Bug 1300456 - SELinux is preventing fwupd from 'write' accesses on the directory 0000:00:02.0.
Summary: SELinux is preventing fwupd from 'write' accesses on the directory 0000:00:02.0.
Keywords:
Status: CLOSED DUPLICATE of bug 1314637
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b83942374b9094b38a81442d347...
Duplicates: 1312928
Depends On:
Blocks:
Reported: 2016-01-20 21:29 UTC by Stephen Gallagher
Modified: 2016-04-25 07:58 UTC

Fixed In Version: selinux-policy-3.13.1-179.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-16 11:26:54 UTC
Type: ---
Embargoed:


Description Stephen Gallagher 2016-01-20 21:29:20 UTC
Description of problem:
SELinux is preventing fwupd from 'write' accesses on the directory 0000:00:02.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fwupd should be allowed write access on the 0000:00:02.0 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fwupd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fwupd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                0000:00:02.0 [ dir ]
Source                        fwupd
Source Path                   fwupd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-167.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc0.git1.1.fc24.x86_64 #1
                              SMP Tue Jan 12 20:40:44 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-20 16:28:37 EST
Last Seen                     2016-01-20 16:28:37 EST
Local ID                      62fdada2-ff68-49e4-ab32-c01085db6068

Raw Audit Messages
type=AVC msg=audit(1453325317.11:2011): avc:  denied  { write } for  pid=7929 comm="fwupd" name="0000:00:02.0" dev="sysfs" ino=6123 scontext=system_u:system_r:fwupd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1


Hash: fwupd,fwupd_t,sysfs_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2016-01-21 08:10:35 UTC
Thank you for reporting this issue. fwupd_t is a permissive domain so this access should not be blocked.

Comment 2 Lukas Vrabec 2016-01-21 14:48:33 UTC
Hi Stephen,
Could you also attach the SYSCALL? I believe this is just an access check. Maybe we could dontaudit this.

Comment 3 Stephen Gallagher 2016-01-21 15:00:54 UTC
(In reply to Lukas Vrabec from comment #2)
> Hi Stephen, 
> Could you also attach the SYSCALL? I believe this is just an access check. Maybe we
> could dontaudit this.

Where would I get that information? I just hit the "Report Bug" button in the troubleshooter. I have no idea what triggered it.

Comment 4 Miroslav Grepl 2016-01-25 07:25:11 UTC
Unfortunately, it is not easy to get the SYSCALL part of audit events. It is turned off by default on Fedora.

# This suppresses syscall auditing for all tasks started
# with this rule in effect.  Remove it if you need syscall
# auditing.
-a task,never

You would need to comment out this line, reload the audit daemon and try to reproduce it.

Comment 5 Giulio 'juliuxpigface' 2016-01-28 19:26:36 UTC
Description of problem:
This popped up after booting a system installed from Fedora Rawhide 20160121 (not yet updated).

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git7.1.fc24.x86_64
type:           libreport

Comment 6 Stephen Gallagher 2016-02-08 13:31:48 UTC
(In reply to Miroslav Grepl from comment #4)
> Unfortunately, it is not easy to get the SYSCALL part of audit events. It is turned
> off by default on Fedora.
> 
> # This suppresses syscall auditing for all tasks started
> # with this rule in effect.  Remove it if you need syscall
> # auditing.
> -a task,never
> 
> You would need to comment out this line, reload the audit daemon and try to
> reproduce it.

Where is that line? I can't find it in /etc/selinux anywhere.

Comment 7 Daniel Walsh 2016-02-08 20:00:45 UTC
/etc/audit/audit.rules

Comment 8 P. A. López-Valencia 2016-02-12 00:12:21 UTC
Description of problem:
I'm reporting this error after enabling task watching in auditd.

Version-Release number of selected component:
selinux-policy-3.13.1-169.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc3.git1.1.fc24.x86_64
type:           libreport

Comment 9 P. A. López-Valencia 2016-02-12 00:16:59 UTC
*Sigh* No attachments uploaded, as it was treated as a duplicate.

The error, with task auditing enabled, is:

SELinux is preventing /usr/libexec/fwupd/fwupd from write access on the directory 0000:00:02.0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fwupd should be allowed write access on the 0000:00:02.0 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fwupd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fwupd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                0000:00:02.0 [ dir ]
Source                        fwupd
Source Path                   /usr/libexec/fwupd/fwupd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fwupd-0.6.1-2.fc24.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-169.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fera 4.5.0-0.rc3.git1.1.fc24.x86_64 #1 SMP
                              Tue Feb 9 22:21:52 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-02-11 19:08:28 COT
Last Seen                     2016-02-11 19:08:28 COT
Local ID                      da0d757a-aa8a-468a-a29c-de7dbd1e7bf6

Raw Audit Messages
type=AVC msg=audit(1455235708.420:383): avc:  denied  { write } for  pid=2258 comm="fwupd" name="0000:00:02.0" dev="sysfs" ino=1793 scontext=system_u:system_r:fwupd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1455235708.420:383): arch=x86_64 syscall=open success=no exit=EACCES a0=563059001140 a1=c1 a2=1b6 a3=7fff707aa01d items=0 ppid=1 pid=2258 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fwupd exe=/usr/libexec/fwupd/fwupd subj=system_u:system_r:fwupd_t:s0-s0:c0.c1023 key=(null)

Hash: fwupd,fwupd_t,sysfs_t,dir,write
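To make the SYSCALL record above useful to a policy reviewer, here is an added example (not from the bug report, fwupd or selinux-policy) that joins the AVC and SYSCALL records by audit event id and decodes open(2)'s a1/a2 arguments; on the records from this comment it shows an open(O_WRONLY|O_CREAT|O_EXCL, 0666), i.e. a file-creation attempt inside a sysfs directory, logged but not enforced (permissive=1). The record copies are constructed from this comment and trimmed to the fields used.

```python
# Added example (not part of the bug report, fwupd or selinux-policy): join the AVC and
# SYSCALL records quoted in comment 9 and decode what fwupd actually attempted.
import re

# Constructed copies of the two records from comment 9, trimmed to the fields used here.
AVC_LINE = ('type=AVC msg=audit(1455235708.420:383): avc:  denied  { write } for  pid=2258 '
            'comm="fwupd" name="0000:00:02.0" dev="sysfs" ino=1793 '
            'scontext=system_u:system_r:fwupd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1455235708.420:383): arch=x86_64 syscall=open '
                'success=no exit=EACCES a0=563059001140 a1=c1 a2=1b6 a3=7fff707aa01d '
                'pid=2258 uid=0 comm=fwupd exe=/usr/libexec/fwupd/fwupd key=(null)')

# open(2) flag bits on x86_64 (octal values from <asm-generic/fcntl.h>).
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o200: "O_EXCL",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o200000: "O_DIRECTORY",
              0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC"}

def parse_record(line):
    """Split one audit record into key=value fields plus the event id and AVC permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["event_id"] = re.search(r'msg=audit\([\d.]+:(\d+)\)', line).group(1)
    perms = re.search(r'\{\s*([^}]*?)\s*\}', line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields

def decode_open_flags(a1_hex):
    """Name the flag bits in open(2)'s second argument, lowest bit first."""
    flags = int(a1_hex, 16)
    names = [name for bit, name in sorted(OPEN_FLAGS.items()) if flags & bit]
    return ["O_RDONLY"] + names if flags & 0o3 == 0 else names

def correlate(avc_line, syscall_line):
    """Join the AVC and SYSCALL records of one event into a reviewer-friendly summary."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event_id"] != sc["event_id"]:
        raise ValueError("AVC and SYSCALL records belong to different events")
    return {
        "domain": avc["scontext"].split(":")[2],                     # fwupd_t
        "target": (avc["tcontext"].split(":")[2], avc["tclass"], avc["name"]),
        "perms": avc["perms"],
        "syscall": sc["syscall"],
        "flags": decode_open_flags(sc["a1"]),
        "mode": oct(int(sc["a2"], 16)),                              # a2 is the mode argument
        "exit": sc["exit"],
        # permissive=1 means SELinux only logged the denial; the EACCES
        # was returned by the kernel itself, not enforced by SELinux.
        "selinux_enforced": avc["permissive"] == "0",
    }
```

Run `correlate(AVC_LINE, SYSCALL_LINE)` to get the summary dict; the same functions work on any AVC/SYSCALL pair pulled from /var/log/audit/audit.log once syscall auditing is enabled as described in comment 4.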

Comment 10 Jan Kurik 2016-02-24 15:52:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 11 Lukas Vrabec 2016-03-01 12:26:06 UTC
*** Bug 1312928 has been marked as a duplicate of this bug. ***

Comment 12 Laurent Wandrebeck 2016-03-09 11:52:36 UTC
Description of problem:
Appeared when GNOME was launched for the first time after updating from F23 to F24.

Version-Release number of selected component:
selinux-policy-3.13.1-176.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport

Comment 13 Andrew Cook 2016-03-15 20:59:43 UTC
On my system fwupd is running as a child of dbus instead of in its service.

Comment 14 Lukas Vrabec 2016-03-16 11:26:54 UTC

*** This bug has been marked as a duplicate of bug 1314637 ***

Comment 15 mac plox 2016-03-24 12:23:27 UTC
*** Bug 1320989 has been marked as a duplicate of this bug. ***

