In openQA testing, colord-1.4.7-1.fc40 failed due to its service (colord.service) failing to start up. The journal shows this:

Jan 22 09:23:44 fedora systemd[1]: Starting colord.service - Manage, Install and Generate Color Profiles...
Jan 22 09:23:44 fedora audit[1159]: AVC avc: denied { nnp_transition } for pid=1159 comm="(colord)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=0
Jan 22 09:23:44 fedora audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:colord_t:s0
Jan 22 09:23:44 fedora audit[1159]: AVC avc: denied { read write } for pid=1159 comm="colord" name="mapping.db" dev="vda3" ino=170631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
Jan 22 09:23:44 fedora audit[1159]: AVC avc: denied { read } for pid=1159 comm="colord" name="mapping.db" dev="vda3" ino=170631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
Jan 22 09:23:44 fedora colord[1159]: CdMain: failed to load mapping database: Can't open database: unable to open database file
Jan 22 09:23:44 fedora systemd[1]: colord.service: Main process exited, code=exited, status=1/FAILURE
Jan 22 09:23:44 fedora systemd[1]: colord.service: Failed with result 'exit-code'.
Jan 22 09:23:44 fedora systemd[1]: Failed to start colord.service - Manage, Install and Generate Color Profiles.

i.e. it's failing because it can't open its database due to an SELinux denial. Assigning to selinux-policy for now but we can move it to colord if this is a colord bug.
Note the update is gated by the failed test so the issue isn't reproducible in regular Rawhide. You'd have to install the update manually to test. https://koji.fedoraproject.org/koji/search?terms=colord-1.4.7-1.fc40&type=build&match=exact
The following SELinux denials appear in enforcing mode:

----
type=PROCTITLE msg=audit(01/23/2024 04:54:50.985:586) : proctitle=/usr/libexec/colord
type=PATH msg=audit(01/23/2024 04:54:50.985:586) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139563 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/23/2024 04:54:50.985:586) : item=0 name=/usr/libexec/colord inode=203766 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:colord_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/23/2024 04:54:50.985:586) : cwd=/
type=EXECVE msg=audit(01/23/2024 04:54:50.985:586) : argc=1 a0=/usr/libexec/colord
type=SYSCALL msg=audit(01/23/2024 04:54:50.985:586) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55f24d7b4100 a1=0x55f24d7aaf30 a2=0x55f24c9b0f60 a3=0x55f24d7aae40 items=2 ppid=1 pid=1844 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(01/23/2024 04:54:50.985:586) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:colord_t:s0
type=AVC msg=audit(01/23/2024 04:54:50.985:586) : avc: denied { nnp_transition } for pid=1844 comm=(colord) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=0
----
type=PROCTITLE msg=audit(01/23/2024 04:54:50.989:587) : proctitle=/usr/libexec/colord
type=PATH msg=audit(01/23/2024 04:54:50.989:587) : item=1 name=/var/lib/colord/mapping.db inode=262269 dev=fc:02 mode=file,644 ouid=colord ogid=colord rdev=00:00 obj=system_u:object_r:colord_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/23/2024 04:54:50.989:587) : item=0 name=/var/lib/colord/ inode=262265 dev=fc:02 mode=dir,755 ouid=colord ogid=colord rdev=00:00 obj=system_u:object_r:colord_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/23/2024 04:54:50.989:587) : cwd=/
type=SYSCALL msg=audit(01/23/2024 04:54:50.989:587) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x562d1647b02c a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=2 ppid=1 pid=1844 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(01/23/2024 04:54:50.989:587) : avc: denied { read write } for pid=1844 comm=colord name=mapping.db dev="vda2" ino=262269 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/23/2024 04:54:50.990:588) : proctitle=/usr/libexec/colord
type=PATH msg=audit(01/23/2024 04:54:50.990:588) : item=0 name=/var/lib/colord/mapping.db inode=262269 dev=fc:02 mode=file,644 ouid=colord ogid=colord rdev=00:00 obj=system_u:object_r:colord_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/23/2024 04:54:50.990:588) : cwd=/
type=SYSCALL msg=audit(01/23/2024 04:54:50.990:588) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x562d1647b02c a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1844 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(01/23/2024 04:54:50.990:588) : avc: denied { read } for pid=1844 comm=colord name=mapping.db dev="vda2" ino=262269 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
----

The denials appear after upgrade to the 1.4.7-1.fc40 version and restart of the colord service.
The following SELinux denial appeared in permissive mode:

----
type=PROCTITLE msg=audit(01/23/2024 04:58:21.754:592) : proctitle=/usr/libexec/colord
type=PATH msg=audit(01/23/2024 04:58:21.754:592) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139563 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/23/2024 04:58:21.754:592) : item=0 name=/usr/libexec/colord inode=203766 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:colord_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/23/2024 04:58:21.754:592) : cwd=/
type=EXECVE msg=audit(01/23/2024 04:58:21.754:592) : argc=1 a0=/usr/libexec/colord
type=SYSCALL msg=audit(01/23/2024 04:58:21.754:592) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55909e052b20 a1=0x55909e052a90 a2=0x55909d259020 a3=0x55909e05ff00 items=2 ppid=1 pid=1864 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)
type=AVC msg=audit(01/23/2024 04:58:21.754:592) : avc: denied { nnp_transition } for pid=1864 comm=(colord) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=1
----
# rpm -qa | grep color
color-filesystem-1-31.fc39.noarch
colord-libs-1.4.7-1.fc40.x86_64
colord-1.4.7-1.fc40.x86_64
# grep -i nonew /usr/lib/systemd/system/colord.service
NoNewPrivileges=true
#
NoNewPrivileges=true was added in https://github.com/hughsie/colord/commit/d7352455075f6a6eb32e7d256dadb436cbd15ae8 . Is it a problem? hughsie is already CCed.
(In reply to Adam Williamson from comment #5)
> NoNewPrivileges=true was added in
> https://github.com/hughsie/colord/commit/d7352455075f6a6eb32e7d256dadb436cbd15ae8 . Is it a problem? hughsie is
> already CCed.

Not a problem, just needs an explicit rule, PR which adds it is already on github.

We expect more reports like this given https://discussion.fedoraproject.org/t/f40-change-proposal-systemd-security-hardening-system-wide/96423

PrivateTmp is another example. We will try to find a generic solution.
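The journal excerpt in the first comment and the ausearch records above show the failure pattern that NoNewPrivileges=true produces when the policy lacks an nnp_transition rule: the exec-time transition init_t -> colord_t is refused (the SELINUX_ERR security_bounded_transition record), the daemon keeps running as init_t, and every later access to colord_var_lib_t files is then denied, which is why colord cannot open mapping.db. The following is an added example, not code from the bug report, colord or selinux-policy: a small audit-log triage script that parses AVC records in either journal or `ausearch -i` form, groups them by pid, flags a blocked nnp_transition, lists the follow-up file denials that stem from the process staying in the source domain, and prints the minimal allow rule implied by the denial. The sample input is the page's own journal lines embedded as a constructed string; the rule it prints is only the literal translation of the denial, and the real fix is the policy PR mentioned in the reply above.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the journal excerpt from comment 1 of the bug report.
SAMPLE_JOURNAL = """\
Jan 22 09:23:44 fedora systemd[1]: Starting colord.service - Manage, Install and Generate Color Profiles...
Jan 22 09:23:44 fedora audit[1159]: AVC avc: denied { nnp_transition } for pid=1159 comm="(colord)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=0
Jan 22 09:23:44 fedora audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:colord_t:s0
Jan 22 09:23:44 fedora audit[1159]: AVC avc: denied { read write } for pid=1159 comm="colord" name="mapping.db" dev="vda3" ino=170631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
Jan 22 09:23:44 fedora audit[1159]: AVC avc: denied { read } for pid=1159 comm="colord" name="mapping.db" dev="vda3" ino=170631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
Jan 22 09:23:44 fedora colord[1159]: CdMain: failed to load mapping database: Can't open database: unable to open database file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
# Works for both the journal form and the ausearch -i form (comm=(colord) unquoted).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def domain(ctx):
    """system_u:system_r:init_t:s0 -> init_t (the type field of a context)."""
    return ctx.split(":")[2]


def analyze(journal_text):
    """Group denials by pid and report blocked nnp_transition attempts.

    A denied nnp_transition on class process2 means the process stayed in
    scontext's domain; any later denial from that same domain against the
    target domain's private types is a consequence, not a separate bug.
    """
    denials = [r for r in map(parse_avc, journal_text.splitlines()) if r]
    by_pid = defaultdict(list)
    for r in denials:
        by_pid[r.get("pid", "?")].append(r)

    findings = []
    for pid, recs in by_pid.items():
        nnp = [r for r in recs if r.get("tclass") == "process2" and "nnp_transition" in r["perms"]]
        if not nnp:
            continue
        src, dst = domain(nnp[0]["scontext"]), domain(nnp[0]["tcontext"])
        # Follow-up denials: still running as the source domain, non-process classes.
        followups = [r for r in recs if r.get("tclass") != "process2" and domain(r["scontext"]) == src]
        findings.append({
            "pid": pid,
            "blocked_transition": (src, dst),
            # permissive=1 means the transition was logged but not blocked
            "enforced": nnp[0].get("permissive") == "0",
            "followup_denials": [(sorted(r["perms"]), r.get("name"), domain(r["tcontext"])) for r in followups],
            # Literal translation of the denial; the proper fix is a policy interface, not a raw rule.
            "suggested_rule": f"allow {src} {dst}:process2 {{ nnp_transition }};",
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_JOURNAL), indent=2))
```

The `enforced` flag distinguishes the enforcing-mode records (permissive=0, service fails) from the permissive-mode record later in the thread (permissive=1, where the SYSCALL record shows the process did end up in colord_t and only the denial was logged), so the same script can confirm that a permissive run no longer produces the follow-up file denials.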
Test coverage for this bug exists in the form of a PR:
* https://src.fedoraproject.org/tests/selinux/pull-request/467
The PR is waiting for a review.