| Summary: | SELinux is preventing udisksd from 'search' accesses on the directory .cache. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nivag <gavinflower> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | alex.vizor, bugzilla, csamyn, dominick.grift, dwalsh, esm, jfrieben, juliux.pigface, kparal, lvrabec, mgrepl, mikhail.v.gavrilov, motoskov, palopezv, plautrba, samuel.rakitnican, tikis.tarkan |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:b9f8568d505c44ba5c1ebb04877a78e6b0b865bd56615c29fb5f0fc648ef3b66; | ||
| Fixed In Version: | selinux-policy-3.13.1-214.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-21 00:36:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Same, and additional one:
SELinux is preventing udisksd from wake_alarm access on the capability2 Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that udisksd should be allowed wake_alarm access on the Unknown capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'udisksd' --raw | audit2allow -M my-udisksd
# semodule -X 300 -i my-udisksd.pp
Additional Information:
Source Context system_u:system_r:udisks2_t:s0
Target Context system_u:system_r:udisks2_t:s0
Target Objects Unknown [ capability2 ]
Source udisksd
Source Path udisksd
Port <Unknown>
Host rawhide
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-211.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rawhide
Platform Linux rawhide 4.8.0-0.rc2.git3.1.fc25.x86_64 #1
SMP Fri Aug 19 14:24:04 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-08-30 22:50:47 CEST
Last Seen 2016-08-30 22:50:47 CEST
Local ID bff4dfa1-1526-442e-8591-53c88783cb39
Raw Audit Messages
type=AVC msg=audit(1472590247.567:201): avc: denied { wake_alarm } for pid=1337 comm="udisksd" capability=35 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:udisks2_t:s0 tclass=capability2 permissive=0
Hash: udisksd,udisks2_t,udisks2_t,capability2,wake_alarm

Description of problem:
SELinux warning appears at boot. udisksd tries to access the .cache dir.
Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64
type: libreport

Description of problem:
Seems to occur on boot.
Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64
type: libreport

And one more:
SELinux is preventing udisksd from write access on the blk_file sda.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that udisksd should be allowed write access on the sda blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'udisksd' --raw | audit2allow -M my-udisksd
# semodule -X 300 -i my-udisksd.pp
Additional Information:
Source Context system_u:system_r:udisks2_t:s0
Target Context system_u:object_r:fixed_disk_device_t:s0
Target Objects sda [ blk_file ]
Source udisksd
Source Path udisksd
Port <Unknown>
Host dragonfly.XXX.net
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-211.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name dragonfly.XXX.net
Platform Linux dragonfly.XXX.net
4.8.0-0.rc4.git0.1.fc25.x86_64 #1 SMP Mon Aug 29
19:28:01 UTC 2016 x86_64 x86_64
Alert Count 7
First Seen 2016-09-07 00:01:56 IDT
Last Seen 2016-09-07 10:04:57 IDT
Local ID 0eb4e00c-302f-4d86-a72c-0ec12faae91d
Raw Audit Messages
type=AVC msg=audit(1473231897.223:228): avc: denied { write } for pid=1943 comm="udisksd" name="sda" dev="devtmpfs" ino=10295 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Hash: udisksd,udisks2_t,fixed_disk_device_t,blk_file,write

Description of problem:
I've found this right after loggin' in to a Xfce session (Fedora Workstation x86_64, as qemu-guest).
Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64
type: libreport

selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
possibly related to a dnf upgrade involving SELinux?
SELinux is preventing udisksd from 'search' accesses on the directory .cache.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that udisksd should be allowed search access on the .cache directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'udisksd' --raw | audit2allow -M my-udisksd
# semodule -X 300 -i my-udisksd.pp
Additional Information:
Source Context system_u:system_r:udisks2_t:s0
Target Context system_u:object_r:cache_home_t:s0
Target Objects .cache [ dir ]
Source udisksd
Source Path udisksd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-208.fc25.noarch selinux-policy-3.13.1-211.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.8.0-0.rc2.git3.1.fc25.x86_64 #1
SMP Fri Aug 19 14:24:04 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-08-26 20:18:32 NZST
Last Seen 2016-08-26 20:18:32 NZST
Local ID 75243d79-4f87-43ad-8248-afa313e86079
Raw Audit Messages
type=AVC msg=audit(1472199512.819:197): avc: denied { search } for pid=1634 comm="udisksd" name=".cache" dev="dm-0" ino=134328 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
Hash: udisksd,udisks2_t,cache_home_t,dir,search
Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch
selinux-policy-3.13.1-211.fc25.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64
type: libreport