Bug 1645822
| Summary: | SELinux is preventing colord from 'map' accesses on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Christian Kujau <redhat> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 29 | CC: | dade, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:b345ecd0606ea9d3c939fbc4448c057f3fce8ee7d0d1df507b63e7cb883e741c;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.14.2-46.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-01-17 02:16:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
lvrabec@lvrabec-workstation fedora/repo (rawhide) » git show
commit bb32a71dcac5c8f6e022151cc3e32b3b994fa136 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Sun Nov 4 13:27:51 2018 +0100
Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
selinux-policy-3.14.2-42.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3

selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3

selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

This is still happening with the newest release:
$ rpm -q selinux-policy
selinux-policy-3.14.2-42.fc29.noarch
SELinux is preventing colord from map access on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.
Additional Information:
Source Context system_u:system_r:colord_t:s0
Target Context system_u:object_r:ecryptfs_t:s0
Target Objects /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc [ file ]
Source colord
Source Path colord
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux horus 4.18.17-300.fc29.x86_64 #1 SMP Mon Nov 5 17:56:16 UTC 2018 x86_64 x86_64
Alert Count 18
First Seen 2018-11-05 15:02:12 PST
Last Seen 2018-11-12 02:31:49 PST
Local ID 4193ec6f-e33c-4b64-997a-9ee830f0d3ea
Raw Audit Messages
type=AVC msg=audit(1542018709.99:277): avc: denied { map } for pid=4437 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
Hash: colord,colord_t,ecryptfs_t,file,map
commit 1a72c6213b0745f7bead41b151c17ce50986004c (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Mon Dec 17 19:26:21 2018 +0100
Allow colord_t domain to manage ecryptfs_t objects if use_ecryptfs_home_dirs boolean is turned on
Resolves: rhbz#1645822
FWIW, this is still present with selinux-policy-3.14.2-44.fc29. But as this bug is in POST, I assume this will be fixed with a later release of selinux-policy.

selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

This is still a problem or there was a regression.
$ rpm -q selinux-policy
selinux-policy-3.14.2-49.fc29.noarch
$ sealert -l e60a3926-bf71-4ebf-a6cb-71c27cc30fca
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glib
SELinux is preventing colord from map access on the file /home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that colord should be allowed map access on the edid-a20fe83342bbb99ba4c4f2bad413b022.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp
Additional Information:
Source Context system_u:system_r:colord_t:s0
Target Context unconfined_u:object_r:container_file_t:s0
Target Objects /home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc [ file ]
Source colord
Source Path colord
Port <Unknown>
Host niv110
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-49.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name niv110
Platform Linux niv110 4.20.14-200.fc29.x86_64 #1 SMP Tue Mar 5 19:55:32 UTC 2019 x86_64 x86_64
Alert Count 4
First Seen 2019-03-11 12:16:52 CET
Last Seen 2019-03-12 09:28:03 CET
Local ID e60a3926-bf71-4ebf-a6cb-71c27cc30fca
Raw Audit Messages
type=AVC msg=audit(1552379283.823:272): avc: denied { map } for pid=1532 comm="colord" path="/home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc" dev="dm-3" ino=8388705 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
Hash: colord,colord_t,container_file_t,file,map
Description of problem:
Still happening with F29 (upgraded from F28). Example from boot log:

# sealert -l e486d3b9-de8f-4b42-af4e-01396d1bfd37
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glib
SELinux is preventing colord from map access on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.

***** Plugin restorecon (92.2 confidence) suggests ************************
If you want to fix the label.
/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc default label should be icc_data_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc

***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1

***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that colord should be allowed map access on the edid-4daa39eed4132dd27967977091f97abe.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp

Additional Information:
Source Context system_u:system_r:colord_t:s0
Target Context system_u:object_r:ecryptfs_t:s0
Target Objects /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc [ file ]
Source colord
Source Path colord
Port <Unknown>
Host horus
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name horus
Platform Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2018-11-03 20:06:19 PDT
Last Seen 2018-11-03 20:06:19 PDT
Local ID e486d3b9-de8f-4b42-af4e-01396d1bfd37
Raw Audit Messages
type=AVC msg=audit(1541300779.784:327): avc: denied { map } for pid=1770 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
Hash: colord,colord_t,ecryptfs_t,file,map

SELinux is preventing colord from 'map' accesses on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.

***** Plugin restorecon (92.2 confidence) suggests ************************
If you want to fix the label.
/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc default label should be icc_data_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc

***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1

***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that colord should be allowed map access on the edid-4daa39eed4132dd27967977091f97abe.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp

Additional Information:
Source Context system_u:system_r:colord_t:s0
Target Context system_u:object_r:ecryptfs_t:s0
Target Objects /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc [ file ]
Source colord
Source Path colord
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2018-11-03 20:06:19 PDT
Last Seen 2018-11-03 20:06:19 PDT
Local ID e486d3b9-de8f-4b42-af4e-01396d1bfd37
Raw Audit Messages
type=AVC msg=audit(1541300779.784:327): avc: denied { map } for pid=1770 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
Hash: colord,colord_t,ecryptfs_t,file,map

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.9.6
hashmarkername: setroubleshoot
kernel: 4.18.16-300.fc29.x86_64
type: libreport
Potential duplicate: bug 1592640
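The sealert output above offers three remedies of very different scope: restorecon (fixes one file's label), a boolean (domain_can_mmap_files relaxes the map check for every confined domain, not just colord_t), and an audit2allow local module (which would grant colord_t map access to every ecryptfs_t file, i.e. the whole encrypted home, or to every container_file_t file in the third report). The Python below is an added illustration, not code from this bug report, setroubleshoot or audit2allow: it parses the raw AVC records quoted in this bug, derives the allow rule audit2allow would emit from them, and applies a small triage heuristic that prefers the narrowest remedy. The expected-label table (icc_data_home_t for ~/.local/share/icc, as the restorecon plugin states) and the mapping of ecryptfs_t to the use_ecryptfs_home_dirs boolean (which the fix commit keys on) are assumptions of the example, as are the function names.

```python
"""Parse raw SELinux AVC records and derive the rule audit2allow would emit.

Added example for bug 1645822; not code from the bug report, setroubleshoot
or audit2allow. The triage table is an assumption built from what the sealert
output in this bug states.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample input: the three raw AVC lines quoted in this bug, verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1541300779.784:327): avc: denied { map } for pid=1770 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1542018709.99:277): avc: denied { map } for pid=4437 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1552379283.823:272): avc: denied { map } for pid=1532 comm="colord" path="/home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc" dev="dm-3" ino=8388705 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    # shlex strips the quotes around comm="..." and path="..." values
    for tok in shlex.split(m.group("rest")):
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        **fields,
    }
    # user:role:type:level -> the type is what allow rules are written against
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rules(records):
    """Union denied permissions per (source type, target type, class),
    which is what audit2allow does before printing its allow rules."""
    perms = defaultdict(set)
    for r in records:
        if r and r["result"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        plist = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {plist};")
    return rules


# Assumed triage table (not from the page's tooling): the default label the
# restorecon plugin reported for this path, and the boolean the fix commit
# keys ecryptfs_t access on.
EXPECTED_LABEL = [(re.compile(r"^/home/[^/]+/\.local/share/icc/"), "icc_data_home_t")]
BOOLEAN_FOR_TTYPE = {"ecryptfs_t": "use_ecryptfs_home_dirs"}


def triage(rec):
    """First-pass recommendation: narrowest remedy first, local module last."""
    path = rec.get("path", "")
    for pat, label in EXPECTED_LABEL:
        if not pat.match(path):
            continue
        if rec["ttype"] == label:
            return (f"policy gap: {rec['stype']} lacks "
                    f"{' '.join(sorted(rec['perms']))} on {label}; report a bug")
        if rec["ttype"] in BOOLEAN_FOR_TTYPE:
            return (f"file on dev={rec.get('dev')} is {rec['ttype']}: check "
                    f"'getsebool {BOOLEAN_FOR_TTYPE[rec['ttype']]}' and the policy version")
        return f"mislabelled: expected {label}, got {rec['ttype']}; run restorecon -v {path}"
    return "path has no known default label; check matchpathcon before adding a module"


def main():
    records = [parse_avc(line) for line in SAMPLE_AVCS.splitlines()]
    for rule in allow_rules(records):
        print(rule)
    for r in records:
        print(f"{r['serial']}: {triage(r)}")


if __name__ == "__main__":
    main()
```

Run against a live system, the input would come from `ausearch -m AVC --raw` rather than the embedded sample; the point of keeping the triage step separate from the rule generation is that the rule audit2allow prints is only the right fix in the "policy gap" case, and even then it belongs in the distribution policy (as the commit resolving this bug does, behind a boolean) rather than in a permanent local module.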