Bug 1928611 - SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
Summary: SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:98d9cba8729e2440dc964fb1de8...
Duplicates: 1931334 1931385
Depends On:
Blocks:
Reported: 2021-02-15 06:50 UTC by Kamil Páral
Modified: 2021-04-10 09:54 UTC

Fixed In Version: selinux-policy-3.14.6-35.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-04 20:10:18 UTC
Type: ---
Embargoed:



Description Kamil Páral 2021-02-15 06:50:13 UTC
Description of problem:
I just logged in.
SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pcscd should be allowed getattr access on the sys filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pcscd' --raw | audit2allow -M my-pcscd
# semodule -X 300 -i my-pcscd.pp

Additional Information:
Source Context                system_u:system_r:pcscd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ filesystem ]
Source                        pcscd
Source Path                   pcscd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.10.15-200.fc33.x86_64 #1 SMP Wed
                              Feb 10 17:46:55 UTC 2021 x86_64 x86_64
Alert Count                   3
First Seen                    2021-02-12 14:30:08 CET
Last Seen                     2021-02-15 07:47:29 CET
Local ID                      4ee2856a-6926-46de-9391-8f71d7b84a3e

Raw Audit Messages
type=AVC msg=audit(1613371649.274:288): avc:  denied  { getattr } for  pid=2293 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1


Hash: pcscd,pcscd_t,sysfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-34.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
type:           libreport

Comment 1 Micah Shennum 2021-02-15 12:59:06 UTC
Similar problem has been detected:

Been hitting this when I first boot up and log in the last few days. I use a "Yubico.com Yubikey 4/5 OTP+U2F+CCID" for storing the gpg key used by KDE for the stored password wallet, I am assuming this is related to that. I have not encountered actual issues as I am running in permissive mode at the moment.

hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 2 vincent 2021-02-17 19:07:11 UTC
Similar problem has been detected:

Simply logged into Cinnamon

hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 3 Luca Villa 2021-02-18 09:54:59 UTC
Hi all,
same problem detected today:

Additional Information:
Source Context                system_u:system_r:pcscd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ filesystem ]
Source                        pcscd
Source Path                   pcscd
Port                          <Unknown>
Host                          xxxxxxx
Source RPM Packages           
Target RPM Packages           filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxx
Platform                      Linux xxxxxx 5.10.15-200.fc33.x86_64
                              #1 SMP Wed Feb 10 17:46:55 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-02-18 10:02:42 CET
Last Seen                     2021-02-18 10:02:42 CET
Local ID                      3cc866b1-8bc9-44b8-b7eb-cbb18d2a0180

Raw Audit Messages
type=AVC msg=audit(1613638962.888:1052): avc:  denied  { getattr } for  pid=2094 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0


Hash: pcscd,pcscd_t,sysfs_t,filesystem,getattr
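
Added example (not part of the original report or of the selinux-policy project): a small Python parser for the two raw AVC records quoted in the description and in comment 3. It groups them by the fields the report's Hash line lists and shows that the permissive=1 and permissive=0 records are the same denial, blocked only in the second case. The rule it prints is the raw type-enforcement form of the denied access, not the content of the Fedora PR, and all function names are hypothetical.

```python
import re

# The two raw AVC records quoted on this page (description and comment 3).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1613371649.274:288): avc:  denied  { getattr } for  pid=2293 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1613638962.888:1052): avc:  denied  { getattr } for  pid=2094 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # SELinux contexts are user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but still allowed to proceed.
    rec["blocked"] = rec.get("permissive") == "0"
    return rec

def summarize(audit_text):
    """Group denials by (comm, source type, target type, class, permission)."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm)
            g = groups.setdefault(key, {"count": 0, "blocked": 0})
            g["count"] += 1
            g["blocked"] += rec["blocked"]
    return groups

def allow_rule(key):
    """Narrowest type-enforcement rule covering one group of denials."""
    _, stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype}:{tclass} {perm};"

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_AUDIT).items():
        print(",".join(key), stats, allow_rule(key))
```

Reviewing the single rule this produces before loading any locally generated module confirms that the module would grant only `getattr` on the sysfs filesystem object to `pcscd_t` and nothing broader.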

Comment 4 Enrique Meléndez 2021-02-19 06:06:04 UTC
Similar problem has been detected:

I am not 100% sure, but apparently it happens when I first start Chrome or Firefox.

hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 5 Dominik 'Rathann' Mierzejewski 2021-02-19 09:32:55 UTC
Similar problem has been detected:

Tried to log in to github.com in Firefox with 2FA via Yubikey enabled. The denial occurred when Firefox showed the 2FA pop-up.

hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 6 Luca Villa 2021-02-19 09:36:12 UTC
In my case it happens after I insert the USB cable of my old Athena smartcard reader. I think it's regardless of Firefox or Chrome.

Comment 7 Zdenek Pytela 2021-02-19 21:40:55 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/605

Comment 8 Dmitry 2021-02-22 10:38:09 UTC
*** Bug 1931385 has been marked as a duplicate of this bug. ***

Comment 9 CharlieI 2021-02-23 12:50:22 UTC
Similar problem has been detected:

Occurs at boot

hashmarkername: setroubleshoot
kernel:         5.10.16-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 10 Zdenek Pytela 2021-02-24 20:34:59 UTC
*** Bug 1931334 has been marked as a duplicate of this bug. ***

Comment 11 Chris Kelling 2021-02-28 16:02:05 UTC
Similar problem has been detected:

This showed up on boot - I already made a policy to allow it to run.

hashmarkername: setroubleshoot
kernel:         5.10.18-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 12 Manoel Miranda 2021-03-02 12:36:35 UTC
Similar problem has been detected:

After starting the session, typing the user's password, and the desktop appears, this error occurred. I've already reported a similar error. My distribution is Fedora Mate 33.

hashmarkername: setroubleshoot
kernel:         5.10.17-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the sistema de arquivos /sys.
type:           libreport

Comment 13 Marco Hartgring 2021-03-03 02:10:56 UTC
Similar problem has been detected:

Happens upon inserting a YubiKey.

hashmarkername: setroubleshoot
kernel:         5.10.19-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing pcscd from 'getattr' accesses on the filesystem /sys.
type:           libreport

Comment 14 Fedora Update System 2021-03-03 16:56:02 UTC
FEDORA-2021-e9050fdd5c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c

Comment 15 Fedora Update System 2021-03-03 23:53:05 UTC
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e9050fdd5c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2021-03-04 20:10:18 UTC
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 David Auer 2021-04-10 09:54:18 UTC
Got the same thing on F32 but I'll upgrade once F34 is out and that won't be long. Not sure if that is worth reopening and another update for F32 nearing its EOL, I'll leave that decision to you.

