Bug 1993271 - Missing type enforcement allow rule for new fwupd version
Summary: Missing type enforcement allow rule for new fwupd version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-08-12 16:33 UTC by Richard Hughes
Modified: 2021-09-29 00:19 UTC

Fixed In Version: selinux-policy-34.21-1.fc35
Clone Of:
Environment:
Last Closed: 2021-09-29 00:19:41 UTC
Type: Bug
Embargoed:


Description Richard Hughes 2021-08-12 16:33:00 UTC
Description of problem:

In fwupd 1.6.3 we connect to NetworkManager at startup to ensure that the USB network interface is up so we can talk to the server BMC controller (which is disabled by default in RHEL). This fails when SELinux is enabled and the daemon fails to start the redfish plugin, which means most of the updatable devices do not show up.

Version-Release number of selected component (if applicable): selinux-policy-34.14-1.fc34.noarch

How reproducible: Always on RHEL, only on Fedora if the USB interface is not set to "auto-connect"

Steps to Reproduce:
1. Update to fwupd 1.6.2 using dnf update
2. Disable autoconnect of the USB network device
3. Do "sudo service fwupd restart" on any machine with a BMC

Actual results:
I get an AVC and fwupd startup hangs for 30 seconds.

Expected results:
That fwupd is able to talk to NetworkManager

Additional info:

(This was generated on RHEL 8.4, but the AVC should be the same)

type=USER_AVC msg=audit(1628784233.943:253): pid=1377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.593 spid=1691 tpid=36436 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
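
The record above says the bus daemon denied a D-Bus `send_msg` (a method return) from `NetworkManager_t` to `fwupd_t`. As an added example (not part of the bug report or of the selinux-policy project), the following parses such USER_AVC records and renders the raw type-enforcement rule each denial corresponds to, similar in spirit to audit2allow; the function names and the second and third log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the record from the bug description; lines 2-3 are constructed
# to exercise the non-AVC and incomplete-record paths.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1628784233.943:253): pid=1377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.593 spid=1691 tpid=36436 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_START msg=audit(1628784233.950:254): pid=1 uid=0 msg='unit=fwupd comm="systemd" res=success'
type=USER_AVC msg=audit(1628784234.001:255): pid=1377 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms), or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    try:
        # A context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], frozenset(m.group(1).split())
    except (KeyError, IndexError):
        return None

def candidate_rules(log_text):
    """Merge denials per (source, target, class) and render TE allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_denial(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

The printed rule is a candidate for policy review only; the change actually merged through the linked PR is not shown on this page.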

Comment 1 Zdenek Pytela 2021-09-22 10:48:31 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/888

Comment 2 Fedora Update System 2021-09-24 10:14:14 UTC
FEDORA-2021-d7a6ae95f1 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d7a6ae95f1

Comment 3 Fedora Update System 2021-09-24 21:44:35 UTC
FEDORA-2021-d7a6ae95f1 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d7a6ae95f1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d7a6ae95f1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2021-09-29 00:19:41 UTC
FEDORA-2021-d7a6ae95f1 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

