| Summary: | SELinux won't stop showing alerts about normal snapperd actions | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Audrey Yeena Toskin <audrey> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 25 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-12-12 10:55:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
If I do the ausearch and semodule commands suggested by SELinux Troubleshooter,
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp
...I later get a notification saying "SELinux is preventing snapperd from relabelto access on the directory 10" (which I assume is a snapshot under /.snapshots/).
Raw Audit Messages
type=AVC msg=audit(1480981918.954:374): avc: denied { relabelto } for pid=25515 comm="snapperd" name="10" dev="dm-0" ino=275 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
I generated local policy to allow access again, and then got:
"SELinux is preventing snapperd from relabelto access on the file info.xml" (which is included with every snapshot).
Raw Audit Messages
type=AVC msg=audit(1480982416.691:417): avc: denied { relabelto } for pid=26457 comm="snapperd" name="info.xml" dev="dm-0" ino=276 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
I generated local policy to allow access one more time, because these SELinux alerts are starting to get annoying... But they keep popping up. I'm now able to do manual operations with snapper, and the automated snapshots timer seems to work as it should, but the SELinux alerts won't go away.
Clarification: each new SELinux Alert message is now a duplicate of the third message. I'm getting the same exact SELinux Alert about snapperd every hour. terrycloth, Could you please try it with this policy: $ cat snapperd_local.cil (dontaudit snapperd_t user_home_t (dir (relabelfrom relabelto))) (dontaudit snapperd_t user_home_t (file (relabelfrom relabelto))) # semodule -i snapperd_local.cil Thanks. Sorry for the delayed response. I must have missed the email notification somehow. I copied and installed the .cil file as instructed, then went back to work on my desktop. I have not seen anymore SELinux Alerts since then. So I guess this solves the problem for me -- but of course it would still be nice to figure out some reasonable defaults in the SELinux policies. This is not the first time SELinux has conflicted with normal operation of snapper. In the mean while, thanks for your help, Lukas. Sorry for the delayed response. I must have missed the email notification somehow.
I copied and installed the .cil file as instructed, then went back to work on my desktop. I have not seen anymore SELinux Alerts since then. However, I thought to double check from the commandline, and I still see AVC denials every hour...
$ sudo ausearch --comm snapperd --message AVC
...
time->Wed Dec 14 15:55:10 2016
type=AVC msg=audit(1481759710.210:302): avc: denied { relabelto } for pid=2857 comm="snapperd" name="info.xml" dev="dm-0" ino=518 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Wed Dec 14 16:00:11 2016
type=AVC msg=audit(1481760011.561:320): avc: denied { relabelto } for pid=3445 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 17:00:08 2016
type=AVC msg=audit(1481763608.322:339): avc: denied { relabelto } for pid=10476 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 18:00:08 2016
type=AVC msg=audit(1481767208.621:354): avc: denied { relabelto } for pid=11125 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 19:00:07 2016
type=AVC msg=audit(1481770807.841:401): avc: denied { relabelto } for pid=18936 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 20:00:08 2016
type=AVC msg=audit(1481774408.371:408): avc: denied { relabelto } for pid=20313 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 21:00:03 2016
type=AVC msg=audit(1481778003.566:413): avc: denied { relabelto } for pid=21417 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 22:00:11 2016
type=AVC msg=audit(1481781611.165:427): avc: denied { relabelto } for pid=22707 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Wed Dec 14 23:01:01 2016
type=AVC msg=audit(1481785261.731:452): avc: denied { relabelto } for pid=23983 comm="snapperd" name=".snapshots" dev="dm-0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
And actually, today I started seeing desktop notifications from SELinux Troubleshooter again. Weird that it would stop for a few hours, then start up again... So. Any other ideas? The hourly SELinux notifications have never stopped. It's really annoying. Should I report this to the Reference Policy GitHub page? https://github.com/TresysTechnology/refpolicy Or SETools? https://github.com/TresysTechnology/setools Not sure which upstream would be the appropriate place for this... Anyone? The reference policy I linked in the previous comment gets heavily patched before it's used in Fedora, so I'm thinking maybe reposting my issue with them might not be appropriate after all. Problem hasn't gone away yet, with snapper 0.4.1 and selinux-policy 3.13.1. Having to ignore false positives from SELinux all day makes me worry that I'm eventually going to get a real problem and never notice. I tried restoring the normal snapper file context on the snapshots directories. This is absolutely something I've tried before, several times, but with no other feedback, and no working solutions online that I can find, I keep trying the same things over and over.
sudo semanage fcontext --add --type snapperd_data_t /.snapshots**
sudo semanage fcontext --add --type snapperd_data_t /home/.snapshots**
sudo restorecon -Rv /.snapshots
sudo restorecon -Rv /home/.snapshots
This of course produced a lot of errors because the snapshot contents are readonly. But maybe the .snapshots/ directories themselves, or some of the metadata files will reset and that could help? I have no idea.
Also, I re-regenerated a local policy module again, again (again).
sudo ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
semodule -i my-snapperd.pp
Mysteriously, the next day, I started getting a *different* SELinux Alert message about blocking snapperd from performing a perfectly normal function:
---
SELinux is preventing snapperd from rmdir access on the directory 789.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapperd should be allowed rmdir access on the 789 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp
Additional Information:
Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context system_u:object_r:user_home_t:s0
Target Objects 789 [ dir ]
Source snapperd
Source Path snapperd
Port <Unknown>
Host harlow
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name harlow
Platform Linux harlow 4.9.9-200.fc25.x86_64 #1 SMP Thu Feb
9 17:28:13 UTC 2017 x86_64 x86_64
Alert Count 12
First Seen 2017-02-17 13:23:15 PST
Last Seen 2017-02-18 14:40:03 PST
Local ID dd82dba0-59be-42a4-a1e4-1456191268eb
Raw Audit Messages
type=AVC msg=audit(1487457603.745:253): avc: denied { rmdir } for pid=2492 comm="snapperd" name="789" dev="dm-1" ino=1833 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
Hash: snapperd,snapperd_t,user_home_t,dir,rmdir
---
...Progress?
The issue persists on a clean installation of Fedora 26 Workstation x86_64 with snapper 0.4.1-3 and 3.13.1-259 From auditd logs:
time->Fri Jul 14 19:18:28 2017
type=AVC msg=audit(1500085108.553:413): avc: denied { relabelfrom } for pid=5790 comm="snapperd" name=".snapshots" dev="dm-1" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir permissive=0
SELinux is preventing snapperd from unlink access on the file info.xml.
(Every snapshot has its own info.xml file under /.snapshots/<SNAPSHOT_NUMBER>/.)
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapperd should be allowed unlink access on the info.xml file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp
Additional Information:
Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context system_u:object_r:user_home_dir_t:s0
Target Objects info.xml [ file ]
Source snapperd
Source Path snapperd
Port <Unknown>
Host jean.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.1.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name jean.localdomain
Platform Linux jean.localdomain 4.11.10-300.fc26.x86_64 #1
SMP Wed Jul 12 17:05:39 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-07-20 12:17:20 PDT
Last Seen 2017-07-20 12:17:20 PDT
Local ID 77600da2-3b10-4980-979a-64127cd07f64
Raw Audit Messages
type=AVC msg=audit(1500578240.811:314): avc: denied { unlink } for pid=19818 comm="snapperd" name="info.xml" dev="dm-0" ino=275 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
Hash: snapperd,snapperd_t,user_home_dir_t,file,unlink
SELinux is preventing snapperd from relabelto access on the file info.xml.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapperd should be allowed relabelto access on the info.xml file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp
Additional Information:
Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects info.xml [ file ]
Source snapperd
Source Path snapperd
Port <Unknown>
Host jean.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.1.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name jean.localdomain
Platform Linux jean.localdomain 4.11.10-300.fc26.x86_64 #1
SMP Wed Jul 12 17:05:39 UTC 2017 x86_64 x86_64
Alert Count 35
First Seen 2017-07-18 19:00:00 PDT
Last Seen 2017-07-20 12:17:18 PDT
Local ID 64f0029b-c12c-4224-be43-fa6643042b7a
Raw Audit Messages
type=AVC msg=audit(1500578238.861:313): avc: denied { relabelto } for pid=19818 comm="snapperd" name="info.xml" dev="dm-0" ino=287 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Hash: snapperd,snapperd_t,user_home_t,file,relabelto
SELinux is preventing snapperd from relabelto access on the directory 18.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapperd should be allowed relabelto access on the 18 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp
Additional Information:
Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects 18 [ dir ]
Source snapperd
Source Path snapperd
Port <Unknown>
Host jean.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.1.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name jean.localdomain
Platform Linux jean.localdomain 4.11.10-300.fc26.x86_64 #1
SMP Wed Jul 12 17:05:39 UTC 2017 x86_64 x86_64
Alert Count 170
First Seen 2017-07-17 20:25:45 PDT
Last Seen 2017-07-20 12:17:18 PDT
Local ID 1383c909-13a5-4075-b899-2f6d7f364264
Raw Audit Messages
type=AVC msg=audit(1500578238.861:312): avc: denied { relabelto } for pid=19818 comm="snapperd" name="18" dev="dm-0" ino=286 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
Hash: snapperd,snapperd_t,user_home_t,dir,relabelto
Some combination of installing the snapperd_local.cil file, recommended by Lukas in Comment #3, and generating/installing my-snapperd.pp over and over does make the problem go away *eventually*. But it takes a few days of repetition. I've needed to reinstall Fedora several times in the last couple months, "because reasons", though, so I've also had to start over several times :( This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
I have snapper 0.3.3 and selinux-policy 3.13.1 on a newly installed Fedora 25 Workstation. I'd reinstalled Fedora, reinstalled all my applications, configured snapper, rebooted, and then restored backups of my home directory, and a few things in /var/ and /etc/. During this last step, apparently the SELinux context of something important got messed up, because my computer wouldn't finish rebooting, with several startup services failing. Relabeling the file system (with `touch /.autorelabel`) fixed the startup problem. However, now I get SELinux Troubleshoot notifications every time I try to do anything with snapper: I cannot create new snapshots or even list existing snapshots. This sounds pretty similar to Issue #1379179, except Jonas has SELinux set to permissive, while I have kept it at enforcing. So I thought I'd post a new issue in case that means Jonas and I have unrelated problems. --- SELinux is preventing snapperd from using the fowner capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that snapperd should have the fowner capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd # semodule -X 300 -i my-snapperd.pp Additional Information: Source Context system_u:system_r:snapperd_t:s0-s0:c0.c1023 Target Context system_u:system_r:snapperd_t:s0-s0:c0.c1023 Target Objects Unknown [ capability ] Source snapperd Source Path snapperd Port <Unknown> Host harlow Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-224.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name harlow Platform Linux harlow 4.8.10-300.fc25.x86_64 #1 SMP Mon Nov 21 18:59:16 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-12-04 16:32:14 PST Last Seen 2016-12-04 16:33:46 PST Local ID a601b1ef-0bf3-485f-876e-51f82312ef5c Raw Audit Messages type=AVC msg=audit(1480898026.528:551): avc: denied { fowner } for pid=14483 comm="snapperd" capability=3 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0 Hash: snapperd,snapperd_t,snapperd_t,capability,fowner