Bug 2184203
Summary: SELinux is preventing userdel from 'rmdir' accesses on the directory overlay.
Product: [Fedora] Fedora
Reporter: Mikhail <mikhail.v.gavrilov>
Component: container-selinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: amurdaca, dwalsh, dweomer5, jchaloup, lsm5, lvrabec, mikhail.v.gavrilov, mmalik, omosnacek, pehunt, pkoncity, rh.container.bot, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:85227ee9893f2afa72e2e64a5e252ea05f383bdb517b1d21aebd8e7df0ee09d3;VARIANT_ID=workstation;
Fixed In Version: container-selinux-2.211.1-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-05 14:21:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:

Description
Mikhail
2023-04-03 22:59:02 UTC
Created attachment 1955620
File: description
Created attachment 1955621
File: os_info

What command are you running when you get this error?

*** Bug 2184204 has been marked as a duplicate of this bug. ***

(In reply to Daniel Walsh from comment #3)
> What command are you running when you get this error?

I am deleting a Linux user using GNOME Control Center.

Then the question is how did the container_ro_file_t label get in place?

type=AVC msg=audit(1680562685.733:1154): avc: denied { rmdir } for pid=687064 comm="userdel" name="overlay" dev="nvme1n1" ino=84448506 scontext=system_u:system_r:useradd_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1

Is this useradd removing an entire home directory?

I think the fix to this would be to add user_home_type labels to the container labels.

Fixed in container-selinux-2.210.0

FEDORA-2023-06ac069828 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-06ac069828

FEDORA-2023-c2d3c3af89 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2d3c3af89

FEDORA-2023-06ac069828 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-06ac069828`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-06ac069828
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-c2d3c3af89 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c2d3c3af89`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2d3c3af89
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-f0fe2923f2 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f0fe2923f2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f0fe2923f2
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-f0fe2923f2 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
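
For triage of reports like this one, the following added example (not part of the bug thread and not container-selinux code) parses AVC records such as the one quoted above into source domain, target type, class and permissions, and groups denials so that a labeling mismatch like `useradd_t` acting on `container_ro_file_t` stands out. The function names are hypothetical; `SAMPLE` is the record from this report.

```python
import re
from collections import defaultdict

# AVC record copied from this bug report (whitespace as it appears on the page).
SAMPLE = ('type=AVC msg=audit(1680562685.733:1154): avc: denied { rmdir } for '
          'pid=687064 comm="userdel" name="overlay" dev="nvme1n1" ino=84448506 '
          'scontext=system_u:system_r:useradd_t:s0 '
          'tcontext=unconfined_u:object_r:container_ro_file_t:s0 '
          'tclass=dir permissive=1')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; an MLS/MCS level may contain colons."""
    parts = ctx.split(":", 3)
    level = parts[3] if len(parts) > 3 else None
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        # permissive=1: the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
    }

def summarize(lines):
    """Group denials by (source type, target type, class) -> set of perms."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
            groups[key].update(rec["perms"])
    return dict(groups)

if __name__ == "__main__":
    print(summarize([SAMPLE]))
```
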