Bug 1889645

Summary: SELinux is preventing mandb from 'search' accesses on the directory /var/lib/snapd.
Product: Fedora
Reporter: ricky.tigg
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 33
CC: dwalsh, fry.futurateam, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Keywords: Triaged
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:c9a9b4ab600c92bd44d26c68a659a592b8ede26cb99c4a99891d84eb9dbad315;VARIANT_ID=workstation;
Last Closed: 2020-10-22 09:17:23 UTC

Description ricky.tigg 2020-10-20 09:52:44 UTC
Description of problem:
SELinux is preventing mandb from 'search' accesses on the directory /var/lib/snapd.

*****  Plugin restorecon (68.9 confidence) suggests   ************************

If you want to fix the label. 
/var/lib/snapd default label should be var_lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/lib/snapd

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (3.92 confidence) suggests   *******************

If you want to allow mandb to have search access on the snapd directory
Then you need to change the label on /var/lib/snapd
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/snapd'
where FILE_TYPE is one of the following: abrt_var_run_t, admin_home_t, bin_t, boot_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t, cpu_online_t, default_t, device_t, devpts_t, etc_runtime_t, etc_t, fail2ban_var_lib_t, fonts_cache_t, fonts_t, home_root_t, httpd_sys_content_t, init_var_run_t, lib_t, locale_t, lost_found_t, man_cache_t, man_t, mandb_cache_t, mnt_t, nscd_var_run_t, pkcs11_modules_conf_t, proc_t, rkhunter_var_lib_t, root_t, rpm_log_t, rpm_script_tmp_t, security_t, selinux_config_t, setrans_var_run_t, shell_exec_t, sosreport_tmp_t, src_t, sssd_public_t, sssd_var_lib_t, sysctl_t, sysfs_t, system_conf_t, system_db_t, textrel_shlib_t, tmp_t, tmpfs_t, user_home_dir_t, usr_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, var_t.
Then execute:
restorecon -v '/var/lib/snapd'


*****  Plugin catchall (1.18 confidence) suggests   **************************

If you believe that mandb should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mandb' --raw | audit2allow -M my-mandb
# semodule -X 300 -i my-mandb.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /var/lib/snapd [ dir ]
Source                        mandb
Source Path                   mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-28.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-28.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.14-300.fc33.x86_64 #1 SMP Wed
                              Oct 7 21:44:23 UTC 2020 x86_64 x86_64
Alert Count                   4
First Seen                    2020-10-16 14:52:13 EEST
Last Seen                     2020-10-20 12:36:58 EEST
Local ID                      4da3abba-9d2e-458a-9435-0e888ce14460

Raw Audit Messages
type=AVC msg=audit(1603186618.880:332): avc:  denied  { search } for  pid=10816 comm="mandb" name="snapd" dev="sda6" ino=249194 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 trawcon="system_u:object_r:snappy_var_lib_t:s0"


Hash: mandb,mandb_t,unlabeled_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-28.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.8.14-300.fc33.x86_64
type:           libreport

Potential duplicate: bug 1782694

Comment 1 Zdenek Pytela 2020-10-20 10:05:35 UTC
Hi,

Could you please ensure you have the snappy selinux module installed and active?

1. Ensure the subpackage is installed:
rpm -q snapd-selinux
2. Check the active modules:
semodule -lfull|grep -e snappy
3. List all modules with priority 200:
ls -l /var/lib/selinux/targeted/active/modules/200/
4. Check the default context:
matchpathcon /var/lib/snapd
5. List the context of the directory:
ls -lZ /var/lib/snapd

Comment 2 ricky.tigg 2020-10-20 11:03:59 UTC
I must have brought confusion to this report by omitting to mention that snapd had previously been uninstalled.

$ rpm -q snapd-selinux
package snapd-selinux is not installed
# semodule -lfull|grep -e snappy
# ls -l /var/lib/selinux/targeted/active/modules/200/ | sed 1d
drwx------. 1 root root 28 Oct 16 12:48 container
drwx------. 1 root root 28 Oct 16 12:48 flatpak
drwx------. 1 root root 28 Oct 16 12:48 mysql
$ matchpathcon /var/lib/snapd
Deprecated, use selabel_lookup
/var/lib/snapd	system_u:object_r:var_lib_t:s0
$ ls -lZ /var/lib/snapd | sed 1d
drwx------. 1 root root system_u:object_r:unlabeled_t:s0  0 Oct 16 12:48 cache
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 10 Oct 16 12:48 desktop
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0  0 Oct 16 12:48 sequence

Comment 3 Zdenek Pytela 2020-10-22 09:17:23 UTC
Hi,

That explains it. You should now remove the remnant files/dirs if you don't need them any longer, or relabel them with restorecon if you do, and check why mandb wants to go through this directory: /etc/man_db.conf

Closing as NOTABUG. Feel free to reopen the bugzilla if the issues continue.

Comment 4 Zdenek Pytela 2020-10-22 09:25:50 UTC
*** Bug 1782694 has been marked as a duplicate of this bug. ***
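The diagnosis above turns on one detail of the Raw Audit Messages line in the description: the kernel reports tcontext=...:unlabeled_t, but the same record also carries trawcon="system_u:object_r:snappy_var_lib_t:s0". That pairing appears whenever the on-disk security.selinux xattr names a type the loaded policy no longer knows (here, after snapd-selinux was removed), and it is what distinguishes a stale label from an ordinary mislabel. The following script is an added example, not part of the bug report and not Fedora's setroubleshoot or any snapd tooling; the function names (avc_field, classify_avc, suggest_fix) are my own, and the sample input is the report's own AVC line, embedded as a constant so the script runs offline. It also shows why the catchall suggestion (audit2allow) is the wrong fix for this class of denial: the rule it would generate is `allow mandb_t unlabeled_t:dir search;`, which opens every unlabeled object to mandb, not just the leftover snapd directory.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report or from setroubleshoot): classify an
# SELinux AVC denial whose target is unlabeled_t and pick the right remedy.
#
# tcontext=...:unlabeled_t means the object's security.selinux xattr could not
# be mapped to a SID under the loaded policy. When that happens the kernel also
# logs the raw xattr as trawcon="...", so a record carrying both identifies a
# leftover from a removed policy module (stale label). A record with a known
# type in tcontext is an ordinary denial and is checked against the policy
# default (matchpathcon / selabel_lookup) before any policy change is made.

# Constructed sample: the Raw Audit Messages line from the report.
SAMPLE_AVC='type=AVC msg=audit(1603186618.880:332): avc:  denied  { search } for  pid=10816 comm="mandb" name="snapd" dev="sda6" ino=249194 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 trawcon="system_u:object_r:snappy_var_lib_t:s0"'

# avc_field LINE KEY: value of the first " KEY=..." token with surrounding
# quotes stripped; empty string when the key is absent.
avc_field() {
    local v
    v=$(printf '%s\n' "$1" | grep -o " $2=[^ ]*" | head -n 1 || true)
    v=${v#* $2=}
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# type_of CONTEXT: the type field of user:role:type:level.
type_of() { printf '%s' "$1" | cut -d: -f3; }

# classify_avc LINE: prints one of
#   stale-label:<rawtype>  tcontext is unlabeled_t and trawcon names the
#                          unknown on-disk type (policy module removed)
#   unlabeled              tcontext is unlabeled_t and no raw context was
#                          logged (object never labelled at all)
#   labeled:<type>         ordinary denial against a type the policy knows
classify_avc() {
    local tctx rctx ttype
    tctx=$(avc_field "$1" tcontext)
    rctx=$(avc_field "$1" trawcon)
    ttype=$(type_of "$tctx")
    if [ "$ttype" = unlabeled_t ]; then
        if [ -n "$rctx" ]; then
            printf 'stale-label:%s\n' "$(type_of "$rctx")"
        else
            printf 'unlabeled\n'
        fi
    else
        printf 'labeled:%s\n' "$ttype"
    fi
}

# suggest_fix CLASSIFICATION PATH: the remediation for each class. Note that
# audit2allow is deliberately never suggested: for an unlabeled_t target it
# would emit "allow <domain> unlabeled_t:<class> <perm>;", a rule covering
# every unlabeled object on the system.
suggest_fix() {
    case $1 in
        stale-label:*) printf 'restorecon -Rv %s   # or rm -rf %s if the remnants are unwanted\n' "$2" "$2" ;;
        unlabeled)     printf 'restorecon -Rv %s\n' "$2" ;;
        labeled:*)     printf 'matchpathcon %s   # compare with: ls -dZ %s\n' "$2" "$2" ;;
        *)             printf 'unrecognised classification: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Offline run on the constructed sample. On a live host feed real records
# instead, e.g.:
#   ausearch -m AVC -c mandb --raw | while read -r l; do classify_avc "$l"; done
cls=$(classify_avc "$SAMPLE_AVC")
printf '%s -> %s\n' "$(avc_field "$SAMPLE_AVC" comm)" "$cls"
suggest_fix "$cls" /var/lib/snapd
```

For the report's record the script prints `mandb -> stale-label:snappy_var_lib_t` and suggests `restorecon -Rv /var/lib/snapd`, which is exactly the restorecon-or-remove outcome reached in Comment 3; the semanage fcontext and autorelabel suggestions from setroubleshoot are unnecessary here because matchpathcon already returns the correct default (var_lib_t), only the on-disk xattrs are stale.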