Bug 1593816
Summary: | SELinux is preventing (upowerd) from 'mounton' accesses on the directory /var/lib/upower. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 29 | CC: | alex.ploumistos, alexus_m, dwalsh, franco.geller, lslebodn, lvrabec, mgrepl, nicolas.mailhot, paul.destefano-redhat2, plautrba, pmoore, pretomisturado, redhat-bugzilla |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:eccb92e6c4b0dcf2286cc3d89cc6f81c79c2659013af05f14e32c83cede60185;VARIANT_ID=workstation; | | |
Fixed In Version: | selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-09-12 02:56:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Mikhail
2018-06-21 15:46:54 UTC
Same problem here, since 4.17.2-100.fc27.x86_64 kernel update. The upower.service throws the following log:

```
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-rate-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-charge-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-time-full-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: failed to get data: Failed to open file “/var/lib/upower/history-time-empty-ASUS_Battery-56.dat”: Permission denied
upowerd[1216]: cannot open '/dev/input/event0': Permission denied
systemd[1]: Started Daemon for power management.
upowerd[1216]: Failed to create object manager for BlueZ: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipie
upowerd[1216]: failed to set data: Failed to create file “/var/lib/upower/history-rate-ASUS_Battery-56.dat.YG3MLZ”: Permission denied
upowerd[1216]: failed to set data: Failed to create file “/var/lib/upower/history-rate-ASUS_Battery-56.dat.MUMMLZ”: Permission denied
upowerd[1216]: failed to set data: Failed to create file “/var/lib/upower/history-rate-ASUS_Battery-56.dat.AI59KZ”: Permission denied
```

Description of problem:
On an up-to date rawhide system, after full relabel and another reboot just to be sure

Version-Release number of selected component:
selinux-policy-3.14.2-26.fc29.noarch

Additional info:
reporter: libreport-2.9.5
hashmarkername: setroubleshoot
kernel: 4.18.0-0.rc2.git3.1.fc29.x86_64
type: libreport

I can still see similar AVC on rawhide

```
type=PROCTITLE msg=audit(08/01/2018 11:20:41.773:4536) : proctitle=(upowerd)
type=PATH msg=audit(08/01/2018 11:20:41.773:4536) : item=1 name=/run/systemd/inaccessible/reg inode=16407 dev=00:17 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(08/01/2018 11:20:41.773:4536) : item=0 name=/run/systemd/unit-root/proc/kallsyms inode=4026532080 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_map_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(08/01/2018 11:20:41.773:4536) : cwd=/
type=SYSCALL msg=audit(08/01/2018 11:20:41.773:4536) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x7f3ec3ddf845 a1=0x5606937d9f30 a2=0x0 a3=MS_BIND|MS_REC items=2 ppid=1 pid=4185 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(upowerd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(08/01/2018 11:20:41.773:4536) : avc: denied { mounton } for pid=4185 comm=(upowerd) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(08/01/2018 11:20:41.788:4537) : proctitle=(upowerd)
type=PATH msg=audit(08/01/2018 11:20:41.788:4537) : item=1 name=/run/systemd/unit-root/var/lib/upower inode=100400 dev=00:29 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devicekit_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(08/01/2018 11:20:41.788:4537) : item=0 name=/run/systemd/unit-root/var/lib/upower inode=100400 dev=00:29 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devicekit_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(08/01/2018 11:20:41.788:4537) : cwd=/
type=SYSCALL msg=audit(08/01/2018 11:20:41.788:4537) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x56069376d450 a1=0x56069376d450 a2=0x0 a3=MS_BIND|MS_REC items=2 ppid=1 pid=4185 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(upowerd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(08/01/2018 11:20:41.788:4537) : avc: denied { mounton } for pid=4185 comm=(upowerd) path=/run/systemd/unit-root/var/lib/upower dev="dm-1" ino=100400 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devicekit_var_lib_t:s0 tclass=dir permissive=1
```

But I cannot see directory /run/systemd/unit-root/var/lib/upower even in permissive mode.

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

*** Bug 1622112 has been marked as a duplicate of this bug. ***

*** Bug 1622110 has been marked as a duplicate of this bug. ***

*** Bug 1618514 has been marked as a duplicate of this bug. ***

*** Bug 1594018 has been marked as a duplicate of this bug. ***

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.