Attachment 1481889 Details for Bug 1626840 – Detailed SELinux messages when trying to install snapd and simple "hello" package.

Detailed SELinux messages when trying to install snapd and simple "hello" package.

selinux-snap-messages.txt (text/plain), 8.17 KB, created by psg_nm on 2018-09-09 15:36:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: psg_nm

Created: 2018-09-09 15:36:47 UTC

Size: 8.17 KB

patch

obsolete

>------ First message
>
>SELinux is preventing snap-confine from getattr access on the filesystem /.
>
>*****  Plugin catchall (100. confidence) suggests   **************************
>
>If you believe that snap-confine should be allowed getattr access on the  filesystem by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'snap-confine' --raw | audit2allow -M my-snapconfine
># semodule -X 300 -i my-snapconfine.pp
>
>Additional Information:
>Source Context                system_u:system_r:snappy_t:s0
>Target Context                system_u:object_r:fs_t:s0
>Target Objects                / [ filesystem ]
>Source                        snap-confine
>Source Path                   snap-confine
>Port                          <Unknown>
>Host                          tiggertoo.localdomain
>Source RPM Packages           
>Target RPM Packages           filesystem-3.8-2.fc28.x86_64
>Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     tiggertoo.localdomain
>Platform                      Linux tiggertoo.localdomain
>                              4.17.19-200.fc28.x86_64 #1 SMP Fri Aug 24 15:47:41
>                              UTC 2018 x86_64 x86_64
>Alert Count                   4
>First Seen                    2018-07-29 21:13:19 MDT
>Last Seen                     2018-09-09 09:09:44 MDT
>Local ID                      b406bea4-ac54-4e1d-a5c6-b318028a773a
>
>Raw Audit Messages
>type=AVC msg=audit(1536505784.713:329): avc:  denied  { getattr } for  pid=3285 comm="umount" name="/" dev="loop1" ino=2 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
>
>
>Hash: snap-confine,snappy_t,fs_t,filesystem,getattr
>
>
>------ Second message
>
>
>SELinux is preventing snapd from getattr access on the directory /home/username/snap.
>
>*****  Plugin restorecon (99.5 confidence) suggests   ************************
>
>If you want to fix the label. 
>/home/username/snap default label should be snappy_home_t.
>Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
>Do
># /sbin/restorecon -v /home/username/snap
>
>*****  Plugin catchall (1.49 confidence) suggests   **************************
>
>If you believe that snapd should be allowed getattr access on the snap directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'snapd' --raw | audit2allow -M my-snapd
># semodule -X 300 -i my-snapd.pp
>
>Additional Information:
>Source Context                system_u:system_r:snappy_t:s0
>Target Context                unconfined_u:object_r:user_home_t:s0
>Target Objects                /home/username/snap [ dir ]
>Source                        snapd
>Source Path                   snapd
>Port                          <Unknown>
>Host                          tiggertoo.localdomain
>Source RPM Packages           
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     tiggertoo.localdomain
>Platform                      Linux tiggertoo.localdomain
>                              4.17.19-200.fc28.x86_64 #1 SMP Fri Aug 24 15:47:41
>                              UTC 2018 x86_64 x86_64
>Alert Count                   1
>First Seen                    2018-09-09 09:14:54 MDT
>Last Seen                     2018-09-09 09:14:54 MDT
>Local ID                      59ce76aa-af8e-40de-a5a0-a062dbdf6048
>
>Raw Audit Messages
>type=AVC msg=audit(1536506094.547:334): avc:  denied  { getattr } for  pid=3274 comm="snapd" path="/home/username/snap" dev="dm-2" ino=102760890 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
>
>
>Hash: snapd,snappy_t,user_home_t,dir,getattr
>
>------ Third message
>
>SELinux is preventing snapd from read access on the directory snap.
>
>*****  Plugin catchall (100. confidence) suggests   **************************
>
>If you believe that snapd should be allowed read access on the snap directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'snapd' --raw | audit2allow -M my-snapd
># semodule -X 300 -i my-snapd.pp
>
>Additional Information:
>Source Context                system_u:system_r:snappy_t:s0
>Target Context                unconfined_u:object_r:user_home_t:s0
>Target Objects                snap [ dir ]
>Source                        snapd
>Source Path                   snapd
>Port                          <Unknown>
>Host                          tiggertoo.localdomain
>Source RPM Packages           
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     tiggertoo.localdomain
>Platform                      Linux tiggertoo.localdomain
>                              4.17.19-200.fc28.x86_64 #1 SMP Fri Aug 24 15:47:41
>                              UTC 2018 x86_64 x86_64
>Alert Count                   1
>First Seen                    2018-09-09 09:14:54 MDT
>Last Seen                     2018-09-09 09:14:54 MDT
>Local ID                      a05d8d5d-6b38-4d47-8024-566467d20fb1
>
>Raw Audit Messages
>type=AVC msg=audit(1536506094.547:335): avc:  denied  { read } for  pid=3274 comm="snapd" name="snap" dev="dm-2" ino=102760890 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
>
>
>Hash: snapd,snappy_t,user_home_t,dir,read
>
>------ Fourth message
>
>SELinux is preventing snapd from open access on the directory /home/username/snap.
>
>*****  Plugin restorecon (99.5 confidence) suggests   ************************
>
>If you want to fix the label. 
>/home/username/snap default label should be snappy_home_t.
>Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
>Do
># /sbin/restorecon -v /home/username/snap
>
>*****  Plugin catchall (1.49 confidence) suggests   **************************
>
>If you believe that snapd should be allowed open access on the snap directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># ausearch -c 'snapd' --raw | audit2allow -M my-snapd
># semodule -X 300 -i my-snapd.pp
>
>Additional Information:
>Source Context                system_u:system_r:snappy_t:s0
>Target Context                unconfined_u:object_r:user_home_t:s0
>Target Objects                /home/username/snap [ dir ]
>Source                        snapd
>Source Path                   snapd
>Port                          <Unknown>
>Host                          tiggertoo.localdomain
>Source RPM Packages           
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     tiggertoo.localdomain
>Platform                      Linux tiggertoo.localdomain
>                              4.17.19-200.fc28.x86_64 #1 SMP Fri Aug 24 15:47:41
>                              UTC 2018 x86_64 x86_64
>Alert Count                   1
>First Seen                    2018-09-09 09:14:54 MDT
>Last Seen                     2018-09-09 09:14:54 MDT
>Local ID                      5482ab35-3ef2-4624-bfd1-d87abd913a3c
>
>Raw Audit Messages
>type=AVC msg=audit(1536506094.547:336): avc:  denied  { open } for  pid=3274 comm="snapd" path="/home/username/snap" dev="dm-2" ino=102760890 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
>
>
>Hash: snapd,snappy_t,user_home_t,dir,open

Actions: View

Attachments on bug 1626840: 1481889