Bug 2184900 - SELinux is preventing plymouthd from 'map' accesses on the chr_file /dev/dri/card0.
Summary: SELinux is preventing plymouthd from 'map' accesses on the chr_file /dev/dri/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
medium
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d17a057bb35bc83b7aa9467ae07...
: 2175351 2181742 2182457 2188713 2189454 2192376 2192377 2193061 2196010 2203039 2203328 2210391 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-04-06 07:10 UTC by Michael
Modified: 2023-05-31 17:32 UTC (History)
19 users (show)

Fixed In Version: selinux-policy-38.15-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-31 17:32:12 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: description (1.90 KB, text/plain)
2023-04-06 07:10 UTC, Michael 		no flags Details
File: os_info (756 bytes, text/plain)
2023-04-06 07:10 UTC, Michael 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1674 0 None open Allow plymouthd map dri and framebuffer devices 2023-05-04 22:18:35 UTC

Description Michael 2023-04-06 07:10:02 UTC 
Description of problem:
SELinux is preventing plymouthd from 'map' accesses on the chr_file /dev/dri/card0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that plymouthd should be allowed map access on the card0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plymouthd' --raw | audit2allow -M my-plymouthd
# semodule -X 300 -i my-plymouthd.pp

Additional Information:
Source Context                system_u:system_r:kernel_t:s0
Target Context                system_u:object_r:dri_device_t:s0
Target Objects                /dev/dri/card0 [ chr_file ]
Source                        plymouthd
Source Path                   plymouthd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.8-2.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.8-2.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.9-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Mar 30 22:32:58 UTC 2023
                              x86_64
Alert Count                   62
First Seen                    2023-04-06 09:08:28 CEST
Last Seen                     2023-04-06 09:08:30 CEST
Local ID                      fc5bea17-c8b6-4a25-9510-a460742c9578

Raw Audit Messages
type=AVC msg=audit(1680764910.66:176): avc:  denied  { map } for  pid=459 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=346 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0


Hash: plymouthd,kernel_t,dri_device_t,chr_file,map

Version-Release number of selected component:
selinux-policy-targeted-38.8-2.fc38.noarch

Additional info:
reporter:       libreport-2.17.9
reason:         SELinux is preventing plymouthd from 'map' accesses on the chr_file /dev/dri/card0.
package:        selinux-policy-targeted-38.8-2.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.9-300.fc38.x86_64
component:      selinux-policy
Comment 1 Michael 2023-04-06 07:10:04 UTC 
Created attachment 1956052 [details]
File: description
Comment 2 Michael 2023-04-06 07:10:05 UTC 
Created attachment 1956053 [details]
File: os_info
Comment 3 Zdenek Pytela 2023-04-25 09:15:54 UTC 
*** Bug 2188713 has been marked as a duplicate of this bug. ***
Comment 4 Zdenek Pytela 2023-04-25 10:24:56 UTC 
*** Bug 2189454 has been marked as a duplicate of this bug. ***
Comment 5 Zdenek Pytela 2023-05-02 17:58:53 UTC 
From duplicates:

type=AVC msg=audit(1682928170.643:274): avc:  denied  { map } for  pid=513 comm="plymouthd" path="/dev/fb0" dev="devtmpfs" ino=193 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:framebuf_device_t:s0 tclass=chr_file permissive=0
Comment 6 Zdenek Pytela 2023-05-02 17:59:08 UTC 
*** Bug 2192377 has been marked as a duplicate of this bug. ***
Comment 7 Zdenek Pytela 2023-05-02 17:59:17 UTC 
*** Bug 2192376 has been marked as a duplicate of this bug. ***
Comment 8 Zdenek Pytela 2023-05-02 19:47:31 UTC 
*** Bug 2182457 has been marked as a duplicate of this bug. ***
Comment 9 Zdenek Pytela 2023-05-02 19:48:58 UTC 
*** Bug 2181742 has been marked as a duplicate of this bug. ***
Comment 10 Zdenek Pytela 2023-05-04 09:04:47 UTC 
*** Bug 2193061 has been marked as a duplicate of this bug. ***
Comment 11 Zdenek Pytela 2023-05-04 14:29:54 UTC 
*** Bug 2175351 has been marked as a duplicate of this bug. ***
Comment 12 Zdenek Pytela 2023-05-04 22:18:35 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1674

Please try the scratchbuild
Checks -> Artifacts -> rpms.zip

to see if the fix is complete.
Comment 13 Zdenek Pytela 2023-05-09 08:03:21 UTC 
*** Bug 2196010 has been marked as a duplicate of this bug. ***
Comment 14 Zdenek Pytela 2023-05-11 06:52:29 UTC 
*** Bug 2203039 has been marked as a duplicate of this bug. ***
Comment 15 Zdenek Pytela 2023-05-15 09:57:17 UTC 
*** Bug 2203328 has been marked as a duplicate of this bug. ***
Comment 16 Zdenek Pytela 2023-05-29 07:11:56 UTC 
*** Bug 2210391 has been marked as a duplicate of this bug. ***
Comment 17 Fedora Update System 2023-05-30 19:31:33 UTC 
FEDORA-2023-a19eb5132c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c
Comment 18 Fedora Update System 2023-05-31 02:50:41 UTC 
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a19eb5132c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 19 Fedora Update System 2023-05-31 17:32:12 UTC 
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.