Bug 1917173
| Summary: | SELinux is preventing colord from 'read' accesses on the Datei /var/lib/flatpak/exports/share/mime/mime.cache. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | bb |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 33 | CC: | david.moore, dwalsh, grepl.miroslav, james, jhaiduce, jorge.fabregas, krinkodot22, lvrabec, michael.scheiffler, mmalik, omosnace, online, plautrba, powerdman.me, relentless.1980, Simon.Gerhards, tony, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:bbc951fe8096a7628480f292c220a11395a48824918f4c7b80f9e58c754b3507;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-04-14 19:08:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Similar problem has been detected: After updating selinux-policy & selinux-policy-targeted to 3.14.6-34, this SELinux alert happens on every boot. I already tried relabeling the system, running `sudo flatpak repair`, and reinstalling selinux-policy & selinux-policy-targeted, but to no avail. Potential duplicates: https://bugzilla.redhat.com/show_bug.cgi?id=1917172 https://bugzilla.redhat.com/show_bug.cgi?id=1917173 https://bugzilla.redhat.com/show_bug.cgi?id=1917174 hashmarkername: setroubleshoot kernel: 5.10.7-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing colord from 'read' accesses on the file /var/lib/flatpak/exports/share/mime/generic-icons. type: libreport Similar problem has been detected: Updated system to colord-1.4.5-1.fc33.x86_64, selinux-policy-targeted-3.14.6-34.fc33.noarch hashmarkername: setroubleshoot kernel: 5.10.7-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing colord from 'read' accesses on the file /var/lib/flatpak/exports/share/mime/generic-icons. type: libreport Similar problem has been detected: This happen on after every single Power On. I have a custim .icc profile installed in ~/.local/share/icc/profile.icc hashmarkername: setroubleshoot kernel: 5.10.7-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing colord from 'read' accesses on the file /var/lib/flatpak/exports/share/mime/generic-icons. type: libreport Similar problem has been detected: Happens every time I log in to Fedora 33 hashmarkername: setroubleshoot kernel: 5.10.17-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing colord from 'read' accesses on the file /var/lib/flatpak/exports/share/mime/generic-icons. type: libreport Not fixed after upgrading to selinux-policy-targeted from 3.14.6-34 to 3.14.6-35. Similar problem has been detected:
Turned computer on after upgrading to flatpak{,-libs,-selinux,-session-helper} from 1.8.2-2 to 1.10.2-1.
hashmarkername: setroubleshoot
kernel: 5.11.7-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-35.fc33.noarch
reason: SELinux is preventing colord from 'read' accesses on the file /var/lib/flatpak/exports/share/mime/generic-icons.
type: libreport
*** This bug has been marked as a duplicate of bug 1916652 *** |
Description of problem: SELinux is preventing colord from 'read' accesses on the Datei /var/lib/flatpak/exports/share/mime/mime.cache. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* Wenn Sie erlauben wollen, dass colord read Zugriff auf mime.cache file Then sie müssen das Label auf /var/lib/flatpak/exports/share/mime/mime.cache ändern Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/mime/mime.cache' wobei FILE_TYPE einer der folgenen Werte ist: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_home_t, alsa_tmp_t, amanda_tmp_t, antivirus_home_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, audio_home_t, auditadm_sudo_tmp_t, auditd_tmp_t, auth_home_t, autofs_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cache_home_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, certmonger_tmp_t, cgroup_t, chrome_sandbox_home_t, chrome_sandbox_tmp_t, chronyd_tmp_t, cifs_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, cockpit_tmp_t, cockpit_tmpfs_t, collectd_script_tmp_t, colord_exec_t, colord_tmp_t, colord_tmpfs_t, colord_var_lib_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, config_home_t, conman_tmp_t, container_file_t, container_home_t, container_runtime_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_etc_t, cupsd_lpd_tmp_t, cupsd_rw_etc_t, cupsd_tmp_t, cvs_home_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbus_home_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dnsmasq_tmp_t, dnssec_trigger_tmp_t, dosfs_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, ecryptfs_t, efivarfs_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, fetchmail_home_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fprintd_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, fusefs_t, games_tmp_t, games_tmpfs_t, gconf_home_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t, git_user_content_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpg_secret_t, gpm_tmp_t, gssd_tmp_t, gstreamer_home_t, home_bin_t, home_cert_t, hostname_etc_t, hsqldb_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icc_data_home_t, iceauth_home_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipa_custodia_tmp_t, ipa_tmp_t, ipsec_tmp_t, iptables_tmp_t, irc_home_t, irc_tmp_t, irssi_home_t, iscsi_tmp_t, iso9660_t, jetty_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keystone_tmp_t, kismet_home_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, local_login_home_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_home_rw_t, mail_home_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mandb_home_t, mdadm_tmp_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_home_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_home_t, mpd_tmp_t, mpd_user_data_t, mplayer_home_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_home_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nfs_t, nfsd_tmp_t, nova_tmp_t, nsd_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, opendnssec_tmp_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openshift_var_lib_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, oracleasm_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, piranha_web_tmp_t, pkcs11_modules_conf_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_auth_exec_t, policykit_reload_t, policykit_tmp_t, policykit_var_lib_t, polipo_cache_home_t, polipo_config_home_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_home_t, procmail_tmp_t, prosody_tmp_t, psad_tmp_t, pulseaudio_home_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, rabbitmq_tmp_t, racoon_tmp_t, realmd_tmp_t, redis_tmp_t, removable_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_home_t, rlogind_tmp_t, rolekit_tmp_t, rpcbind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rpmdb_tmp_t, rrdcached_tmp_t, rssh_ro_t, rssh_rw_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sandbox_file_t, sbd_tmpfs_t, sblim_tmp_t, screen_home_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snappy_home_t, snappy_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_home_t, spamc_tmp_t, spamd_tmp_t, speech_dispatcher_home_t, speech_dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_home_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_tmp_t, svirt_home_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_cronjob_var_lib_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_home_t, systemd_hwdb_etc_t, systemd_importd_tmp_t, systemd_logind_sessions_t, sysv_t, targetd_tmp_t, tcpd_tmp_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_logger_tmp_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_home_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, texlive_home_t, textrel_shlib_t, tgtd_tmp_t, thumb_home_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_home_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, uml_ro_t, uml_rw_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, usbfs_t, user_cron_spool_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_content_t, virt_home_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, vmblock_t, vmtools_tmp_t, vmware_conf_t, vmware_file_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wine_home_t, wireshark_home_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_home_t, xauth_tmp_t, xdm_home_t, xdm_var_lib_t, xdm_var_run_t, xend_tmp_t, xenfs_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t, zoneminder_tmpfs_t. Führen Sie danach Folgendes aus: restorecon -v '/var/lib/flatpak/exports/share/mime/mime.cache' ***** Plugin catchall (17.1 confidence) suggests ************************** Wenn Sie denken, dass es colord standardmäßig erlaubt sein sollte, read Zugriff auf mime.cache file zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # ausearch -c 'colord' --raw | audit2allow -M my-colord # semodule -X 300 -i my-colord.pp Additional Information: Source Context system_u:system_r:colord_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak/exports/share/mime/mime.cache [ file ] Source colord Source Path colord Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.6-33.fc33.noarch Local Policy RPM selinux-policy-targeted-3.14.6-33.fc33.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.10.7-200.fc33.x86_64 #1 SMP Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64 Alert Count 4 First Seen 2021-01-16 13:08:41 CET Last Seen 2021-01-17 21:29:46 CET Local ID 0ce42b44-718e-43bc-a13a-c75b89a19409 Raw Audit Messages type=AVC msg=audit(1610915386.118:167): avc: denied { read } for pid=905 comm="colord" name="mime.cache" dev="dm-0" ino=4456476 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 Hash: colord,colord_t,var_lib_t,file,read Version-Release number of selected component: selinux-policy-targeted-3.14.6-33.fc33.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.10.7-200.fc33.x86_64 type: libreport Potential duplicate: bug 766032