Bug 1636823 - SELinux is preventing (boltd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/boltd.
Summary: SELinux is preventing (boltd) from 'mounton' accesses on the directory /run/s...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:46c911a8f05007638070614ecc1...
Duplicates: 1636660
Depends On:
Blocks: F29FinalFreezeException

Reported: 2018-10-08 01:55 UTC by Chuck Mattern
Modified: 2018-10-18 11:07 UTC (History)
CC List: 15 users

Fixed In Version: selinux-policy-3.14.2-40.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-18 11:07:32 UTC
Type: ---
Embargoed:


Attachments
journalctl log (323.22 KB, text/plain), 2018-10-14 14:28 UTC, Chris Murphy

Description Chuck Mattern 2018-10-08 01:55:15 UTC
Description of problem:
Error occurs at system boot and with systemctl restart bolt.
Running on an old Lenovo T410 with no Thunderbolt hardware and getting the errors below.

SELinux is preventing (boltd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/boltd.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/run/systemd/unit-root/run/boltd default label should be init_var_run_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/systemd/unit-root/run/boltd

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that (boltd) should be allowed mounton access on the boltd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-36.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.11-301.fc29.x86_64 #1 SMP Mon
                              Oct 1 13:47:10 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-07 21:39:41 EDT
Last Seen                     2018-10-07 21:51:35 EDT
Local ID                      e7bd2d98-28f9-4b8c-a713-5f462d3338a2

Raw Audit Messages
type=AVC msg=audit(1538963495.536:297): avc:  denied  { mounton } for  pid=4721 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=56475 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0


Hash: (boltd),init_t,boltd_var_run_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.11-301.fc29.x86_64
type:           libreport

Potential duplicate: bug 1636660
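
The denial above is raised in the init_t domain, not in boltd's own domain: the comm "(boltd)" is systemd's forked child setting up bolt.service before exec, and the path under /run/systemd/unit-root is where systemd stages the unit's private mount namespace, which is why relabeling the (empty) host path cannot help and the fix had to be a policy change allowing systemd to mount boltd_var_run_t directories. The following is an added example, not code from this report or from selinux-policy or setroubleshoot: it parses the raw AVC records exactly as printed in this report, rebuilds the "Hash:" signature tuple setroubleshoot prints, and collapses the denials into the audit2allow-style rule that a local module from `ausearch -c '(boltd)' --raw | audit2allow -M my-boltd` would contain. The two AVC lines are copied from this report; everything else (function names, the grouping logic) is this example's own.

```python
"""Parse raw SELinux AVC records and derive the setroubleshoot-style
signature and the minimal audit2allow-style TE rule.

Added example for this bug report; not part of selinux-policy,
setroubleshoot or audit2allow. The AVC records below are copied from
the "Raw Audit Messages" sections of the report.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = [
    'type=AVC msg=audit(1538963495.536:297): avc:  denied  { mounton } for  pid=4721 '
    'comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=56475 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(1539457784.476:238): avc:  denied  { mounton } for  pid=2080 '
    'comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=47233 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 '
    'tclass=dir permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'path': fields.get('path'),
        # user:role:type:level -> the type is what policy rules are written against
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not actually blocked
        'enforced': fields.get('permissive') == '0',
    }


def signature(rec):
    """The tuple setroubleshoot prints as 'Hash:' (comm,source type,target type,class,perms)."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'],
                     ','.join(sorted(rec['perms']))])


def te_rules(records):
    """Collapse denials into one allow rule per (source, target, class), as audit2allow does."""
    grouped = defaultdict(set)
    for r in records:
        if r is not None and r['result'] == 'denied':
            grouped[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_txt = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_txt = '{ ' + perm_txt + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_txt};')
    return rules


def blocked_records(lines):
    """Only the denials that were actually enforced (permissive=0)."""
    recs = [parse_avc(l) for l in lines]
    return [r for r in recs if r is not None and r['result'] == 'denied' and r['enforced']]


if __name__ == '__main__':
    recs = blocked_records(SAMPLE_AVCS)
    for r in recs:
        print('Hash:', signature(r))
    print('\n'.join(te_rules(recs)))
```

Note that the generated rule (`allow init_t boltd_var_run_t:dir mounton;`) grants the access to the init_t domain, i.e. to systemd itself, so loading it as a local module is a broader grant than it looks; for a denial in a stock domain such as this one, reporting it and taking the distribution's policy update (here selinux-policy-3.14.2-40.fc29) is the right fix rather than carrying a local module.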

Comment 1 Pavel Roskin 2018-10-09 19:26:21 UTC
Description of problem:
Seeing this issue after every reboot.

The suggestion to run "/sbin/restorecon -v /run/systemd/unit-root/run/boltd" didn't help, as /run/systemd/unit-root is an empty directory.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport

Comment 2 Lukas Vrabec 2018-10-12 16:08:10 UTC
*** Bug 1636660 has been marked as a duplicate of this bug. ***

Comment 3 Carwyn Edwards 2018-10-12 16:42:17 UTC
I'm also getting this, happens to be a system with no thunderbolt interfaces on it at all.

Comment 4 Chris Murphy 2018-10-13 19:15:04 UTC
Running on battery with nothing connected; I do get notification for this denial in GNOME.


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:boltd_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/boltd [ dir ]
Source                        (boltd)
Source Path                   (boltd)
Port                          <Unknown>
Host                          flap.local
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     flap.local
Platform                      Linux flap.local 4.18.12-300.fc29.x86_64 #1 SMP
                              Thu Oct 4 15:01:22 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-13 13:09:43 MDT
Last Seen                     2018-10-13 13:09:44 MDT
Local ID                      16fa60d7-2c18-4197-986e-94e11c790d3e

Raw Audit Messages
type=AVC msg=audit(1539457784.476:238): avc:  denied  { mounton } for  pid=2080 comm="(boltd)" path="/run/systemd/unit-root/run/boltd" dev="tmpfs" ino=47233 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=dir permissive=0


Hash: (boltd),init_t,boltd_var_run_t,dir,mounton

Comment 5 Zdenek Chmelar 2018-10-14 12:37:15 UTC
Description of problem:
Appeared right after the first login on the desktop. System had been upgraded to F29 before.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport

Comment 6 Chris Murphy 2018-10-14 14:28:19 UTC
Created attachment 1493729 [details]
journalctl log

Just in case it's useful to see what all boltd is doing (or at least logging) in relation to the AVC's. Used -o short-monotonic time.

Comment 7 xzj8b3 2018-10-14 15:41:36 UTC
Description of problem:
# ausearch -c '(boltd)' --raw | audit2allow -M my-boltd
# semodule -X 300 -i my-boltd.pp

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport

Comment 8 Timur Kristóf 2018-10-15 11:20:27 UTC
Description of problem:
This showed up at boot after I updated to Fedora 29. I believe the thunderbolt daemon should be allowed to access its own directory.

Version-Release number of selected component:
selinux-policy-3.14.2-36.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.12-300.fc29.x86_64
type:           libreport

Comment 9 Lukas Vrabec 2018-10-15 12:13:42 UTC
commit 2d39d24bc2473eac94a5ccdfa373e29db041d3fd (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 15 14:13:06 2018 +0200

    Allow systemd to mount boltd_var_run_t dirs BZ(1636823)

Comment 10 Artem 2018-10-15 17:26:00 UTC
Description of problem:
This began after I upgraded from F28W to F29W.

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport

Comment 11 Chris Murphy 2018-10-15 19:16:57 UTC
Appears to be fixed by 3.14.2-39.fc29

Comment 12 Chris Murphy 2018-10-15 19:20:11 UTC
Proposing freeze exception per blocker review #info to make sure a fix gets pushed to stable. The bug only happens with upgraded systems that still have setroubleshooter.

Comment 13 Fedora Update System 2018-10-15 20:23:40 UTC
selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac

Comment 14 Adam Williamson 2018-10-15 22:38:01 UTC
+1 FE for this, we should definitely accept -39 for it and its buddy.

Comment 15 Fedora Update System 2018-10-16 15:52:27 UTC
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac

Comment 16 Lukas Ruzicka 2018-10-18 10:09:03 UTC
I am not experiencing any boltd related selinux messages since 3.14.2-39. Considering verified.

Comment 17 Artem 2018-10-18 10:15:13 UTC
LGTM too now. selinux-policy-3.14.2-40.fc29

Comment 18 Fedora Update System 2018-10-18 11:07:32 UTC
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
