On Fri, 2021-09-03 at 15:57 -0600, Chris Murphy wrote:
> On Fri, Sep 3, 2021 at 1:32 PM Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
>
> > So it appears to be an SELinux issue. I suspect but cannot prove that
> > it's related to a number of AVCs related to DBUS that I see in
> > selinux-troubleshooter.
>
> I'm only seeing two AVC's which repeat but not a lot...
>
> Sep 03 14:27:09 fovo.local audit[6300]: AVC avc: denied { write }
> for pid=6300 comm="fprintd" name="wakeup" dev="sysfs" ino=28044
> scontext=system_u:system_r:fprintd_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
> Sep 03 14:27:09 fovo.local audit[6300]: AVC avc: denied { write }
> for pid=6300 comm="fprintd" name="persist" dev="sysfs" ino=28037
> scontext=system_u:system_r:fprintd_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
>
> But enforcing=0 makes the boot time under 9s which is... awesome.
> Better than 34.
Those fprintd denials shouldn't cause any issues. It just means fprintd
cannot reconfigure the USB devices for its suspend/resume handling. It
would be nice if it worked, but it is *not* a regression if it doesn't
work.
The upstream bug for this is:
https://github.com/fedora-selinux/selinux-policy/issues/840
Benjamin
> I get more AVC's with enforcing=0, in fact... oh my that's a lot of
> selinux bugs reported already against 35
>
> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=selinux-policy&list_id=12120743&product=Fedora&query_format=advanced&version=35
>
> But fprintd doesn't show up in any. So I will change the component to
> selinux-policy.
>
>
>
>
> --
> Chris Murphy
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
