Bug 1462925

Summary: SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.
Product: Red Hat Enterprise Linux 7 Reporter: nate.dailey
Component: selinux-policy Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4 CC: ahmedtal3t.at, ali.sherif10, anass.1430, bill_chatfield, bittechnl, bugzilla.redhat, bugzilla, c.steinseifer, danie.dejager, dominick.grift, d.sastre.medina, dwalsh, elleander86, extras-qa, fredoche, hx, jan.public, jfrieben, jkonecny, jorti, kmoriwak, lesintho, luisfradique, lvrabec, mgrepl, mguynn08, mikhail.v.gavrilov, mmalik, mszpak, pfrields, plautrba, pmoore, pvrabec, ssekidde, thebeardedhermit, trevor.davenport, warmaximus, woberts, youjinuser
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:3a897f72a654e43570dd880920af30491e960e4245b4bb556944c7099ae868c3;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-175.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1385090 Environment:
Last Closed: 2018-04-10 12:32:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1385090    
Bug Blocks:    

Description nate.dailey 2017-06-19 17:19:26 UTC
I see this on RHEL 7.4, as recently as Snap-3:

Jun 15 10:27:42 lin303 setroubleshoot: SELinux is preventing /usr/bin/gnome-shell from getattr access on the chr_file /dev/loop-control. For complete SELinux messages run: sealert -l d60aa90b-6af3-4578-b5d7-91f4498a8acd

I noticed this if I log into the GUI, double-click an ISO file to mount, and then log out. Doesn't seem to cause a problem other than the alert message.


+++ This bug was initially created as a clone of Bug #1385090 +++

Description of problem:
Just Upgraded to F25 from F24, and tried to login to GNOME (Wayland Session).
SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed getattr access on the loop-control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:loop_control_device_t:s0
Target Objects                /dev/loop-control [ chr_file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct
                              7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-10-14 19:01:25 EET
Last Seen                     2016-10-14 19:16:22 EET
Local ID                      5f0dc318-66dc-4bfe-a072-4a685618b00e

Raw Audit Messages
type=AVC msg=audit(1476465382.549:205): avc:  denied  { getattr } for  pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0


Hash: gnome-shell,xdm_t,loop_control_device_t,chr_file,getattr


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.1-1.fc25.x86_64
type:           libreport

--- Additional comment from Martijn Kruiten on 2016-11-11 16:00:10 EST ---

Description of problem:
Steps to reproduce:
- insert usb drive (ext4 in my case)

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

--- Additional comment from Krzysztof Troska on 2016-11-27 05:11:55 EST ---

Description of problem:
By mounting an iso file via gnome auto mount, it's starting to complain about this problem - note that the mount is working and can be unmounted in the normal way.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2016-11-30 07:08:26 EST ---

Hi, 
Could you try to reproduce it in permissive mode and collect all SELinux denials? 

Thanks.

--- Additional comment from Anass Ahmed on 2016-11-30 10:12:06 EST ---

I don't know if I can reproduce it again (this means installing F24, then upgrading to F25, which I've done already and applied the policy to be able to login Wayland).

--- Additional comment from Krzysztof Troska on 2016-11-30 16:53 EST ---

Logs you can get even on a new installation.
Just mount an iso with the built-in gnome application, e.g. the Fedora 25 iso.
Hope it helps.

--- Additional comment from fred on 2017-01-22 07:00:26 EST ---

Description of problem:
mounting a win 10 iso by clicking on it

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.3-200.fc25.x86_64
type:           libreport

--- Additional comment from Shaun Assam on 2017-02-15 17:42:54 EST ---

Description of problem:
- Mounted an ISO file in my home directory by double-clicking the file in the Files manager.

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Martijn Kruiten on 2017-02-18 08:54:50 EST ---

type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425836.849:860): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487425855.196:861): avc:  denied  { getattr } for  pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3
type=USER_AVC msg=audit(1487425866.180:863): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425866.184:864): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

--- Additional comment from  on 2017-02-21 15:50:43 EST ---

Description of problem:
I was installing KDevelop using the appimage

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.10-200.fc25.x86_64
type:           libreport

--- Additional comment from Bill Chatfield on 2017-03-21 21:13:43 EDT ---

Description of problem:
I simply tried to double click on a .iso image. That does an "Open with Disk Image Mounter" in the Gnome Shell.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.14-200.fc25.i686+PAE
type:           libreport

--- Additional comment from Paul W. Frields on 2017-03-30 16:57:06 EDT ---

Description of problem:
This error appeared spontaneously.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.5-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-05 20:38:30 EDT ---

Description of problem:
1. Two clicks on an Appimage file
2. The app gets mounted, but SELinux alert appears

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.5-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-05 20:43:07 EDT ---

Actually the problem was that the archive mounter tried to mount it as a disk image. When giving proper executable rights to the Appimage file, it was run properly without mounting.

--- Additional comment from  on 2017-04-08 13:10:53 EDT ---

Description of problem:
I couldn't burn in a CD, which already has data burnt in it, but it isn't full.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.8-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-15 10:04:53 EDT ---

Description of problem:
Laptop (Lenovo X240) awoke from sleep mode and displayed error

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Sebastian Potasiak on 2017-04-17 15:25:22 EDT ---

Description of problem:
Connected external HDD through USB 3.0

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2017-04-19 16:36:58 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

--- Additional comment from Fedora Update System on 2017-04-20 14:25:22 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

--- Additional comment from Fedora Update System on 2017-04-24 22:24:10 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
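As an added example (not part of this bug report, the setroubleshoot tool or the selinux-policy package), the following Python script parses raw audit lines of the kind pasted in the description and in the permissive-mode log above. It extracts the source and target types from the full contexts, rebuilds the setroubleshoot-style signature that appears on the "Hash:" line (comm, source type, target type, class, permission), counts how often each signature was seen in enforcing versus permissive mode (the permissive=1 records are what the maintainer asked reporters to collect), and renders the TE allow rule that audit2allow would generate for it, so the rule can be reviewed before anyone decides whether a local module or a policy update is the right fix. The sample lines are copied from this bug; the function and variable names are the example's own.

```python
"""Parse SELinux AVC denials from an audit log and group them by the
setroubleshoot-style signature comm,source_type,target_type,tclass,perm.

Added example for this bug; not code from setroubleshoot or selinux-policy.
"""
import re
from collections import defaultdict

# Kernel AVC record: type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perms } for  k=v ...
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; some values (comm, path, dev) are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type of a SELinux context, e.g. xdm_t from
    system_u:system_r:xdm_t:s0-s0:c0.c1023."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit line. Returns None for anything that is not a kernel
    AVC denial (USER_AVC setenforce notices, MAC_STATUS records, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'path': fields.get('path') or fields.get('name', '?'),
        'stype': context_type(fields.get('scontext', '?')),
        'ttype': context_type(fields.get('tcontext', '?')),
        'tclass': fields.get('tclass', '?'),
        # permissive=1: the access was logged but not blocked.
        'permissive': fields.get('permissive') == '1',
    }


def signature(denial, perm):
    """Same shape as setroubleshoot's 'Hash:' line."""
    return ','.join([denial['comm'], denial['stype'], denial['ttype'],
                     denial['tclass'], perm])


def summarize(lines):
    """Group denials by signature, counting enforcing vs permissive sightings
    and remembering which object paths were involved."""
    out = defaultdict(lambda: {'enforcing': 0, 'permissive': 0, 'paths': set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d['perms']:
            entry = out[signature(d, perm)]
            entry['permissive' if d['permissive'] else 'enforcing'] += 1
            entry['paths'].add(d['path'])
    return dict(out)


def allow_rule(sig):
    """Render the TE allow rule audit2allow would emit for one signature."""
    _comm, stype, ttype, tclass, perm = sig.split(',')
    return f'allow {stype} {ttype}:{tclass} {perm};'


# Constructed sample: audit records copied from this bug report.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1476465382.549:205): avc:  denied  { getattr } for  pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0',
    """type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'""",
    'type=AVC msg=audit(1487425855.196:861): avc:  denied  { getattr } for  pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1',
    'type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3',
]

if __name__ == '__main__':
    for sig, info in summarize(SAMPLE_AUDIT).items():
        print(f"{sig}: enforcing={info['enforcing']} permissive={info['permissive']} "
              f"paths={sorted(info['paths'])}")
        print('  would need:', allow_rule(sig))
```

Feeding the script the output of `ausearch -m AVC --raw` from a permissive-mode reproduction shows every distinct signature at once, which is what makes a policy bug report complete: a single getattr on /dev/loop-control is often followed by further denials once the first one no longer blocks the program. The generated rule is printed for review only; on RHEL 7.4 the fix shipped in selinux-policy-3.13.1-175.el7 rather than as a local module.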

Comment 7 errata-xmlrpc 2018-04-10 12:32:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763