On Sun, May 17, 2020 at 9:45 AM Joseph Wagner <joe@xxxxxxxxxxxxxxxxxx> wrote:
I've tried relabeling, and the problem still persists. Should I report this as a bug, or is this a config problem on my end?
Hi Joseph,
This bug has already been reported:
It is a similar bug to the one pointed to by Johannes, but requires a different approach.
_______________________________________________
Joseph D. Wagner
SELinux is preventing systemctl from read access on the file SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemctl should be allowed read access on the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp
Additional Information:
Source Context system_u:system_r:logrotate_t:s0
Target Context system_u:object_r:efivarfs_t:s0
Target Objects SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [
file ]
Source systemctl
Source Path systemctl
Port
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.5-38.fc32.noarch
Local Policy RPM selinux-policy-targeted-3.14.5-38.fc32.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 5.6.11-300.fc32.x86_64
#1 SMP Wed May 6 19:12:19 UTC 2020 x86_64 x86_64
Alert Count 5
First Seen 2020-05-15 03:26:10 PDT
Last Seen 2020-05-17 00:01:02 PDT
Local ID e5acdc0f-f979-4bb7-9889-1fa1e1a1586b
Raw Audit Messages
type=AVC msg=audit(1589698862.374:769): avc: denied { read } for pid=112829 comm="systemctl" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=15503 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
Hash: systemctl,logrotate_t,efivarfs_t,file,read
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
--
Zdenek Pytela
Security controls team