Bug 1581812
| Summary: | SELinux is preventing snapd from 'execute_no_trans' accesses on the fichier /usr/libexec/snapd/snap-seccomp. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | gerald.goemaere |
| Component: | snapd | Assignee: | Zygmunt Krynicki <me> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | dwalsh, lvrabec, me, mgrepl, ngompa13, plautrba, pmoore |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:1b73e5a15a4c1c39184668db5b22964bf1ff468563b46b8ab6bbefe4171350b2;VARIANT_ID=workstation; | ||
| Fixed In Version: | snapd-2.33.1-1.fc27 snapd-2.33.1-1.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-07-01 22:23:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
snapd-2.33.1-1.fc27 snapd-glib-1.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1330056acb snapd-2.33.1-1.fc28 snapd-glib-1.41-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-942eec912c snapd-2.33.1-1.fc27, snapd-glib-1.41-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. snapd-2.33.1-1.fc28, snapd-glib-1.41-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing snapd from 'execute_no_trans' accesses on the fichier /usr/libexec/snapd/snap-seccomp. ***** Plugin catchall (100. confidence) suggests ************************** Si vous pensez que snapd devrait être autorisé à accéder execute_no_trans sur snap-seccomp file par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do autoriser cet accès pour le moment en exécutant : # ausearch -c "snapd" --raw | audit2allow -M my-snapd # semodule -X 300 -i my-snapd.pp Additional Information: Source Context system_u:system_r:snappy_t:s0 Target Context system_u:object_r:snappy_exec_t:s0 Target Objects /usr/libexec/snapd/snap-seccomp [ file ] Source snapd Source Path snapd Port <Inconnu> Host (removed) Source RPM Packages Target RPM Packages snap-confine-2.32.4-1.fc28.x86_64 Policy RPM selinux-policy-3.14.1-24.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.16.9-300.fc28.x86_64 #1 SMP Thu May 17 06:39:18 UTC 2018 x86_64 x86_64 Alert Count 4 First Seen 2018-05-23 18:27:20 CEST Last Seen 2018-05-23 18:30:50 CEST Local ID 040a979e-9a5f-4f03-9fb4-a52066efaf67 Raw Audit Messages type=AVC msg=audit(1527093050.614:423): avc: denied { execute_no_trans } for pid=5634 comm="snapd" path="/usr/libexec/snapd/snap-seccomp" dev="dm-0" ino=1182907 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_exec_t:s0 tclass=file permissive=1 Hash: snapd,snappy_t,snappy_exec_t,file,execute_no_trans Version-Release number of selected component: selinux-policy-3.14.1-24.fc28.noarch Additional info: component: selinux-policy reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.16.9-300.fc28.x86_64 type: libreport Potential duplicate: bug 1514809