Bug 2049351

| Field | Value |
|---|---|
| Summary: | Selinux alerts |
| Product: | [Fedora] Fedora |
| Reporter: | bodhi.zazen <bodhi.zazen> |
| Component: | selinux-policy |
| Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium |
| Docs Contact: | |
| Priority: | medium |
| Version: | 35 |
| CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- |
| Keywords: | Triaged |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | If docs needed, set a value |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2022-02-16 17:24:37 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | |
| Bug Blocks: | 1767779 |
| Attachments: | avc denials (1858747), avc denials (1858748) |
Additional information:
```
ausearch -m avc -ts boot | audit2allow -a -M upgrade
cat upgrade.te [0]
module upgrade 1.0;

require {
	type root_t;
	type var_log_t;
	type staff_t;
	type fonts_t;
	type system_conf_t;
	type bin_t;
	type lib_t;
	class dir watch;
	class sock_file write;
}

#============= staff_t ==============
allow staff_t bin_t:dir watch;
allow staff_t fonts_t:dir watch;
allow staff_t lib_t:dir watch;
allow staff_t root_t:dir watch;
allow staff_t system_conf_t:dir watch;
allow staff_t var_log_t:sock_file write;
```
I am 99.9% certain the last line regarding "allow staff_t var_log_t:sock_file write;" is related to the citrix client and unrelated to the upgrade, but I included it to be complete. It looks as if selinux policy does not like the "watch".

I relabeled the files after upgrade prior to reboot.
Thank you for reporting the issue. Could you include more details? Has something changed in your configuration? I cannot see such denials in my environment; staff has already been allowed to watch a bunch of directories. The "staff_t var_log_t:sock_file write" is unlikely to be allowed, but the rest is if there is a reason. To find out what is actually going on, full auditing enabled is very helpful. Please do the following:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists: -a task,never
3) Add the following line to the end of the file: -w /etc/shadow -p w
4) Restart the audit daemon: # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you for looking at this and your advice. I have not changed any configuration or selinux settings. For what it is worth, my understanding is semanage export will show any local changes, thus:

```
semanage export [0]
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
ibendport -D
ibpkey -D
permissive -D
boolean -m -1 domain_can_mmap_files
login -a -s staff_u -r 's0' bodhi
fcontext -a -f a -t chrome_sandbox_exec_t -r 's0' '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t rpm_exec_t -r 's0' '/usr/share/dnfdaemon/dnfdaemon-system'
```

The selinux alerts are continuous so I piped the output to a text file I will upload as "avc_denials".

Created attachment 1858747 [details]
avc denials

Created attachment 1858748 [details]
avc denials

Well, something has to be done as these selinux alerts are filling my logs and thus hard drive.

There is a PR to address this and similar permissions: https://github.com/fedora-selinux/selinux-policy/pull/1061
Description of problem:
I upgraded from Fedora 33 to 35, I use confined users, and selinux alert browser is going crazy

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Log in
2. Selinux alert browser is flashing non-stop
3.

Actual results:
Selinux alert browser is flashing non-stop

Expected results:
No selinux alerts

Additional info:
Endless output:

```
type=AVC msg=audit(1643765589.633:566): avc: denied { watch } for pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/vlgothic" dev="dm-0" ino=4194591 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
```

appears I am getting this message for every font in /usr/share/fonts
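As an added example (not from the bug report or the selinux-policy project), the following Python collapses a flood of AVC records like the one above into the (source type, target type, class, permission) tuples that audit2allow reports, so hundreds of per-font denials show up as the single `allow staff_t fonts_t:dir watch;` rule and the unrelated sock_file denial stays separate; the sample records other than the first are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the one quoted in the report; the
# others mimic the per-font flood and add one unrelated sock_file denial.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1643765589.633:566): avc: denied { watch } for pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/vlgothic" dev="dm-0" ino=4194591 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643765589.634:567): avc: denied { watch } for pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/dejavu" dev="dm-0" ino=4194592 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643765589.635:568): avc: denied { watch } for pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/vlgothic" dev="dm-0" ino=4194591 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643765590.001:569): avc: denied { write } for pid=4021 comm="example-app" name="example.sock" dev="dm-0" ino=77 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file permissive=0
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; TE rules name only the type.
    return {"perms": m.group("perms").split(),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "path": fields.get("path") or fields.get("name") or "?"}

def summarize(log_text):
    """Collapse the flood to (stype, ttype, tclass, perm) -> {count, paths}."""
    summary = defaultdict(lambda: {"count": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            entry = summary[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            entry["count"] += 1
            entry["paths"].add(rec["path"])
    return dict(summary)

def te_rules(summary):
    """The allow rules audit2allow would propose: one per distinct tuple."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in summary)

if __name__ == "__main__":
    print("\n".join(te_rules(summarize(SAMPLE_AVC_LOG))))
```

Feed it the real `ausearch -m avc` output instead of the constructed sample and the `count` versus `len(paths)` ratio per tuple tells you whether a rule is hit by one noisy process or by many distinct objects.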