| Field | Value |
|---|---|
| Summary | SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control. |
| Product | Fedora |
| Component | selinux-policy |
| Version | 25 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Anass Ahmed <anass.1430> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | ahmedtal3t.at, ali.sherif10, anass.1430, bill_chatfield, bittechnl, bugzilla.redhat, bugzilla, c.steinseifer, danie.dejager, dominick.grift, d.sastre.medina, dwalsh, elleander86, fredoche, hx, jan.public, jfrieben, jkonecny, jorti, kmoriwak, lesintho, luisfradique, lvrabec, makruiten, mgrepl, mguynn08, mikhail.v.gavrilov, mszpak, pfrields, plautrba, pmoore, thebeardedhermit, trevor.davenport, warmaximus, woberts, youjinuser |
| Whiteboard | abrt_hash:3a897f72a654e43570dd880920af30491e960e4245b4bb556944c7099ae868c3;VARIANT_ID=workstation; |
| Fixed In Version | selinux-policy-3.13.1-225.13.fc25 |
| Doc Type | If docs needed, set a value |
| Clone Of | |
| | 1462925 (view as bug list) |
| Bug Blocks | 1462925 |
| Last Closed | 2017-04-25 02:24:10 UTC |
Description of problem:
Just upgraded to F25 from F24, and tried to log in to GNOME (Wayland Session).

SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.

```
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed getattr access on the loop-control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:loop_control_device_t:s0
Target Objects                /dev/loop-control [ chr_file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct 7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-10-14 19:01:25 EET
Last Seen                     2016-10-14 19:16:22 EET
Local ID                      5f0dc318-66dc-4bfe-a072-4a685618b00e

Raw Audit Messages
type=AVC msg=audit(1476465382.549:205): avc: denied { getattr } for pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0

Hash: gnome-shell,xdm_t,loop_control_device_t,chr_file,getattr
```

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.8.1-1.fc25.x86_64
- type: libreport

---

Description of problem:
Steps to reproduce:
- insert usb drive (ext4 in my case)

Version-Release number of selected component: selinux-policy-3.13.1-220.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.8.6-300.fc25.x86_64
- type: libreport

---

Description of problem:
By mounting an ISO file via GNOME auto mount, it's starting to complain about this problem - note that the mount is working and can be unmounted in the normal way.

Version-Release number of selected component: selinux-policy-3.13.1-224.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.8.8-300.fc25.x86_64
- type: libreport

---

Hi,

Could you try to reproduce it in permissive mode and collect all SELinux denials?

Thanks.

---

I don't know if I can reproduce it again (this means installing F24, then upgrading to F25, which I've done already and applied the policy to be able to log in to Wayland).

---

Created attachment 1226552 [details]
selinux-log-loopback

Logs you can get even on a new installation.
Just mount an ISO with the built-in GNOME application, e.g. the Fedora 25 ISO.
Hope it helps.

---

Description of problem:
mounting a win 10 iso by clicking on it

Version-Release number of selected component: selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.9.3-200.fc25.x86_64
- type: libreport

---

Description of problem:
- Mounted an ISO file in my home directory by double-clicking the file in the Files manager.

Version-Release number of selected component: selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.9.9-200.fc25.x86_64
- type: libreport

---

```
type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425836.849:860): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487425855.196:861): avc: denied { getattr } for pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3
type=USER_AVC msg=audit(1487425866.180:863): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425866.184:864): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

---

Description of problem:
I was installing KDevelop using the AppImage

Version-Release number of selected component: selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.9.10-200.fc25.x86_64
- type: libreport

---

Description of problem:
I simply tried to double click on a .iso image. That does an "Open with Disk Image Mounter" in the Gnome Shell.

Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.9.14-200.fc25.i686+PAE
- type: libreport

---

Description of problem:
This error appeared spontaneously.

Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.10.5-200.fc25.x86_64
- type: libreport

---

Description of problem:
1. Two clicks on an AppImage file
2. The app gets mounted, but SELinux alert appears

Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.10.5-200.fc25.x86_64
- type: libreport

---

Actually the problem was that the archive mounter tried to mount it as a disk image. When giving proper executable rights to the AppImage file, it was run properly without mounting.

---

Description of problem:
I couldn't burn to a CD which already has data burnt on it but isn't full.

Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.10.8-200.fc25.x86_64
- type: libreport

---

Description of problem:
Laptop (Lenovo X240) awoke from sleep mode and displayed error

Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.10.9-200.fc25.x86_64
- type: libreport

---

Description of problem:
Connected external HDD through USB 3.0

Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
- reporter: libreport-2.8.0
- hashmarkername: setroubleshoot
- kernel: 4.10.9-200.fc25.x86_64
- type: libreport

---

selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
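The setroubleshoot alert and the raw `type=AVC` records quoted in this report are exactly what the suggested `ausearch -c 'gnome-shell' --raw | audit2allow` pipeline consumes. As an added example (not part of the bug report, setroubleshoot or audit2allow), the Python below parses AVC records copied from this page, extracts the source and target types, derives the setroubleshoot `Hash:` key, and aggregates the denials into the same `allow` rule audit2allow would emit, so a reviewer can see what a local module built from these denials would grant before loading it. The multi-permission form of the Hash key is an assumption; the page only shows the single-permission case.

```python
import re
from collections import defaultdict

# Audit records copied from this bug report (one denial captured in permissive
# mode, one in enforcing mode) plus a USER_AVC line that must be skipped.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 msg='avc: received setenforce notice (enforcing=0)'
type=AVC msg=audit(1487425855.196:861): avc: denied { getattr } for pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1476465382.549:205): avc: denied { getattr } for pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:range; the policy type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but not actually blocked.
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def alert_hash(rec):
    """setroubleshoot-style 'Hash:' key (comm,stype,ttype,tclass,perms);
    joining several permissions with commas is an assumption."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"],
                     ",".join(sorted(rec["perms"]))])


def allow_rules(audit_text):
    """Aggregate denials into audit2allow-style rules, one per (stype, ttype, tclass)."""
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (s, t, c, body))
    return rules
```

Running `allow_rules(SAMPLE_AUDIT)` yields the single rule `allow xdm_t loop_control_device_t:chr_file getattr;`, i.e. the module suggested by setroubleshoot would let the display-manager domain stat the loop-control device and nothing more.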