Bug 1943785
| Summary: | SELinux is preventing f2b/f.recidive from 'watch' accesses on the dossier /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Berrehouc <nberrehouc> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 34 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, nberrehouc, omosnace, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:e154e1377d2b81c89e18973a654f2bc6cd95c624ccd0a057294bc1d7fbfdef98;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-31 19:11:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Still present with: selinux-policy-3.14.7-29.fc34.noarch selinux-policy-targeted-3.14.7-29.fc34.noarch *** This bug has been marked as a duplicate of bug 1943696 *** |
Description of problem: After upgrade from F33 to F34 Beta. SELinux is preventing f2b/f.recidive from 'watch' accesses on the dossier /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b. ***** Plugin catchall (100. confidence) suggests ************************** Si vous pensez que f.recidive devrait être autorisé à accéder watch sur ec1f2eff01f44aa2bebe5f6230eac47b directory par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do autoriser cet accès pour le moment en exécutant : # ausearch -c "f2b/f.recidive" --raw | audit2allow -M my-f2bfrecidive # semodule -X 300 -i my-f2bfrecidive.pp Additional Information: Source Context system_u:system_r:fail2ban_t:s0 Target Context system_u:object_r:var_log_t:s0 Target Objects /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b [ dir ] Source f2b/f.recidive Source Path f2b/f.recidive Port <Inconnu> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.7-27.fc34.noarch Local Policy RPM selinux-policy-targeted-3.14.7-27.fc34.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.11.9-300.fc34.x86_64 #1 SMP Wed Mar 24 12:06:51 UTC 2021 x86_64 x86_64 Alert Count 20 First Seen 2021-03-27 07:49:50 CET Last Seen 2021-03-27 07:55:39 CET Local ID e2a094b6-ebab-4243-9b28-0716415a3704 Raw Audit Messages type=AVC msg=audit(1616828139.877:528): avc: denied { watch } for pid=817 comm="f2b/f.selinux-s" path="/var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b" dev="sda2" ino=168932 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0 Hash: f2b/f.recidive,fail2ban_t,var_log_t,dir,watch Version-Release number of selected component: selinux-policy-targeted-3.14.7-27.fc34.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.9-300.fc34.x86_64 type: libreport