Bug 1932681
| Summary: | SELinux is preventing pool-geoclue from 'getattr' accesses on the filesystem /sys/fs/cgroup. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 34 | CC: | awilliam, dwalsh, grepl.miroslav, kparal, lvrabec, mmalik, mwolf, omosnace, patrick, plautrba, sanjay.ankur, vmojzis, vondruch, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:19889491adea744704742ebcc0b0573f9ec76e573a000aedb965d8cabdf22cac;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-34.2-1.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-04-24 19:45:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 1936389 has been marked as a duplicate of this bug. *** Similar problem has been detected: I launched redshift-gtk-1.12-11.fc34.x86_64 in LXQt (liblxqt-0.16.0-3.fc34.x86_64) with geoclue2-2.5.7-3.fc35.x86_64. hashmarkername: setroubleshoot kernel: 5.12.0-0.rc2.20210309git144c79ef3353.166.fc35.x86_64 package: selinux-policy-targeted-3.14.8-6.fc35.noarch reason: SELinux is preventing /usr/libexec/geoclue from 'getattr' accesses on the système de fichiers /sys/fs/cgroup/. type: libreport Similar problem has been detected: Happens during boot of current Fedora 34 Workstation. hashmarkername: setroubleshoot kernel: 5.11.6-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-25.fc34.noarch reason: SELinux is preventing pool-geoclue from 'getattr' accesses on the filesystem /sys/fs/cgroup. type: libreport Similar problem has been detected: Happens during normal use of current F34 Workstation. hashmarkername: setroubleshoot kernel: 5.11.10-300.fc34.x86_64 package: selinux-policy-targeted-3.14.7-28.fc34.noarch reason: SELinux is preventing pool-geoclue from 'getattr' accesses on the filesystem /sys/fs/cgroup. type: libreport Similar problem has been detected: Just logged in. hashmarkername: setroubleshoot kernel: 5.11.11-300.fc34.x86_64 package: selinux-policy-targeted-34-1.fc34.noarch reason: SELinux is preventing pool-geoclue from 'getattr' accesses on the filesystem /sys/fs/cgroup. type: libreport Merged in rawhide:
commit 758687d367ef820e488f2475f1515c2207218284
Author: Zdenek Pytela <zpytela>
Date: Tue Apr 6 18:20:08 2021 +0200
Allow pool-geoclue get attributes of cgroup filesystems
Resolves: rhbz#1932681
FEDORA-2021-79ef7c5af6 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-79ef7c5af6 FEDORA-2021-79ef7c5af6 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-79ef7c5af6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-79ef7c5af6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-79ef7c5af6 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-79ef7c5af6 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: SELinux is preventing pool-geoclue from 'getattr' accesses on the filesystem /sys/fs/cgroup. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pool-geoclue should be allowed getattr access on the cgroup filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pool-geoclue' --raw | audit2allow -M my-poolgeoclue # semodule -X 300 -i my-poolgeoclue.pp Additional Information: Source Context system_u:system_r:geoclue_t:s0 Target Context system_u:object_r:cgroup_t:s0 Target Objects /sys/fs/cgroup [ filesystem ] Source pool-geoclue Source Path pool-geoclue Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.8-3.fc35.noarch Local Policy RPM selinux-policy-targeted-3.14.8-3.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.11.0-155.fc35.x86_64+debug #1 SMP Wed Feb 17 00:22:21 +05 2021 x86_64 x86_64 Alert Count 1 First Seen 2021-02-25 03:52:35 +05 Last Seen 2021-02-25 03:52:35 +05 Local ID 67d588bb-0722-4265-bff4-02b879918ef0 Raw Audit Messages type=AVC msg=audit(1614207155.917:638): avc: denied { getattr } for pid=1725 comm="pool-geoclue" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1 Hash: pool-geoclue,geoclue_t,cgroup_t,filesystem,getattr Version-Release number of selected component: selinux-policy-targeted-3.14.8-3.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.0-155.fc35.x86_64+debug type: libreport