Description of problem:
Kernel update, maybe.

SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-modules should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-modules' --raw | audit2allow -M my-systemdmodules
# semodule -X 300 -i my-systemdmodules.pp

Additional Information:
Source Context                system_u:system_r:systemd_modules_load_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [ file ]
Source                        systemd-modules
Source Path                   systemd-modules
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            <Unknown>
Local Policy RPM              selinux-policy-targeted-3.14.5-32.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.0-0.rc7.git0.2.fc32.x86_64 #1 SMP Mon Mar 23 18:38:45 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-03-27 22:59:31 MSK
Last Seen                     2020-03-31 13:29:59 MSK
Local ID                      9631dd38-9ae6-4a3a-a6d9-80a1b68be940

Raw Audit Messages
type=AVC msg=audit(1585650599.412:1966): avc: denied { read } for pid=211026 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=16638 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Hash: systemd-modules,systemd_modules_load_t,efivarfs_t,file,read

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc7.git0.2.fc32.x86_64
type:           libreport
Alex, Thank you for reporting the issue. Are you aware at which moment this denial triggers? Did you also notice any command failing?
Well, I'm not sure. There are no failing commands. I was doing `dnf update`. `dnf hist` tells me that `kmod-VirtualBox` was involved:

ID  | Command line | Date and time
----------------------------------------------------------------
924 | -y install --disablerepo=* /tmp/akmods.isUns5pL/results/kmod-VirtualBox-5.6.0-300.fc32.x86_64-6.1.4-3.fc32.x86_64.rpm | 2020-03-31
923 | up -y | 2020-03-31
I would be glad to provide additional info, logs or command output, if needed.
I see it on Fedora Server. I'm not sure what systemd does with secure boot state, it might only affect sd-boot installations.

$ sudo journalctl -b -o short-monotonic | grep AVC
[ 10.867636] fnuc.local audit[513]: AVC avc: denied { read } for pid=513 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=333 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
[ 10.867984] fnuc.local audit[513]: AVC avc: denied { read } for pid=513 comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=333 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

selinux-policy-3.14.5-36.fc32.noarch
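Added example (not part of any comment in this thread and not setroubleshoot's code): a small Python parser that reduces AVC denial lines like the ones quoted above to the comm, source type, target type, class and permission tuple shown in the report's "Hash:" line, so repeated denials from the journal or the audit log can be counted as one issue. The function names and the comma-joining of multiple permissions are assumptions.

```python
import re
from collections import Counter

# AVC records copied from the comments above (one raw audit record, two journalctl lines).
_TAIL = ('comm="systemd-modules" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" '
         'dev="efivarfs" ino={ino} scontext=system_u:system_r:systemd_modules_load_t:s0 '
         'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0')
SAMPLE = [
    'type=AVC msg=audit(1585650599.412:1966): avc: denied { read } for pid=211026 '
    + _TAIL.format(ino=16638),
    '[ 10.867636] fnuc.local audit[513]: AVC avc: denied { read } for pid=513 '
    + _TAIL.format(ino=333),
    '[ 10.867984] fnuc.local audit[513]: AVC avc: denied { read } for pid=513 '
    + _TAIL.format(ino=333),
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def ctx_type(context):
    """user:role:type:level -> type (the level itself may contain colons)."""
    return context.split(':')[2]

def signature(rec):
    """comm,source type,target type,class,perms, as in the report's Hash line."""
    return ','.join([rec['comm'], ctx_type(rec['scontext']),
                     ctx_type(rec['tcontext']), rec['tclass'],
                     ','.join(sorted(rec['perms']))])  # multi-perm join is an assumption

def summarize(lines):
    """Count enforced (permissive=0) denials per signature."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get('permissive') == '0':
            counts[signature(rec)] += 1
    return counts

if __name__ == '__main__':
    for sig, n in summarize(SAMPLE).items():
        print(n, sig)
```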
Similar problem has been detected:

dnf upgrade

hashmarkername: setroubleshoot
kernel:         5.6.6-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-32.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

This happened on the first boot after upgrading Fedora 31 to 32.

hashmarkername: setroubleshoot
kernel:         5.6.6-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-32.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

I was updating with dnf upgrade from a terminal, and among others, there were kernel updates being deinstalled/installed. The system was very recently upgraded from F30 via F31 to F32, using GNOME Software's new operating system proposal.

hashmarkername: setroubleshoot
kernel:         5.6.7-300.fc32.x86_64
reason:         SELinux is preventing systemd-modules from 'read' accesses on the Datei SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

Just pops in after booting

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

It happened after upgrading Fedora 31 to 32

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-32.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the archivo SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
I have just noticed the same problem after upgrading to Fedora 32, but not immediately. I think that it may have been triggered by GNOME Software downloading update information (not the updates themselves), but I’m not even sure, as I wasn’t doing anything special when the SELinux notification came up.
*** This bug has been marked as a duplicate of bug 1824196 ***
*** Bug 1838933 has been marked as a duplicate of this bug. ***