1803513 – Multiple denial messages

Bug 1803513 - Multiple denial messages

Summary: Multiple denial messages

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	32
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-02-16 14:47 UTC by Andrey Motoshkov
Modified:	2020-09-07 13:03 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.14.5-28.fc32
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-09-07 13:03:57 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Andrey Motoshkov 2020-02-16 14:47:26 UTC

Description of problem:
Multiple denial messages

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-24.fc32.noarch
kernel-5.6.0-0.rc1.git2.1.fc32.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
      5  AVC avc:  denied  { connectto } for  comm="agetty" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:plymouthd_t:s0 tclass=unix_stream_socket permissive=1
      4  AVC avc:  denied  { create } for  comm="systemd-user-ru" name="blk" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      4  AVC avc:  denied  { create } for  comm="systemd-user-ru" name="chr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      3  AVC avc:  denied  { dac_override } for  comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { getattr } for  comm="login" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
      4  AVC avc:  denied  { getattr } for  comm="systemd-hostnam" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      4  AVC avc:  denied  { getattr } for  comm="systemd-localed" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { getattr } for  comm="systemd-machine" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { getattr } for  comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { getattr } for  comm="systemd-rfkill" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { getattr } for  comm="systemd-sysctl" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { getattr } for  comm="systemd-timedat" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { getattr } for  comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      4  AVC avc:  denied  { mknod } for  comm="systemd-user-ru" capability=27  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
      4  AVC avc:  denied  { open } for  comm="systemd-hostnam" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      4  AVC avc:  denied  { open } for  comm="systemd-localed" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { open } for  comm="systemd-machine" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { open } for  comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { open } for  comm="systemd-rfkill" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { open } for  comm="systemd-sysctl" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { open } for  comm="systemd-timedat" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { open } for  comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="avahi-daemon" name="userdb" dev="tmpfs" ino=1321 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
     44  AVC avc:  denied  { read } for  comm="pkla-check-auth" name="userdb" dev="tmpfs" ino=1321 scontext=system_u:system_r:policykit_auth_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
      4  AVC avc:  denied  { read } for  comm="systemd-hostnam" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:at-spi-dbus-bus.service" dev="tmpfs" ino=125908 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:at-spi-dbus-bus.service" dev="tmpfs" ino=71101 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=103897 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=51048 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      2  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.1-com.gexperts.Tilix" dev="tmpfs" ino=145403 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.1-com.intel.dleyna-renderer" dev="tmpfs" ino=212436 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Identity" dev="tmpfs" ino=70557 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.OnlineAccounts" dev="tmpfs" ino=72219 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=147638 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=39712 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=49418 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=86831 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=99476 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      2  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-launched-gnome-software-service.desktop-5954.scope" dev="tmpfs" ino=149567 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-launched-libcanberra-login-sound.desktop-2934.scope" dev="tmpfs" ino=77748 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-launched-org.gnome.Evolution.desktop-7167.scope" dev="tmpfs" ino=152560 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-session-manager" dev="tmpfs" ino=43939 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-session-manager" dev="tmpfs" ino=98437 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-session-manager" dev="tmpfs" ino=69670 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-session-monitor.service" dev="tmpfs" ino=124553 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      4  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=125653 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      2  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=41827 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      3  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=98443 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gsd-color.service" dev="tmpfs" ino=77466 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gsd-media-keys.service" dev="tmpfs" ino=137571 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gsd-media-keys.service" dev="tmpfs" ino=56437 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gsd-media-keys.service" dev="tmpfs" ino=97233 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:obex.service" dev="tmpfs" ino=212093 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=43906 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:tracker-store.service" dev="tmpfs" ino=79411 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      4  AVC avc:  denied  { read } for  comm="systemd-localed" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-machine" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { read } for  comm="systemd-rfkill" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-sysctl" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-timedat" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { read } for  comm="systemd-tty-ask" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20558 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=39377 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=42872 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=65787 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=98338 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=39376 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=42871 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=65786 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=98337 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { setsched } for  comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="boltd" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=process permissive=1
      4  AVC avc:  denied  { setsched } for  comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1
      4  AVC avc:  denied  { setsched } for  comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="tpm2-abrmd" scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:tabrmd_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { sys_nice } for  comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { sys_nice } for  comm="pcscd" capability=23  scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=42872 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=65787 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=98338 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=42871 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=65786 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=98337 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1


Expected results:


Additional info:

Comment 1 Lukas Vrabec 2020-02-17 13:52:28 UTC

Hi Andrey, 

Could you please reproduce it with the latest selinux-policy build from koji? 

https://koji.fedoraproject.org/koji/buildinfo?buildID=1462575

Thanks,
Lukas.

Comment 2 Andrey Motoshkov 2020-02-18 10:03:31 UTC

rpm -qa | grep selinux-policy
selinux-policy-targeted-3.14.5-26.fc32.noarch
selinux-policy-3.14.5-26.fc32.noarch

      2  AVC avc:  denied  { create } for  comm="systemd-user-ru" name="blk" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      2  AVC avc:  denied  { create } for  comm="systemd-user-ru" name="chr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      2  AVC avc:  denied  { dac_override } for  comm="plymouthd" capability=1  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { getattr } for  comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { getattr } for  comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { mknod } for  comm="systemd-user-ru" capability=27  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { open } for  comm="systemd-modules" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { open } for  comm="systemd-tty-ask" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.19-org.a11y.atspi.Registry" dev="tmpfs" ino=56336 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.2-com.gexperts.Tilix" dev="tmpfs" ino=75336 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Identity" dev="tmpfs" ino=61404 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.OnlineAccounts" dev="tmpfs" ino=60094 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-:1.2-org.gnome.Shell.CalendarServer" dev="tmpfs" ino=59304 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=40230 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:dbus-broker.service" dev="tmpfs" ino=49191 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-launched-gnome-software-service.desktop-2481.scope" dev="tmpfs" ino=65006 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      3  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=48355 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gnome-shell-wayland.service" dev="tmpfs" ino=58761 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:gsd-color.service" dev="tmpfs" ino=64454 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=40219 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:pulseaudio.service" dev="tmpfs" ino=47241 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-journal" name="invocation:tracker-store.service" dev="tmpfs" ino=69869 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
      1  AVC avc:  denied  { read } for  comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      2  AVC avc:  denied  { read } for  comm="systemd-tty-ask" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=20526 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=33735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=33734 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { setattr } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=46236 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
      1  AVC avc:  denied  { setsched } for  comm="accounts-daemon" scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="boltd" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=process permissive=1
      2  AVC avc:  denied  { setsched } for  comm="colord" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process permissive=1
      2  AVC avc:  denied  { setsched } for  comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="pcscd" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { setsched } for  comm="tpm2-abrmd" scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:tabrmd_t:s0 tclass=process permissive=1
      1  AVC avc:  denied  { sys_nice } for  comm="accounts-daemon" capability=23  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { sys_nice } for  comm="pcscd" capability=23  scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="blk" dev="tmpfs" ino=46237 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=blk_file permissive=1
      1  AVC avc:  denied  { unlink } for  comm="systemd-user-ru" name="chr" dev="tmpfs" ino=46236 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1

Comment 3 Lukas Vrabec 2020-02-18 16:54:57 UTC

Hi, 

These issues will be handle by this commit: 

commit 5474b82f5d1280e11a7a47ce7dc2feb50df049cb (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 18 17:53:01 2020 +0100

    Allow systemd_logind_t domain to manage user_tmp_t char and block
    devices
    
    Resolves: rhbz#1798912

Comment 4 Villy Kruse 2020-02-20 09:10:23 UTC

(In reply to Lukas Vrabec from comment #3)
> Hi, 
> 
> These issues will be handle by this commit: 
> 

There are about five or six other SELinux issues unrelated to systemd-logind_t.

> commit 5474b82f5d1280e11a7a47ce7dc2feb50df049cb (HEAD -> rawhide,
> origin/rawhide)
> Author: Lukas Vrabec <lvrabec>
> Date:   Tue Feb 18 17:53:01 2020 +0100
> 
>     Allow systemd_logind_t domain to manage user_tmp_t char and block
>     devices
>     
>     Resolves: rhbz#1798912

Note You need to log in before you can comment on or make changes to this bug.