FEDORA-2018-bf58a7faec created by lvrabec 2 years ago for Fedora 28
obsolete

Adding support for bolt SELinux policy.

This update has been submitted for testing by lvrabec.

2 years ago
imabug provided feedback 2 years ago

This update has been pushed to testing.

2 years ago

New denial:

type=AVC msg=audit(1533761577.351:264): avc: denied { write } for pid=1291 comm="boltd" name="socket" dev="tmpfs" ino=515 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1

Not going to give karma at this point.

filiperosset commented & provided feedback 2 years ago

no regressions noted

cserpentis commented & provided feedback 2 years ago

works for me

I've been getting many denials since updating to 3.14.1-39 which appear to prevent messages being sent between boltd, polkit, and gdm through dbus. These denials occur in the journal/audit logs each time the system starts gdm then gnome-shell which requests boltd be started on dbus:

type=USER_AVC msg=audit(1533782415.943:279): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.6 spid=1184 tpid=757 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782415.952:280): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.50 spid=757 tpid=1184 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782440.970:297): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for service=org.freedesktop.bolt spid=1184 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782440.979:299): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.50 spid=1060 tpid=1184 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782448.976:306): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=757 tpid=1184 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I'm using the targeted policy in enforcing mode. I don't have any Thunderbolt devices so these denials have no apparent functional effect on my system. The denials might affect those using Thunderbolt though. I updated to dbus-1.12.10-1 at the same time as to 3.14.1-39. dbus seems to be functioning normally otherwise.
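
The denials quoted in the comments above can be grouped by source type, target type, class and permission, then split on the permissive= flag: permissive=1 records are logged but the access is allowed, permissive=0 records are blocked. This is an added example, not code from the update or from any commenter; the function names are hypothetical and the sample lines are the quoted records trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: the six quoted denials, trimmed to the fields read below.
SAMPLE = """\
type=AVC msg=audit(1533761577.351:264): avc: denied { write } for pid=1291 comm="boltd" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1
type=USER_AVC msg=audit(1533782415.943:279): msg='avc: denied { send_msg } for msgtype=method_call scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1533782415.952:280): msg='avc: denied { send_msg } for msgtype=method_return scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1533782440.970:297): msg='avc: denied { acquire_svc } for service=org.freedesktop.bolt scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1533782440.979:299): msg='avc: denied { send_msg } for msgtype=method_call scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1533782448.976:306): msg='avc: denied { send_msg } for msgtype=signal scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")

def parse(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    # Read key=value pairs only after "denied { ... }", skipping the audit header.
    f = dict(FIELD_RE.findall(line[m.end():]))
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "src": f["scontext"].split(":")[2],   # user:role:type:level -> type
        "tgt": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        # 1 = logged but allowed, 0 = blocked; absent is treated as blocked (assumption)
        "permissive": int(f.get("permissive", "0")),
    }

def summarize(text):
    """Map (src, tgt, tclass, perm) -> [blocked_count, logged_only_count]."""
    out = defaultdict(lambda: [0, 0])
    for rec in filter(None, map(parse, text.splitlines())):
        for perm in rec["perms"]:
            out[(rec["src"], rec["tgt"], rec["tclass"], perm)][rec["permissive"]] += 1
    return dict(out)

def blocked(summary):
    """Rules whose denials were enforced at least once."""
    return sorted(k for k, (hard, _) in summary.items() if hard)

if __name__ == "__main__":
    for rule, (hard, soft) in sorted(summarize(SAMPLE).items()):
        print(rule, "blocked:", hard, "logged-only:", soft)
```

On the sample, every record with boltd_t as the source carries permissive=1, while the send_msg records from policykit_t and xdm_t to boltd_t carry permissive=0.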

lobocode commented & provided feedback 2 years ago

works

This update has been obsoleted by selinux-policy-3.14.1-40.fc28.

2 years ago

Metadata
Type: enhancement
Severity: medium
Karma: 4
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -2
Stable by Karma: 5
Stable by Time: disabled

Dates
submitted: 2 years ago
in testing: 2 years ago