Bug 2185385

Summary: SELinux is preventing (sd-parse-elf) from access mounton in directory /.
Product: [Fedora] Fedora
Reporter: Jakub Jankiewicz <jcubic>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: medium
Version: 37
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-37.20-1.fc37
Last Closed: 2023-05-10 01:40:29 UTC
Type: Bug

Description Jakub Jankiewicz 2023-04-08 18:58:55 UTC
Description of problem:

Got this error from SELinux:

SELinux powstrzymuje (sd-parse-elf) przed dostępem mounton w katalog /.

*****  Wtyczka catchall_labels (83.8 zaufania) sugeruje   ********************

Aby zezwolić (sd-parse-elf) na dostęp mounton w  directory
Wtedy należy zmienić etykietę /
Wykonać
# semanage fcontext -a -t TYP_PLIKU '/',
gdzie TYP_PLIKU jest jednym z poniższych: root_t.
Następnie należy wykonać polecenie:
restorecon -v '/'


*****  Wtyczka catchall (17.1 zaufania) sugeruje   ***************************

Aby (sd-parse-elf) powinno mieć domyślnie mounton dostęp do  directory.
Wtedy proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Wykonać
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c '(sd-parse-elf)' --raw | audit2allow -M my-sdparseelf
# semodule -X 300 -i my-sdparseelf.pp

Dodatkowe informacje:
Kontekst źródłowy             system_u:system_r:systemd_coredump_t:s0
Kontekst docelowy             system_u:object_r:usr_t:s0
Obiekty docelowe              / [ dir ]
Źródło                        (sd-parse-elf)
Ścieżka źródłowa              (sd-parse-elf)
Port                          <Nieznane>
Komputer                      jcubic
Źródłowe pakiety RPM          
Docelowe pakiety RPM          
Pakiet RPM polityki SELinuksa selinux-policy-targeted-37.19-1.fc37.noarch
Lokalny pakiet RPM polityki   selinux-policy-targeted-37.19-1.fc37.noarch
SELinux jest włączony         True
Typ polityki                  targeted
Tryb wymuszania               Permissive
Nazwa komputera               jcubic
Platforma                     Linux jcubic 6.1.14-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Feb 26 00:13:26 UTC 2023
                              x86_64 x86_64
Liczba alarmów                2
Po raz pierwszy               2023-04-06 00:36:43 CEST
Po raz ostatni                2023-04-08 16:53:23 CEST
Lokalny identyfikator         28646be9-998e-4dbf-a857-6bcfbeba344b

Surowe komunikaty audytu
type=AVC msg=audit(1680965603.852:5360): avc:  denied  { mounton } for  pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1


Hash: (sd-parse-elf),systemd_coredump_t,usr_t,dir,mounton

Sorry, I don't know how to get the English version of that output; it's from the TroubleShooter GUI and localized to Polish.
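
Added example, not part of the original report and not setroubleshoot's own code: the raw AVC record above carries the same fields in language-independent form, so it can be triaged without the localized GUI text. The sketch parses that record, rebuilds the tuple shown on the report's Hash line, and reports whether the denial was actually enforced. The function names `parse_avc` and `signature` are hypothetical.

```python
import re

# Raw AVC record copied verbatim from the report above.
AVC_LINE = (
    'type=AVC msg=audit(1680965603.852:5360): avc:  denied  { mounton } for  '
    'pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 '
    'scontext=system_u:system_r:systemd_coredump_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1'
)

HEADER = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or run to the next space.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one kernel AVC audit record into a dict; None if it is not one."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {
        'epoch': float(m['epoch']),
        'serial': int(m['serial']),
        'verdict': m['verdict'],
        'perms': m['perms'].split(),
    }
    for key, value in FIELD.findall(m['rest']):
        rec[key] = value.strip('"')
    # Context is user:role:type[:level]; the level may contain ':' itself
    # (e.g. s0:c1,c2), so split at most three times.
    for ctx in ('scontext', 'tcontext'):
        parts = rec.get(ctx, '').split(':', 3)
        rec[ctx + '_type'] = parts[2] if len(parts) >= 3 else None
    # permissive=1 means the access was logged but not blocked.
    rec['enforced'] = rec['verdict'] == 'denied' and rec.get('permissive') == '0'
    return rec


def signature(rec):
    """Same tuple as the report's Hash line: comm, source type, target type, class, perms."""
    return ','.join([rec['comm'], rec['scontext_type'], rec['tcontext_type'],
                     rec['tclass'], *rec['perms']])
```

For the record in this report, `enforced` is false, which matches the "Permissive" enforcing mode listed in the additional information.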

Comment 1 Fedora Update System 2023-04-26 19:55:05 UTC
FEDORA-2023-13093d1386 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-13093d1386

Comment 2 Fedora Update System 2023-04-27 01:40:10 UTC
FEDORA-2023-13093d1386 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-13093d1386`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-13093d1386

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Jakub Jankiewicz 2023-05-08 09:23:25 UTC
Just got this warning again, I'm not sure if this is the real cause, but I connected the USB pen drive (32GB).
I'm not sure if this is important, but here are all the steps I did:
Mount using XFce disk panel widget (I think it's called Places because it's translated to miejsca)
I did this two times before it finished, so I got the error that the process is in progress
Somewhere in between I got the SELinux warning.

I also mounted the same pendrive a few minutes before that, because I needed to move a PDF to another computer with Windows.
And I didn't get the same error back then. I only have one warning in the SELinux alarm browser.

Comment 4 Fedora Update System 2023-05-10 01:40:29 UTC
FEDORA-2023-13093d1386 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.