC msg=audit(1570267557.411:1076): avc: denied { read } for pid=3799 comm="boltd" name="driver" dev="sysfs" ino=63607 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0

Hash: boltd,boltd_t,sysfs_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.14.4-36.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.2-300.fc31.x86_64
type:           libreport

Potential duplicate: bug 1758731
*** Bug 1758797 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 1754360 ***
Sorry, I was too quick here, I think the change in bug 1754360 (selinux-policy build 3.14.4-36.fc31) might actually *cause* this.

rpm -qa "selinux-policy*"
selinux-policy-3.14.4-36.fc31.noarch
selinux-policy-targeted-3.14.4-36.fc31.noarch

sudo ausearch -c 'boltd' --start boot --raw
type=AVC msg=audit(1570302004.301:104): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341" dev="sysfs" ino=24557 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:105): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/05901221-D566-11D1-B2F0-00A0C9062910" dev="sysfs" ino=24687 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:106): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/8D9DDCBC-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24619 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:107): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/9DBB5994-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24663 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:108): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/A80593CE-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24648 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:109): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:110): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/0-0" dev="sysfs" ino=40678 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:114): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40661 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:115): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8986 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:116): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8769 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:117): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8702 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:118): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8305 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0

As a result of this boltd does not work at all anymore:

journalctl -b -u bolt
-- Logs begin at Mon 2019-03-18 16:28:32 CET, end at Sat 2019-10-05 21:08:06 CEST. --
Oct 05 21:00:03 cobalt systemd[1]: Starting Thunderbolt system service...
Oct 05 21:00:03 cobalt boltd[1318]: bolt 0.8 starting up.
Oct 05 21:00:04 cobalt boltd[1318]: store: located at: /var/lib/boltd
Oct 05 21:00:04 cobalt boltd[1318]: config: loading user config
Oct 05 21:00:04 cobalt boltd[1318]: config: user config loaded successfully
Oct 05 21:00:04 cobalt boltd[1318]: config: auth mode set to 'enabled'
Oct 05 21:00:04 cobalt boltd[1318]: bouncer: initializing polkit
Oct 05 21:00:04 cobalt boltd[1318]: udev: initializing udev
Oct 05 21:00:04 cobalt boltd[1318]: store: loading domains
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain? ] store: loading domain
Oct 05 21:00:04 cobalt boltd[1318]: journal: opened for 'c9030000-0070'; size: 0 bytes
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain? ] domain: registered (bootacl: 9/16)
Oct 05 21:00:04 cobalt boltd[1318]: store: loading devices
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200 ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0 ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824 ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: power: state located at: /run/boltd/power
Oct 05 21:00:04 cobalt boltd[1318]: power: force power support: no
Oct 05 21:00:04 cobalt boltd[1318]: udev: enumerating devices
Oct 05 21:00:04 cobalt boltd[1318]: dbus: exported domain at /org/freedesktop/bolt/domains/c9030000_0070_6f08_23fd_a0485751381d
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f-HP Thunderbolt 3Dock ] dbus: exported device at /org/freedesktop/bolt/devices/00eb011d_b15f...
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f-Dell Thunderbolt Cable ] dbus: exported device at /org/freedesktop/bolt/devices/008b61e9_315f...
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f-Dell Thunderbolt Dock ] dbus: exported device at /org/freedesktop/bolt/devices/10762168_2f5f...
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200-Thunderbolt to Gigabit Ethe] dbus: exported device at /org/freedesktop/bolt/devices/60515100_0200...
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0-Thunderbolt3 Graphic Dock ] dbus: exported device at /org/freedesktop/bolt/devices/003299ed_d8a0...
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/002b12dc_739d...
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/00d81a34_3824...
Oct 05 21:00:04 cobalt systemd[1]: Started Thunderbolt system service.
Oct 05 21:00:04 cobalt boltd[1318]: domain: could not find domain for device at '/sys/devices/pci0000:00/0000:00:1c.4/0000:03:00.0/0000:04:00.0/0000:05:00.0/domain0/0-0/0-1'

NB: it can not find any thunderbolt hardware (should appear between "udev: enumerating devices" and "dbus: exported domain at").
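
Added example (not part of the bug report, and not code from setroubleshoot or audit2allow): a Python sketch that collapses raw AVC records like those quoted above into one type-enforcement rule per source type, target type and class, so the access a locally generated module would grant can be read before it is loaded. The sample holds three denials copied from this report plus one constructed non-AVC record; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: three denials copied from this report, one constructed non-AVC record.
SAMPLE = """\
type=AVC msg=audit(1570302004.301:109): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:114): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40661 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=SERVICE_START msg=audit(1570302004.400:119): pid=1 uid=0 msg='unit=bolt comm="systemd" res=success'
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (comm, source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (m["comm"], selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["count"] += 1
    return groups

def allow_rules(groups):
    """Render each group as the allow rule that would permit it."""
    rules = []
    for (_comm, s, t, cls), g in sorted(groups.items()):
        rules.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(g['perms']))} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```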
*** This bug has been marked as a duplicate of bug 1759019 ***
FEDORA-2019-5adca37a25 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25
*** Bug 1759596 has been marked as a duplicate of this bug. ***
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25
selinux-policy-3.14.4-37.fc31 got things back to working for me
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.