Bug 1429341

Summary: SELinux is preventing (fwupd) from mounton access on the directory /var/lib/fwupd.
Product: [Fedora] Fedora Reporter: Andrey Motoshkov <motoskov>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: awilliam, bugzilla, dominick.grift, dwalsh, gmarr, lvrabec, mgrepl, plautrba, pmoore, robatino, ssekidde, vondruch
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker AcceptedFreezeException
Fixed In Version: selinux-policy-3.13.1-247.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-24 21:53:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1349185, 1349188    

Description Andrey Motoshkov 2017-03-06 07:15:40 UTC 
Description of problem:
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (fwupd) should be allowed mounton access on the fwupd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(fwupd)' --raw | audit2allow -M my-fwupd
# semodule -X 300 -i my-fwupd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fwupd_var_lib_t:s0
Target Objects                /var/lib/fwupd [ dir ]
Source                        (fwupd)
Source Path                   (fwupd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           fwupd-0.8.1-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-241.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              4.11.0-0.rc0.git9.1.fc26.x86_64 #1 SMP Fri Mar 3
                              16:57:16 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-03-05 13:50:39 IST
Last Seen                     2017-03-05 22:16:37 IST
Local ID                      01ff0dbd-275e-4254-acbd-c7776816d08e

Raw Audit Messages
type=AVC msg=audit(1488744997.336:249): avc:  denied  { mounton } for  pid=2465 comm="(fwupd)" path="/var/lib/fwupd" dev="dm-0" ino=1706571 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fwupd_var_lib_t:s0 tclass=dir permissive=1


Hash: (fwupd),init_t,fwupd_var_lib_t,dir,mounton


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Adam Williamson 2017-03-17 23:52:15 UTC 
Just saw this in an openQA test after the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1427312 - seems like with selinux policy <245 in enforcing mode you don't see this, but with 245 or with permissive mode, this one shows up.

Proposing as a Final blocker, as it looks like a violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications
Comment 2 Adam Williamson 2017-03-17 23:54:40 UTC 
Also proposing as Alpha FE.
Comment 3 Geoffrey Marr 2017-03-20 21:07:51 UTC 
Discussed during the 2017-03-20 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker (Final) as it violates the following criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

This has also been accepted as an Alpha Freeze Exception as this would be gladly welcomed into the Alpha release.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-20/f26-blocker-review.2017-03-20-16.06.txt
Comment 4 Lukas Vrabec 2017-03-21 08:52:19 UTC 
*** Bug 1432759 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2017-03-21 11:32:51 UTC 
selinux-policy-3.13.1-247.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8ef20ac2b
Comment 6 Fedora Update System 2017-03-21 14:26:45 UTC 
selinux-policy-3.13.1-247.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8ef20ac2b
Comment 7 Fedora Update System 2017-03-24 21:53:08 UTC 
selinux-policy-3.13.1-247.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Vít Ondruch 2017-06-06 06:10:58 UTC 
*** Bug 1433884 has been marked as a duplicate of this bug. ***