On Sun, May 17, 2020 at 9:45 AM Joseph Wagner <j...@josephdwagner.info> wrote:
> I've tried relabeling, and the problem still persists. Should I report
> this as a bug, or is this a config problem on my end?
>

Hi Joseph,

This bug has already been reported:
https://bugzilla.redhat.com/show_bug.cgi?id=1827972

It is a similar bug to the one pointed to by Johannes, but requires a different approach.

> Joseph D. Wagner
>
>
> SELinux is preventing systemctl from read access on the file
> SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that systemctl should be allowed read access on the
> SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
> # semodule -X 300 -i my-systemctl.pp
>
> Additional Information:
> Source Context                system_u:system_r:logrotate_t:s0
> Target Context                system_u:object_r:efivarfs_t:s0
> Target Objects                SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c [
> file ]
> Source                        systemctl
> Source Path                   systemctl
> Port
> Host                          localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-targeted-3.14.5-38.fc32.noarch
> Local Policy RPM              selinux-policy-targeted-3.14.5-38.fc32.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 5.6.11-300.fc32.x86_64
> #1 SMP Wed May 6 19:12:19 UTC 2020 x86_64 x86_64
> Alert Count                   5
> First Seen                    2020-05-15 03:26:10 PDT
> Last Seen                     2020-05-17 00:01:02 PDT
> Local ID                      e5acdc0f-f979-4bb7-9889-1fa1e1a1586b
>
> Raw Audit Messages
> type=AVC msg=audit(1589698862.374:769): avc: denied { read } for
> pid=112829 comm="systemctl"
> name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs"
> ino=15503 scontext=system_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
>
>
> Hash: systemctl,logrotate_t,efivarfs_t,file,read
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>

--
Zdenek Pytela
Security controls team