Bug 1460244
Summary: Some processes are denied send_msg to dbus by selinux

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Hill <dhill> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 29 | CC: | alvin, bence, dan, duffy, dwalsh, fedoraproject, jflorian, jk, mesquunclub, mike, samuel-rhbugs |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-08 15:39:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
David Hill
2017-06-09 13:11:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

Fedora 26 WorkStation is also affected.

audit[1075]: USER_AVC pid=1075 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

This is still an issue. Any update on this?

selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Not fixed for F26 or F27.
selinux-policy-3.13.1-260.17.fc26
selinux-policy-3.13.1-283.17.fc27

selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

I'm getting thousands of these a day so I've written up a type enforcement file that allows, and silences, these audit messages.

```
module my-dbus 1.0;

require {
	type system_dbusd_var_run_t;
	type init_t;
	type sshd_t;
	type postfix_master_t;
	type ftpd_t;
	type saslauthd_t;
	class dbus send_msg;
	class sock_file write;
}

#============= ftpd_t ==============
allow ftpd_t init_t:dbus send_msg;

#============= postfix_master_t ==============
allow postfix_master_t system_dbusd_var_run_t:sock_file write;

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= sshd_t ==============
allow sshd_t init_t:dbus send_msg;
```

I have also denied accesses to dbus:

```
module local 1.0;

require {
	type avahi_t;
	type init_t;
	type saslauthd_t;
	type smbd_t;
	class dbus send_msg;
}

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= smbd_t ==============
allow smbd_t avahi_t:dbus send_msg;
```

To give some context: I have relabeled the file system this morning and upgraded to f27 a week or so ago. selinux-policy-targeted-3.13.1-283.21.fc27.noarch

I'm seeing this on fully updated F28. We use freeipa if that's relevant.

Actually, that was F29.

I found that this is causing huge delays on login and logout. I turned selinux enforcing off and login is now quick instead of taking minutes. I will need to disable selinux on this laptop because it still pops up lots of selinux notifications.

Yes this is still an issue.

What does POST status mean?

It's in github sources. Right now, setools is breaking the build of the selinux-policy rpm package. When the setools rpm package is in the buildroot, I'll create a new update of the selinux-policy package for F29 and the build will also contain the fix for this ticket.

selinux-policy-3.14.2-36.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-43e11a7feb

selinux-policy-3.14.2-36.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-43e11a7feb

selinux-policy-3.14.2-36.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to Lukas Vrabec from comment #15)
> It's in github sources. Right now, setools breaking build of selinux-policy
> rpm package. When setools rpm package will be in buildroot, I'll create new
> update of selinux-policy package for F29 and build will contain also fix for
> this ticket

Lukas, would you also be able to backport this to at least F28 as well?

I believe I'm having this issue with F29. I have selinux-policy-3.14.2-44.fc29.noarch.

USER_AVC pid=744 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.677 spid=2536 tpid=6369 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I was able to get firmware updates working with fwupd in GNOME software after disabling SELinux so I'm pretty sure this AVC error is the reason.

I can confirm the issue mentioned by Máirín Duffy when running the newest version of F29. In my case, it only happens when system firmware upgrades for end users and the TPM2 chip are enabled in BIOS. When launching the fwupd daemon manually within a terminal, everything works smoothly. However, when launching the fwupd daemon through systemd, the execution of /usr/bin/tpm2_pcrlist hangs due to the AVC error mentioned above. Switching SELinux to permissive or disabling the TPM2 chip is an (ugly) workaround.
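The following Python script is an added example, not code from this bug report or from the selinux-policy project: it does what the local TE module posted above does by hand, parsing USER_AVC records of the kind quoted in this bug (the two records are embedded here as constructed sample input) into (source type, target type, class, permission) tuples and emitting an audit2allow-style module. The module name `local_dbus` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the two USER_AVC records quoted in this bug.
SAMPLE_AUDIT = """\
audit[1075]: USER_AVC pid=1075 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
USER_AVC pid=744 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.677 spid=2536 tpid=6369 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Pull the permission set, source/target contexts and object class out of a record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Type field of a user:role:type[:range] SELinux context, e.g. sshd_t."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            yield (context_type(m.group("scontext")),
                   context_type(m.group("tcontext")),
                   m.group("tclass"), perm)

def generate_te(text, module_name="local_dbus", version="1.0"):
    """Build a TE module in the same shape as the one posted in this bug (module_name is assumed)."""
    rules = defaultdict(set)      # (stype, ttype, tclass) -> {perm, ...}
    classes = defaultdict(set)    # tclass -> {perm, ...} for the require block
    types = set()
    for stype, ttype, tclass, perm in parse_denials(text):
        rules[(stype, ttype, tclass)].add(perm)
        classes[tclass].add(perm)
        types.update((stype, ttype))
    if not rules:
        return ""
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # One allow rule per (source, target, class); repeated denials are merged, not duplicated.
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

The output is built and loaded like audit2allow output (checkmodule -M -m -o local_dbus.mod local_dbus.te; semodule_package -o local_dbus.pp -m local_dbus.mod; semodule -i local_dbus.pp), but each generated rule should be read first: `allow sshd_t init_t:dbus { send_msg }` grants every method call from sshd_t to init_t over the bus, not only the LookupDynamicUserByName call seen in the denial, which is why the upstream policy fix is the better end state.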