Bug 1758746
Summary: | SELinux is preventing boltd from 'read' accesses on the lnk_file driver. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael <michael.scheiffler> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 31 | CC: | angelapuget, ckellner, dovla091, dwalsh, jdiaz, lvrabec, mgrepl, plautrba, praiskup, william_wofford, zpytela |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:b66c51ff9104d836a4c679eb71e0e3cdc8397dc74ce67bc76f7fe1657aca3978;VARIANT_ID=workstation; | | |
Fixed In Version: | selinux-policy-3.14.4-37.fc31 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-10-11 23:18:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Michael
2019-10-05 09:26:52 UTC
*** Bug 1758797 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of bug 1754360 ***

Sorry, I was too quick here, I think the change in bug 1754360 (selinux-policy build 3.14.4-36.fc31) might actually *cause* this.

```
rpm -qa "selinux-policy*"
selinux-policy-3.14.4-36.fc31.noarch
selinux-policy-targeted-3.14.4-36.fc31.noarch
```

```
sudo ausearch -c 'boltd' --start boot --raw
type=AVC msg=audit(1570302004.301:104): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/86CCFD48-205E-4A77-9C48-2021CBEDE341" dev="sysfs" ino=24557 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:105): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/05901221-D566-11D1-B2F0-00A0C9062910" dev="sysfs" ino=24687 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:106): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/8D9DDCBC-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24619 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:107): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/9DBB5994-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24663 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:108): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/wmi/devices/A80593CE-A997-11DA-B012-B622A1EF5492" dev="sysfs" ino=24648 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:109): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:110): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/0-0" dev="sysfs" ino=40678 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:114): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40661 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:115): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8986 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:116): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8769 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:117): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8702 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:118): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=8305 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
```

As a result of this boltd does not work at all anymore:

```
journalctl -b -u bolt
-- Logs begin at Mon 2019-03-18 16:28:32 CET, end at Sat 2019-10-05 21:08:06 CEST. --
Oct 05 21:00:03 cobalt systemd[1]: Starting Thunderbolt system service...
Oct 05 21:00:03 cobalt boltd[1318]: bolt 0.8 starting up.
Oct 05 21:00:04 cobalt boltd[1318]: store: located at: /var/lib/boltd
Oct 05 21:00:04 cobalt boltd[1318]: config: loading user config
Oct 05 21:00:04 cobalt boltd[1318]: config: user config loaded successfully
Oct 05 21:00:04 cobalt boltd[1318]: config: auth mode set to 'enabled'
Oct 05 21:00:04 cobalt boltd[1318]: bouncer: initializing polkit
Oct 05 21:00:04 cobalt boltd[1318]: udev: initializing udev
Oct 05 21:00:04 cobalt boltd[1318]: store: loading domains
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain? ] store: loading domain
Oct 05 21:00:04 cobalt boltd[1318]: journal: opened for 'c9030000-0070'; size: 0 bytes
Oct 05 21:00:04 cobalt boltd[1318]: [c9030000-0070-domain? ] domain: registered (bootacl: 9/16)
Oct 05 21:00:04 cobalt boltd[1318]: store: loading devices
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200 ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0 ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824 ] store: loading device
Oct 05 21:00:04 cobalt boltd[1318]: power: state located at: /run/boltd/power
Oct 05 21:00:04 cobalt boltd[1318]: power: force power support: no
Oct 05 21:00:04 cobalt boltd[1318]: udev: enumerating devices
Oct 05 21:00:04 cobalt boltd[1318]: dbus: exported domain at /org/freedesktop/bolt/domains/c9030000_0070_6f08_23fd_a0485751381d
Oct 05 21:00:04 cobalt boltd[1318]: [00eb011d-b15f-HP Thunderbolt 3Dock ] dbus: exported device at /org/freedesktop/bolt/devices/00eb011d_b15f...
Oct 05 21:00:04 cobalt boltd[1318]: [008b61e9-315f-Dell Thunderbolt Cable ] dbus: exported device at /org/freedesktop/bolt/devices/008b61e9_315f...
Oct 05 21:00:04 cobalt boltd[1318]: [10762168-2f5f-Dell Thunderbolt Dock ] dbus: exported device at /org/freedesktop/bolt/devices/10762168_2f5f...
Oct 05 21:00:04 cobalt boltd[1318]: [60515100-0200-Thunderbolt to Gigabit Ethe] dbus: exported device at /org/freedesktop/bolt/devices/60515100_0200...
Oct 05 21:00:04 cobalt boltd[1318]: [003299ed-d8a0-Thunderbolt3 Graphic Dock ] dbus: exported device at /org/freedesktop/bolt/devices/003299ed_d8a0...
Oct 05 21:00:04 cobalt boltd[1318]: [002b12dc-739d-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/002b12dc_739d...
Oct 05 21:00:04 cobalt boltd[1318]: [00d81a34-3824-ThinkPad Thunderbolt 3 Dock] dbus: exported device at /org/freedesktop/bolt/devices/00d81a34_3824...
Oct 05 21:00:04 cobalt systemd[1]: Started Thunderbolt system service.
Oct 05 21:00:04 cobalt boltd[1318]: domain: could not find domain for device at '/sys/devices/pci0000:00/0000:00:1c.4/0000:03:00.0/0000:04:00.0/0000:05:00.0/domain0/0-0/0-1'
```

NB: it can not find any thunderbolt hardware (should appear between "udev: enumerating devices" and "dbus: exported domain at").

*** This bug has been marked as a duplicate of bug 1759019 ***

FEDORA-2019-5adca37a25 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

*** Bug 1759596 has been marked as a duplicate of this bug. ***

selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

selinux-policy-3.14.4-37.fc31 got things back to working for me

selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
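For triage of a denial burst like the one in the `ausearch` output above, the following added example (not part of the original report and not Fedora or SELinux tooling) parses raw AVC records and groups the denied permissions by source type, target type and object class. The function names are hypothetical; the three sample records are copied from this report.

```python
import re
from collections import defaultdict

# Three AVC records copied from the ausearch output in this report.
SAMPLE = """\
type=AVC msg=audit(1570302004.301:109): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/domain0" dev="sysfs" ino=40660 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.301:110): avc: denied { getattr } for pid=1318 comm="boltd" path="/sys/bus/thunderbolt/devices/0-0" dev="sysfs" ino=40678 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1570302004.325:113): avc: denied { read } for pid=1318 comm="boltd" name="subsystem" dev="sysfs" ino=40679 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough to name the access
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def format_summary(summary):
    """Render each group in policy-rule notation (a description, not a fix)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(format_summary(summarize(SAMPLE))))
```

The rule-style line only states which access the policy refused; whether that access belongs in policy is a decision for the selinux-policy maintainers, as happened in this bug.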