Bug 1460244 - Some processes are denied send_msg to dbus by selinux
Summary: Some processes are denied send_msg to dbus by selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-09 13:11 UTC by David Hill
Modified: 2019-03-07 15:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-08 15:39:48 UTC
Type: Bug
Embargoed:



Description David Hill 2017-06-09 13:11:23 UTC
Description of problem:
Some processes are denied send_msg to dbus by selinux

type=USER_AVC msg=audit(1494603889.524:9388): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1992 spid=1 tpid=11277 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.531:9390): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11278 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.531:9391): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1993 spid=1 tpid=11278 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.609:9395): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11283 tpid=1 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.610:9396): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1995 spid=1 tpid=11283 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495114002.668:11678): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=29152 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495114002.669:11679): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2375 spid=1071 tpid=29152 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495351921.712:12735): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=9451 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495351921.713:12736): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2573 spid=1071 tpid=9451 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495547440.369:14846): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=1997 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495547440.369:14847): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2665 spid=1071 tpid=1997 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1496931062.479:161): pid=1220 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=2010 tpid=1257 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1496931062.479:162): pid=1220 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.20 spid=1257 tpid=2010 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Updated to latest
2. Set selinux in permissive
3. Reboot
4. Look at denied logs

Actual results:
Denied

Expected results:
Allowed or hidden

Additional info:
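
Added example, not part of the original report or of the selinux-policy project: a small Python parser that reduces USER_AVC records like the ones above to client/service conversations and shows whether the reply direction was denied as well. The sample records are shortened, constructed copies of lines quoted in this report (plus one constructed unrelated AVC line), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: shortened copies of USER_AVC records quoted in this
# report, plus one constructed, unrelated AVC record that must be ignored.
SAMPLE = """\
type=USER_AVC msg=audit(1494603889.531:9390): pid=1108 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11278 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1494603889.531:9391): pid=1108 uid=81 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1993 spid=1 tpid=11278 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1495114002.668:11678): pid=1108 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=29152 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1495114002.669:11679): pid=1108 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2375 spid=1071 tpid=29152 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
audit[1075]: USER_AVC pid=1075 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus'
type=AVC msg=audit(1500000000.000:1): avc:  denied  { read } for pid=1 comm="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

FIELD = re.compile(r"(\w+)=(\S+)")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
REPLY_TYPES = {"method_return", "error"}

def parse_dbus_denial(line):
    """Return (source type, target type, msgtype) for a dbus send_msg denial, else None."""
    m = DENIED.search(line)
    if "USER_AVC" not in line or not m or "send_msg" not in m.group(1).split():
        return None
    f = dict(FIELD.findall(line))
    if f.get("tclass", "").rstrip("'") != "dbus":
        return None
    # An SELinux context is user:role:type[:level]; the type is the third field.
    try:
        return (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["msgtype"])
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def conversations(lines):
    """Per (client, service) pair: denied requests, and denied replies coming back."""
    counts = Counter(filter(None, map(parse_dbus_denial, lines)))
    out = []
    for (src, tgt, mtype), n in sorted(counts.items()):
        if mtype in REPLY_TYPES:
            continue
        replies = sum(counts[(tgt, src, r)] for r in REPLY_TYPES)
        out.append((src, tgt, n, replies))
    return out

if __name__ == "__main__":
    for src, tgt, req, rep in conversations(SAMPLE.splitlines()):
        note = "" if rep else "  (reply direction not exercised)"
        print(f"{src} -> {tgt}: requests denied={req}, replies denied={rep}{note}")
```

A reply denial can only be logged once the request has actually been delivered (permissive mode, or the request direction already allowed), so a pair with zero denied replies has not yet shown whether the return path is permitted.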

Comment 1 Jan Kurik 2017-08-15 09:00:58 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 2 bence 2017-08-23 09:54:33 UTC
Fedora 26 WorkStation is also affected.

audit[1075]: USER_AVC pid=1075 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 3 Michael Cronenworth 2017-11-03 13:17:45 UTC
This is still an issue. Any update on this?

Comment 4 Fedora Update System 2017-11-22 08:56:15 UTC
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 5 Fedora Update System 2017-11-22 21:41:55 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 6 Michael Cronenworth 2017-11-22 21:57:44 UTC
Not fixed for F26 or F27.

selinux-policy-3.13.1-260.17.fc26
selinux-policy-3.13.1-283.17.fc27

Comment 7 Fedora Update System 2017-11-28 23:54:20 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Michael Cronenworth 2017-12-19 17:51:09 UTC
I'm getting thousands of these a day so I've written up a type enforcement file that allows, and silences, these audit messages.
---

module my-dbus 1.0;

require {
	type system_dbusd_var_run_t;
	type init_t;
	type sshd_t;
	type postfix_master_t;
	type ftpd_t;
	type saslauthd_t;
	class dbus send_msg;
	class sock_file write;
}

#============= ftpd_t ==============
allow ftpd_t init_t:dbus send_msg;

#============= postfix_master_t ==============
allow postfix_master_t system_dbusd_var_run_t:sock_file write;

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= sshd_t ==============
allow sshd_t init_t:dbus send_msg;

Comment 9 Laurent Jacquot 2018-01-14 19:10:02 UTC
I have also denied accesses to dbus:
module local 1.0;

require {
	type avahi_t;
	type init_t;
	type saslauthd_t;
	type smbd_t;
	class dbus send_msg;
}

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= smbd_t ==============
allow smbd_t avahi_t:dbus send_msg;

Comment 10 Laurent Jacquot 2018-01-14 19:11:43 UTC
To give some context: I relabeled the file system this morning and upgraded to F27 a week or so ago.
selinux-policy-targeted-3.13.1-283.21.fc27.noarch

Comment 11 Samuel Sieb 2018-09-05 17:53:05 UTC
I'm seeing this on fully updated F28.  We use freeipa if that's relevant.

Comment 12 Samuel Sieb 2018-09-05 18:26:34 UTC
Actually, that was F29.

I found that this is causing huge delays on login and logout.  I turned selinux enforcing off and login is now quick instead of taking minutes.  I will need to disable selinux on this laptop because it still pops up lots of selinux notifications.

Comment 13 Michael Cronenworth 2018-09-05 21:54:00 UTC
Yes this is still an issue.

Comment 14 Samuel Sieb 2018-09-08 05:47:56 UTC
What does POST status mean?

Comment 15 Lukas Vrabec 2018-09-10 09:27:33 UTC
It's in the GitHub sources. Right now, setools is breaking the build of the selinux-policy rpm package. When the setools rpm package is in the buildroot, I'll create a new update of the selinux-policy package for F29, and the build will also contain the fix for this ticket.

Comment 16 Fedora Update System 2018-10-05 09:07:00 UTC
selinux-policy-3.14.2-36.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-43e11a7feb

Comment 17 Fedora Update System 2018-10-05 18:23:58 UTC
selinux-policy-3.14.2-36.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-43e11a7feb

Comment 18 Fedora Update System 2018-10-08 15:39:48 UTC
selinux-policy-3.14.2-36.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Michael Cronenworth 2018-10-08 15:42:38 UTC
(In reply to Lukas Vrabec from comment #15)
> It's in the GitHub sources. Right now, setools is breaking the build of the
> selinux-policy rpm package. When the setools rpm package is in the buildroot,
> I'll create a new update of the selinux-policy package for F29, and the build
> will also contain the fix for this ticket.

Lukas, would you also be able to backport this to at least F28 as well?

Comment 20 Máirín Duffy 2019-01-08 13:23:27 UTC
I believe I'm having this issue with F29. I have selinux-policy-3.14.2-44.fc29.noarch.

USER_AVC pid=744 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.677 spid=2536 tpid=6369 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:system_r:fwupd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I was able to get firmware updates working with fwupd in GNOME software after disabling SELinux so I'm pretty sure this AVC error is the reason.

Comment 21 Pascal Mathis 2019-01-13 23:47:34 UTC
I can confirm the issue mentioned by Máirín Duffy when running the newest version of F29. In my case, it only happens when system firmware upgrades for end users and the TPM2 chip are enabled in BIOS.

When launching the fwupd daemon manually within a terminal, everything works smoothly. However, when launching the fwupd daemon through systemd, the execution of /usr/bin/tpm2_pcrlist hangs due to the AVC error mentioned above. Switching SELinux to permissive or disabling the TPM2 chip is an (ugly) workaround.

