Description of problem: SELinux is preventing systemd-tty-ask from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-tty-ask should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-tty-ask' --raw | audit2allow -M my-systemdttyask # semodule -X 300 -i my-systemdttyask.pp Additional Information: Source Context system_u:system_r:systemd_passwd_agent_t:s0 Target Context system_u:object_r:efivarfs_t:s0 Target Objects SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [ file ] Source systemd-tty-ask Source Path systemd-tty-ask Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.5-32.fc32.noarch Local Policy RPM selinux-policy-targeted-3.14.5-32.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.6.8-300.fc32.x86_64 #1 SMP Wed Apr 29 19:01:34 UTC 2020 x86_64 x86_64 Alert Count 1 First Seen 2020-05-01 13:08:48 CEST Last Seen 2020-05-01 13:08:48 CEST Local ID 05abfe4f-5e14-4232-a7e5-7f1be0af6a69 Raw Audit Messages type=AVC msg=audit(1588331328.189:208): avc: denied { read } for pid=1906 comm="systemd-tty-ask" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=12847 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 Hash: systemd-tty-ask,systemd_passwd_agent_t,efivarfs_t,file,read Version-Release number of selected component: selinux-policy-targeted-3.14.5-32.fc32.noarch Additional info: component: selinux-policy reporter: libreport-2.12.0 hashmarkername: setroubleshoot kernel: 5.6.8-300.fc32.x86_64 type: libreport
Similar problem has been detected: This happens on every boot. I do not have secureboot enabled, so I'm unsure what is going on. But I am using efi. hashmarkername: setroubleshoot kernel: 5.6.8-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-32.fc32.noarch reason: SELinux is preventing systemd-tty-ask from 'read' accesses on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c. type: libreport
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/364
commit 9f5cfe46706e04a45960a8c98c08f9d2c637abaa Author: Zdenek Pytela <zpytela> Date: Tue Jun 2 17:59:59 2020 +0200 Introduce systemd_read_efivarfs_type attribute Introduce systemd_read_efivarfs_type attribute for domains to read efivarfs. Create a systemd_read_efivarfs() interface to allow a domain be part of the systemd_read_efivarfs_type attribute. Replace fs_read_efivarfs_files() calls in systemd.te with systemd_read_efivarfs().
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.