Description of problem:
Booted & launched KDE. Started after upgrading from F31 to F32.

SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-resolved should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-resolve' --raw | audit2allow -M my-systemdresolve
# semodule -X 300 -i my-systemdresolve.pp

Additional Information:
Source Context                system_u:system_r:systemd_resolved_t:s0
Target Context                system_u:object_r:efivarfs_t:s0
Target Objects                /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [ file ]
Source                        systemd-resolve
Source Path                   /usr/lib/systemd/systemd-resolved
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-245.4-1.fc32.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-3.14.5-32.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-32.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.4-300.fc32.x86_64 #1 SMP Mon Apr 13 14:31:58 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-04-14 17:53:23 EDT
Last Seen                     2020-04-15 10:05:15 EDT
Local ID                      c2a250f2-a565-41ca-b854-a4ebd0349110

Raw Audit Messages
type=AVC msg=audit(1586959515.439:141): avc:  denied  { read } for  pid=1053 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=19536 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1586959515.439:141): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=56088d28dae0 a2=80100 a3=0 items=1 ppid=1 pid=1053 auid=4294967295 uid=193 gid=193 euid=193 suid=193 fsuid=193 egid=193 sgid=193 fsgid=193 tty=(none) ses=4294967295 comm=systemd-resolve exe=/usr/lib/systemd/systemd-resolved subj=system_u:system_r:systemd_resolved_t:s0 key=(null)

type=CWD msg=audit(1586959515.439:141): cwd=/

type=PATH msg=audit(1586959515.439:141): item=0 name=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c inode=19536 dev=00:1e mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:efivarfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: systemd-resolve,systemd_resolved_t,efivarfs_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.5-32.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.4-300.fc32.x86_64
type:           libreport
*** Bug 1823035 has been marked as a duplicate of this bug. ***
commit 94e50ba442ae8792587879a18d714c10747e7de6 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 20 16:54:13 2020 +0200

    Allow read efivarfs_t files by domains executing systemctl file

    Resolves: rhbz#1824196
FEDORA-2020-3ffe9fdf42 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ffe9fdf42
FEDORA-2020-3ffe9fdf42 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-3ffe9fdf42`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ffe9fdf42

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Lukasi,

This bug was reported not fixed with the update. I cannot see the permission either:

# sesearch -A -s systemd_resolved_t -t efivarfs_t -c file -p read
# sesearch -A -s systemd_modules_load_t -t efivarfs_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True

I cannot even find the commit. Has the commit reached the github repo?
commit ff8b5f9c119a828e92036f86e3d82c898412db59 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 30 10:06:21 2020 +0200

    Allow read efivarfs_t files by domains executing systemctl file

    Resolves: rhbz#1824196

https://github.com/fedora-selinux/selinux-policy/commit/ff8b5f9c119a828e92036f86e3d82c898412db59

Thanks for the heads-up.
*** Bug 1819161 has been marked as a duplicate of this bug. ***
just noted this happening for me too. following.
FEDORA-2020-a6cd8de2ed has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed
Fixed with the following:

# cat efivars-systemd-resolved-fix.te
module efivars-systemd-resolved-fix 1.0;

require {
	type efivarfs_t;
	type systemd_resolved_t;
	class file { getattr open read };
}

#============= systemd_resolved_t ==============
allow systemd_resolved_t efivarfs_t:file getattr;

#!!!! This avc is allowed in the current policy
allow systemd_resolved_t efivarfs_t:file { open read };

---

# sesearch -A -s systemd_resolved_t -t efivarfs_t -c file -p read
allow systemd_resolved_t efivarfs_t:file { getattr open read };
Similar problem has been detected:

It happens when I tried to install some third-party kernel modules

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-32.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
FEDORA-2020-a6cd8de2ed has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Similar problem has been detected:

It happens every time when I install a third-party kernel module (probably ashmem?)

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

Install a third party software called xDroid (a proprietary Android compatibility layer developed by Chinese people). During the installation process the warning pops up several times.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
This issue is not resolved with this update, even after a manual relabel. Also note #1827466 in the first AVC.

~]# ausearch -m avc -ts boot
----
time->Wed May  6 17:57:42 2020
type=AVC msg=audit(1588805862.874:118): avc:  denied  { read } for  pid=815 comm="sssd" name="systemd" dev="tmpfs" ino=256 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:163): avc:  denied  { read } for  pid=925 comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:164): avc:  denied  { open } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
----
time->Wed May  6 17:57:44 2020
type=AVC msg=audit(1588805864.772:165): avc:  denied  { getattr } for  pid=925 comm="systemd-resolve" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
I am also getting:

SELinux is preventing systemd-resolve from read access on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

selinux-policy 3.14.5-8.fc32

audit2allow generates the following:

module my-systemdresolve 1.0;

require {
	type efivarfs_t;
	type systemd_resolved_t;
	class file read;
}

#============= systemd_resolved_t ==============
allow systemd_resolved_t efivarfs_t:file read;
edit: selinux-policy version is 3.14.5-38.fc32
after applying the above policy (2 comments up) I now get:

SELinux is preventing systemd-resolve from open access on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

audit2allow module updated:

module my-systemdresolve 1.0;

require {
	type efivarfs_t;
	type systemd_resolved_t;
	class file { open read };
}

#============= systemd_resolved_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_resolved_t efivarfs_t:file read;
allow systemd_resolved_t efivarfs_t:file open;
after applying the above policy I get:

SELinux is preventing systemd-resolve from getattr access on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

audit2allow policy now looks like:

module my-systemdresolve 1.0;

require {
	type systemd_resolved_t;
	type efivarfs_t;
	class file { getattr open read };
}

#============= systemd_resolved_t ==============
allow systemd_resolved_t efivarfs_t:file getattr;

#!!!! This avc is allowed in the current policy
allow systemd_resolved_t efivarfs_t:file { open read };

this resolves the whole issue
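The three-round audit2allow sequence above, and the hand-written .te module in the earlier "Fixed with the following" comment, both come down to one mapping: each AVC record contributes (source type, target type, class, permission) and audit2allow merges those into allow rules. The script below is an added example, not code from this bug report or from the selinux-policy project. It re-implements that mapping over the AVC records quoted in this thread (trimmed copies, constructed here as sample input), renders a .te module in audit2allow's layout, and counts how many enforcing-mode rounds are needed when each round only grants the single permission that was logged. The `already_allowed` set and the `OPEN_CHECK_ORDER` tuple are assumptions of the example: the first stands in for what `sesearch -A` would report on a real host, the second is the order in which the denials appeared in this thread (read, then open, then getattr), not something taken from kernel source.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records quoted in this thread (three permissive-mode
# denials for systemd-resolved, one enforcing-mode denial for systemctl run from
# logrotate), trimmed to the fields this example needs.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1588805864.772:163): avc:  denied  { read } for  pid=925 '
    'comm="systemd-resolve" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" '
    'dev="efivarfs" ino=239 scontext=system_u:system_r:systemd_resolved_t:s0 '
    'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1588805864.772:164): avc:  denied  { open } for  pid=925 '
    'comm="systemd-resolve" dev="efivarfs" ino=239 '
    'scontext=system_u:system_r:systemd_resolved_t:s0 '
    'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1588805864.772:165): avc:  denied  { getattr } for  pid=925 '
    'comm="systemd-resolve" dev="efivarfs" ino=239 '
    'scontext=system_u:system_r:systemd_resolved_t:s0 '
    'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1',
    # `ausearch -i` output (no quotes around comm/name); the parser handles both forms.
    'type=AVC msg=audit(05/19/2020 00:01:02.472:577) : avc:  denied  { read } for  '
    'pid=10060 comm=systemctl name=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c '
    'dev="efivarfs" ino=15548 scontext=system_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0',
]
# A non-AVC record from the same audit event; the parser must skip it.
NON_AVC_LINE = ('type=SYSCALL msg=audit(1588805864.772:163): arch=x86_64 syscall=openat '
                'success=no exit=EACCES a0=ffffff9c a2=80100 comm="systemd-resolve"')

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def collect_denials(lines):
    """Merge every record into {(source type, target type, class): {perms}}."""
    denials = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            denials[(stype, ttype, tclass)] |= perms
    return dict(denials)


def fmt_perms(perms):
    """audit2allow style: a bare word for one permission, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, denials, already_allowed=frozenset()):
    """Render a .te module. `already_allowed` holds (stype, ttype, tclass, perm) tuples the
    loaded policy already grants; supplied by hand here (an assumption), it would come
    from `sesearch -A` on a real host. Those rules get audit2allow's '#!!!!' comment."""
    out = [f"module {name} 1.0;", "", "require {"]
    for t in sorted({s for s, _, _ in denials} | {t for _, t, _ in denials}):
        out.append(f"\ttype {t};")
    for tclass in sorted({c for _, _, c in denials}):
        perms = set().union(*(p for (_, _, c), p in denials.items() if c == tclass))
        out.append(f"\tclass {tclass} {fmt_perms(perms)};")
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        out.append(f"#============= {stype} ==============")
        new = {p for p in perms if (stype, ttype, tclass, p) not in already_allowed}
        old = perms - new
        if new:
            out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(new)};")
        if old:
            out.append("#!!!! This avc is allowed in the current policy")
            out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(old)};")
        out.append("")
    return "\n".join(out)


# Order in which the permissions were denied in this thread (assumption drawn from the
# comments above, not from kernel source): in enforcing mode the first missing one
# fails the syscall, so only one denial is logged per attempt.
OPEN_CHECK_ORDER = ("read", "open", "getattr")


def first_denied(granted):
    """The permission that would be denied next, or None when the access succeeds."""
    for perm in OPEN_CHECK_ORDER:
        if perm not in granted:
            return perm
    return None


def rounds_to_fix(granted=()):
    """Enforcing-mode audit2allow rounds needed when each round adds one logged permission."""
    granted, rounds = set(granted), 0
    while first_denied(granted) is not None:
        granted.add(first_denied(granted))
        rounds += 1
    return rounds


if __name__ == "__main__":
    print(render_module("efivars-fix", collect_denials(SAMPLE_AVC_LINES)))
    print("rounds needed in enforcing mode:", rounds_to_fix())
```

`rounds_to_fix()` returns 3, which is exactly the read, open, getattr sequence of the three comments above; the permissive-mode `ausearch` output earlier in the thread logged all three in one boot, which is why `collect_denials` over those records yields the complete `{ getattr open read }` rule in a single pass.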
Similar problem has been detected:

dnf distro-sync --allowerasing --best --refresh

Happened during 'Running scriptlet: kernel-core-5.6.10-300.fc32.x86_64' phase.

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
I'm not sure if relevant, but I did `fixfiles onboot` in the previous session, rebooted, and now had the issue pop up during the new kernel-core install.
Similar problem has been detected:

This SELinux alert was present on first boot after upgrading from Fedora 31 to Fedora 32.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

this happened while updating packages (among them kernel packages)

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the Datei SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

This happened after waking up my laptop from suspend. Reason unknown.

hashmarkername: setroubleshoot
kernel:         5.6.10-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the Datei SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

In boot show message "Failed to start Load Kernel Modules"

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the arquivo SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
*** Bug 1827972 has been marked as a duplicate of this bug. ***
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(05/19/2020 00:01:02.472:577) : proctitle=/usr/bin/systemctl --quiet is-active psacct.service
type=PATH msg=audit(05/19/2020 00:01:02.472:577) : item=0 name=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c inode=15548 dev=00:1c mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:efivarfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/19/2020 00:01:02.472:577) : cwd=/
type=SYSCALL msg=audit(05/19/2020 00:01:02.472:577) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5632c2c7fe40 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=10059 pid=10060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(05/19/2020 00:01:02.472:577) : avc:  denied  { read } for  pid=10060 comm=systemctl name=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c dev="efivarfs" ino=15548 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
FEDORA-2020-886cc9af08 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08
FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-886cc9af08`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Similar problem has been detected:

Happened after dnf update command.

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing /usr/lib/systemd/systemd-modules-load from 'read' accesses on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Changing status to assigned: the reported issue has not been resolved, and neither has the similar one for systemd_modules_load_t.
Similar problem has been detected:

Restarted nfs

sudo systemctl restart rpcbind nfs-server

the error suddenly appeared

hashmarkername: setroubleshoot
kernel:         5.6.13-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

This occurs upon rebooting and whenever I resume (power on) from a hybrid suspend. This started after upgrading from Fedora 31 to 32.

The same occurs with systemd-modules:

SELinux is preventing systemd-modules from read access on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

Plugin: catchall
SELinux denied access requested by systemd-modules. It is not expected that this access is required by systemd-modules and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

If you believe that systemd-modules should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'systemd-modules' --raw | audit2allow -M my-systemdmodules
# semodule -X 300 -i my-systemdmodules.pp

hashmarkername: setroubleshoot
kernel:         5.6.13-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Similar problem has been detected:

The notebook's battery ran out while programs were being installed

hashmarkername: setroubleshoot
kernel:         5.6.14-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the arquivo SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
Similar problem has been detected:

This just popped up after dnf update

hashmarkername: setroubleshoot
kernel:         5.6.8-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
I've submitted a new Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/361
commit 8c4ffe785f5278ca5399563df5091487041d9257 (HEAD -> rawhide, origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Jun 3 16:00:48 2020 +0200

    Allow systemd_resolved_t to read efivarfs

    Resolves: rhbz#1824196
FEDORA-2020-ca8855e4de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de
FEDORA-2020-ca8855e4de has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ca8855e4de`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Similar problem has been detected:

This error gets reported after logging on. I suspect it occurs at startup time. But I do not know what software causes this violation.

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
gbonnema, see bz#1833502, should be resolved in the same policy package version.
Zdenek Pytela, thanks for the pointer.
Similar problem has been detected:

Just logged in and received this error message

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing systemd-modules from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
type:           libreport
selinux-policy-3.14.5-40.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.