Bug 1484566
Summary: | Multiple 'map' denials prevent Cockpit from working | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | dwalsh, kparal, mpitt, robatino, sgallagh, stefw |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | AcceptedBlocker | ||
Fixed In Version: | selinux-policy-3.13.1-279.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-09-09 04:11:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1396702 |
Description
Adam Williamson
2017-08-23 21:08:46 UTC
Note for Cockpit folks: just CCing you on this for information. SELinux has added a new 'map' permission recently, and we're getting tons of denials for it, breaking all kinds of stuff. Discussed during blocker review [1]: AcceptedBlocker (Beta) - clear violation of Alpha criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (9090)" [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-04/ Cockpit still fails to start with selinux-policy-3.13.1-277.fc27 , with these denials: Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=4573538 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=4573529 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=8560638 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=8560636 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 selinux-policy-3.13.1-279.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bf736ee273 selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. |