Bug 2218098
| Field | Value |
|---|---|
| Summary | SELinux is preventing snapperd from 'read' accesses on the sock_file bus_0. |
| Product | Fedora |
| Component | selinux-policy |
| Version | 38 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | NEW |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Thomas <thomasgremmen> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, thomasgremmen, vmojzis, zpytela |
| Whiteboard | abrt_hash:00231d1ca08a781484de47765004dcdf7a11fb5771b5ba0f09889cae5f38bb26;VARIANT_ID=workstation; |
| Doc Type | If docs needed, set a value |
| Attachments | see below |
Created attachment 1972958 [details]
File: description
Created attachment 1972959 [details]
File: os_info

---

Hello,

Do you know at which moment this denial appears and which configuration change is needed? I cannot reproduce this problem.

---

(In reply to Zdenek Pytela from comment #3)
> Hello,
>
> Do you know at which moment this denial appears and which configuration
> change is needed? I cannot reproduce this problem.

Hi! I have Snapper configured to take a snapshot before and after I execute 'sudo dnf up'. I get this denial after I execute the upgrade command.

---

(In reply to Thomas from comment #4)
> (In reply to Zdenek Pytela from comment #3)
> > Hello,
> >
> > Do you know at which moment this denial appears and which configuration
> > change is needed? I cannot reproduce this problem.
>
> Hi! I have Snapper configured to take a snapshot before and after I execute
> 'sudo dnf up'. I get this denial after I execute the upgrade command.

Thank you. And what is the bus_0 file, how was it created?

---

Honestly, I have no idea. Do you know how I can find out?

Thank you.

---

With full auditing enabled:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
   -a task,never
3) Add the following line to the end of the file:
   -w /etc/shadow -p w
4) Restart the audit daemon:
   # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

we can gather more information, but I suppose the file usage is set somewhere in snapperd configuration.
Are there any logs in journal?

---

(In reply to Zdenek Pytela from comment #7)
> With full auditing enabled:
>
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
>    -a task,never
> 3) Add the following line to the end of the file:
>    -w /etc/shadow -p w
> 4) Restart the audit daemon:
>    # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>
> we can gather more information, but I suppose the file usage is set
> somewhere in snapperd configuration.
> Are there any logs in journal?

The logs have one entry when I search on bus_0:

```text
2023-06-28 08:45:58 ERR libsnapper(9224) XAttributes.cc(XAttributes):153 - Couldn't get xattributes names-list size. link: //.snapshots/2284/snapshot/root/.cache/at-spi/bus_0, error: Permission denied
```

The AVC denials after executing dnf up:

```text
----
type=PROCTITLE msg=audit(29/06/23 09:33:36.273:494) : proctitle=/usr/sbin/snapperd
type=PATH msg=audit(29/06/23 09:33:36.273:494) : item=0 name=bus_0 inode=3558541 dev=00:24 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:cache_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(29/06/23 09:33:36.273:494) : cwd=/
type=SYSCALL msg=audit(29/06/23 09:33:36.273:494) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xd a1=0x7f73a9bfc568 a2=O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=16924 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0 key=(null)
type=AVC msg=audit(29/06/23 09:33:36.273:494) : avc: denied { read } for pid=16924 comm=snapperd name=bus_0 dev="nvme1n1p2" ino=3558541 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0
```

---

Created attachment 1973392 [details]
Snapper cil module
Hi, can you please try to install this snapper cil module and rerun your scenario?
# semodule -i snapper.cil
Thank you,
Nikola

---

(In reply to Nikola Knazekova from comment #9)
> Created attachment 1973392 [details]
> Snapper cil module
>
> Hi, can you please try to install this snapper cil module and rerun your
> scenario?
>
> # semodule -i snapper.cil
>
> Thank you,
> Nikola

Hello,

When I try to click the link I get an error: "Sorry, you are not authorized to access attachment #1973392 [details]."

Thank you.

Best regards,
Thomas

---

(In reply to Nikola Knazekova from comment #9)
> Created attachment 1973392 [details]
> Snapper cil module
>
> Hi, can you please try to install this snapper cil module and rerun your
> scenario?
>
> # semodule -i snapper.cil
>
> Thank you,
> Nikola

Hello Nikola,

I installed the snapper cil module, but after running dnf up and installing the updates I still get the same AVC denial message.

Best regards,
Thomas

---

Can you please give me output of this?
semodule -lfull | grep snapper

---

Here you go:

```text
$ semodule -lfull | grep snapper
400 snapper     cil
300 my-snapperd pp
100 snapper     pp
```

---

(In reply to Nikola Knazekova from comment #12)
> Can you please give me output of this?
> semodule -lfull | grep snapper

---

Description of problem:
SELinux is preventing snapperd from 'read' accesses on the sock_file bus_0.

```text
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should be allowed read access on the bus_0 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp

Additional Information:
Source Context                system_u:system_r:snapperd_t:s0
Target Context                unconfined_u:object_r:cache_home_t:s0
Target Objects                bus_0 [ sock_file ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.17-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.17-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-06-28 08:45:58 CEST
Last Seen                     2023-06-28 08:45:58 CEST
Local ID                      e34e621c-e958-42aa-81ef-2b2f69e09db7

Raw Audit Messages
type=AVC msg=audit(1687934758.259:441): avc:  denied  { read } for  pid=9224 comm="snapperd" name="bus_0" dev="nvme0n1p2" ino=3558541 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0

Hash: snapperd,snapperd_t,cache_home_t,sock_file,read
```

Version-Release number of selected component:
selinux-policy-targeted-38.17-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing snapperd from 'read' accesses on the sock_file bus_0.
package:        selinux-policy-targeted-38.17-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.8-200.fc38.x86_64
component:      selinux-policy
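The report above and the `ausearch -i` output in the comments show the same denial in two textual forms (raw audit record vs. interpreted record). The following Python script is an added example for triaging such output; it is not part of this bug, of setroubleshoot, of audit2allow or of selinux-policy. It parses both AVC formats, groups denials by the same five fields setroubleshoot prints on its `Hash:` line (comm, source type, target type, class, permission), and renders the CIL `allow` rule that the access would require, so the rule can be read and reviewed before anything is installed with `semodule`. The sample lines are the two AVC records quoted in this bug plus one constructed non-AVC record that the parser must ignore; the function and variable names are this example's own.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample input (copied from this bug report): the raw AVC record
# from the setroubleshoot report, the interpreted record from `ausearch -i`,
# and one non-AVC record that must be skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1687934758.259:441): avc:  denied  { read } for  '
    'pid=9224 comm="snapperd" name="bus_0" dev="nvme0n1p2" ino=3558541 '
    'scontext=system_u:system_r:snapperd_t:s0 '
    'tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(29/06/23 09:33:36.273:494) : avc: denied { read } for '
    'pid=16924 comm=snapperd name=bus_0 dev="nvme1n1p2" ino=3558541 '
    'scontext=system_u:system_r:snapperd_t:s0 '
    'tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0',
    'type=CWD msg=audit(29/06/23 09:33:36.273:494) : cwd=/',
]

# "avc: denied { perm ... } for key=value ..." in both raw and interpreted form.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (raw form) or bare (interpreted form).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    comm: str
    source_type: str
    target_type: str
    tclass: str
    perm: str
    permissive: bool

    def hash_key(self) -> str:
        # Same five fields, in the same order, as setroubleshoot's "Hash:" line.
        return ','.join((self.comm, self.source_type, self.target_type, self.tclass, self.perm))

    def cil_allow_rule(self) -> str:
        # CIL syntax for the access rule this denial corresponds to.
        return f'(allow {self.source_type} {self.target_type} ({self.tclass} ({self.perm})))'


def _type_of(context: str) -> str:
    # An SELinux context is user:role:type[:range]; the type is the third field.
    return context.split(':')[2]


def parse_avc(line: str) -> list[Denial]:
    """Return one Denial per denied permission in an AVC record, else []."""
    m = AVC_RE.search(line)
    if m is None or m.group('result') != 'denied':
        return []
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return [
        Denial(
            comm=fields['comm'],
            source_type=_type_of(fields['scontext']),
            target_type=_type_of(fields['tcontext']),
            tclass=fields['tclass'],
            perm=perm,
            permissive=fields.get('permissive') == '1',
        )
        for perm in m.group('perms').split()
    ]


def summarize(lines) -> Counter:
    """Count identical denials across all records (the two records here collapse to one)."""
    counts: Counter = Counter()
    for line in lines:
        for denial in parse_avc(line):
            counts[denial] += 1
    return counts


def report(lines) -> str:
    out = []
    for denial, n in summarize(lines).items():
        out.append(f'{denial.hash_key()}  count={n}  enforced={not denial.permissive}')
        out.append('  ' + denial.cil_allow_rule())
    return '\n'.join(out)


if __name__ == '__main__':
    # Usage: python3 avc_triage.py [audit-file]; without a file the sample lines are used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_AUDIT_LINES
    print(report(lines))
```

Fed the `ausearch` output from comment #7, the script prints one line per distinct (domain, type, class, permission) tuple with how often it occurred, plus the matching CIL rule. That rule is the same access `audit2allow -M my-snapperd` encodes from the raw record; printing it separately lets the policy maintainer decide whether an `allow`, a `dontaudit`, or a different label for the file is the right answer instead of installing whatever the generator emits.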