Bug 1833729 - SELinux is preventing loginctl from search, read, open access on the file /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1812955
Blocks:
Reported: 2020-05-10 02:44 UTC by Ryan
Modified: 2020-05-25 13:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-05-25 13:50:27 UTC
Type: Bug
Embargoed:



Description Ryan 2020-05-10 02:44:20 UTC
Description of problem:
Noted when the power button was pressed I got a bunch of SELinux alerts.

Version-Release number of selected component (if applicable):
3.14.5-38.fc32

How reproducible:
every boot (unless you create the policy I will outline below)

Steps to Reproduce:
1. Press the power button while logged in
2. note selinux alerts

Actual results:
alerts for loginctl

Expected results:
no alerts

Additional info:

the below policy resolves this issue:

module my-loginctl 1.0;

require {
        type apmd_t;                 # source domain of the denied loginctl accesses
        type efivarfs_t;             # label of the efivarfs mount under /sys/firmware/efi/efivars
        class dir search;
        class file { open read };
}

#============= apmd_t ==============

# directory traversal into the efivars mount
#!!!! This avc is allowed in the current policy
allow apmd_t efivarfs_t:dir search;

# read and open of the SecureBoot-* variable file
#!!!! This avc is allowed in the current policy
allow apmd_t efivarfs_t:file read;
allow apmd_t efivarfs_t:file open;

Comment 1 Ryan 2020-05-10 02:47:35 UTC
note the comment:


#!!!! This avc is allowed in the current policy

is only there because I had to manually create each item to get to the next alert.
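
The iterative "fix one denial, hit the next" loop described above can be shortened by generating the whole module from the collected AVC lines at once. The script below is an added example, not part of the bug report or of selinux-policy: it rebuilds the require/allow skeleton of a local TE module (in the same grouped form as the one Ryan posted) from raw AVC denial lines, so every grant is visible for review before it is compiled and loaded. The AVC lines it uses are constructed to match this bug; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report: rebuild the "require"/"allow"
# skeleton of a local TE module from raw AVC denial lines.
# The AVC lines below are constructed to match this bug's denials
# (apmd_t -> efivarfs_t, loginctl reading the SecureBoot-* variable).

SAMPLE_AVC='type=AVC msg=audit(1589078660.001:100): avc:  denied  { search } for  pid=1234 comm="loginctl" name="/" dev="efivarfs" ino=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1589078660.002:101): avc:  denied  { read } for  pid=1234 comm="loginctl" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589078660.003:102): avc:  denied  { open } for  pid=1234 comm="loginctl" path="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=2 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0'

# avc_to_te MODULE_NAME   (AVC lines on stdin) -> TE source on stdout
avc_to_te() {
    awk -v mod="$1" '
    function uniq(list,   a, n, i, out, have) {   # drop repeated perms, keep first-seen order
        n = split(list, a, " "); out = ""
        for (i = 1; i <= n; i++) if (!(a[i] in have)) { have[a[i]] = 1; out = out " " a[i] }
        return out
    }
    /avc: *denied/ {
        # permissions sit between the braces: "{ search }" or "{ read open }"
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART, RLENGTH), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART, RLENGTH), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        src = s[3]; tgt = t[3]                  # third field of a context is the type
        types[src] = 1; types[tgt] = 1
        key = src "|" tgt "|" cls
        seen[key] = seen[key] " " perms         # one allow rule per (source, target, class)
        classes[cls] = classes[cls] " " perms   # perms the require block must declare per class
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (ty in types)   printf "\ttype %s;\n", ty
        for (cl in classes) printf "\tclass %s {%s };\n", cl, uniq(classes[cl])
        print "}\n"
        for (k in seen) { split(k, f, "|"); printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], uniq(seen[k]) }
    }'
}

# demo_te prints the module for the constructed denials above.
demo_te() { printf '%s\n' "$SAMPLE_AVC" | avc_to_te my-loginctl; }

# Build and load the reviewed module:
#   checkmodule -M -m -o my-loginctl.mod my-loginctl.te
#   semodule_package -o my-loginctl.pp -m my-loginctl.mod
#   semodule -i my-loginctl.pp
# Once the distribution policy carries the fix, drop the local grant: semodule -r my-loginctl
```

Review the generated allow rules before loading them: the script reproduces every denied access it is given, so a stray AVC line from an unrelated domain would be granted too.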

Comment 2 Zdenek Pytela 2020-05-25 13:50:27 UTC
This bug has been resolved in selinux-policy-3.14.5-39.

