Bug 1554776

Summary: SELinux is preventing (ostnamed) from 'remount' accesses on the souborový systém .
Product: [Fedora] Fedora Reporter: Zdenek Chmelar <chmelarz>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: awilliam, bugzilla, dwalsh, genes1122, jsmith.fedora, kevin, lvrabec, mgrepl, miabbott, plautrba, pmoore, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:f193ad26d301d884228d49a13287fa499f4f2b857876272ad27745661a3d9bb4;VARIANT_ID=workstation; AcceptedFreezeException
Fixed In Version: selinux-policy-3.14.1-14.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-18 00:53:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1469205, 1469206    

Description Zdenek Chmelar 2018-03-13 10:55:32 UTC 
Description of problem:
right after login on desktop
SELinux is preventing (ostnamed) from 'remount' accesses on the souborový systém .

*****  Plugin catchall (100. confidence) suggests   **************************

Pokud jste přesvědčeni, že má (ostnamed) mít ve výchozím stavu přístup remount na  filesystem.
Then toto byste měli nahlásit jako chybu.
Abyste přístup povolili, můžete vygenerovat lokální modul pravidel.
Do
prozatím tento přístup povolíte příkazy:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                 [ filesystem ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-11.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.0-0.rc4.git0.1.fc28.x86_64 #1
                              SMP Mon Mar 5 04:54:32 UTC 2018 x86_64 x86_64
Alert Count                   20
First Seen                    2018-03-13 11:34:35 CET
Last Seen                     2018-03-13 11:51:12 CET
Local ID                      08d59971-90df-4097-a9ce-e5929809f238

Raw Audit Messages
type=AVC msg=audit(1520938272.489:206): avc:  denied  { remount } for  pid=1787 comm="(fprintd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0


Hash: (ostnamed),init_t,unlabeled_t,filesystem,remount

Version-Release number of selected component:
selinux-policy-3.14.1-11.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport
Comment 1 Gene Snider 2018-03-13 18:54:42 UTC 
Description of problem:
I was downloading packages with firefox from koji.

Version-Release number of selected component:
selinux-policy-3.14.1-13.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc4.git0.1.fc28.x86_64
type:           libreport
Comment 2 Heiko Adams 2018-03-13 20:53:24 UTC 
Description of problem:
Just logged into a new gnome session

Version-Release number of selected component:
selinux-policy-3.14.1-13.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc5.git0.1.fc28.x86_64
type:           libreport
Comment 3 Adam Williamson 2018-03-16 10:13:00 UTC 
This is hitting almost all openQA tests lately. Nominating as an F28 Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."
Comment 4 Fedora Update System 2018-03-16 10:18:26 UTC 
selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
Comment 5 Fedora Update System 2018-03-16 14:43:18 UTC 
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
Comment 6 Adam Williamson 2018-03-16 22:56:51 UTC 
*** Bug 1555328 has been marked as a duplicate of this bug. ***
Comment 7 Adam Williamson 2018-03-16 22:58:02 UTC 
I am +1 Beta FE on this, it's clearly good to avoid AVCs out of the box (and it avoids an ocean of soft failures in openQA, and failures in some tests of Dusty's).
Comment 8 Patrick Uiterwijk 2018-03-16 23:05:56 UTC 
+1 final blocker and +1 beta FE.
Comment 9 Dennis Gilmore 2018-03-16 23:44:09 UTC 
+1 Beta FE and +1 Final Blocker
Comment 10 Kevin Fenzi 2018-03-16 23:48:36 UTC 
+1 Beta FE
Comment 11 Zdenek Chmelar 2018-03-16 23:53:19 UTC 
Update selinux-policy-3.14.1-14.fc28 fixed this issue. I didn't get any error so far.
Comment 12 Adam Williamson 2018-03-17 00:08:39 UTC 
That's +4 FE, setting accepted.
Comment 13 Fedora Update System 2018-03-18 00:53:50 UTC 
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.