Bug 2219542

Summary: SELinux is preventing /usr/bin/fwupdmgr from map access on the file /root/.cache/dconf/user.
Product: Red Hat Enterprise Linux 9 Reporter: Joerg <jkastnin>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 9.2CC: lvrabec, mmalik, rhughes, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-14 08:12:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joerg 2023-07-04 08:51:22 UTC 
Description of problem:
Every night when the `fwupdagent` runs it produces the log entry shown in the summary of this BZ. The complete sealert message is:

~~~
$ sudo sealert -l 41fff8c8-5296-4fdc-80ee-3276cb55142b
SELinux is preventing /usr/bin/fwupdmgr from map access on the file /root/.cache/dconf/user.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that fwupdmgr should be allowed map access on the user file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fwupdagent' --raw | audit2allow -M my-fwupdagent
# semodule -X 300 -i my-fwupdagent.pp


Additional Information:
Source Context                system_u:system_r:insights_client_t:s0
Target Context                system_u:object_r:cache_home_t:s0
Target Objects                /root/.cache/dconf/user [ file ]
Source                        fwupdagent
Source Path                   /usr/bin/fwupdmgr
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           fwupd-1.8.10-2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Local Policy RPM              selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com 5.14.0-284.18.1.el9_2.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023
                              x86_64 x86_64
Alert Count                   39
First Seen                    2023-04-26 02:08:13 CEST
Last Seen                     2023-07-04 03:14:11 CEST
Local ID                      41fff8c8-5296-4fdc-80ee-3276cb55142b

Raw Audit Messages
type=AVC msg=audit(1688433251.557:834): avc:  denied  { map } for  pid=33387 comm="fwupdagent" path="/root/.cache/dconf/user" dev="dm-1" ino=1310729 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1688433251.557:834): arch=x86_64 syscall=mmap success=yes exit=140588147630080 a0=0 a1=1 a2=1 a3=1 items=0 ppid=33386 pid=33387 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fwupdagent exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_client_t:s0 key=(null)

Hash: fwupdagent,insights_client_t,cache_home_t,file,map
~~~

I checked with the upstream project of fwupd and they can reproduce it and are sure this is a bug as fwupdmgr should be allowed map access on the user file by default.

Version-Release number of selected component (if applicable):
Source RPM Packages: fwupd-1.8.10-2.el9.x86_64
SELinux Policy RPM: selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Local Policy RPM: selinux-policy-targeted-38.1.11-2.el9_2.3.noarch

How reproducible:

Recurs every night when the fwupdagent runs.

Actual results:
Entry in journalctl:
SELinux is preventing /usr/bin/fwupdmgr from map access on the file /root/.cache/dconf/user.

Expected results:
fwupdmgr should be allowed map access on the user file by default.

Additional info:
Link to upstream discussion: https://github.com/fwupd/fwupd/discussions/5962
Comment 1 Nikola Knazekova 2023-07-07 16:31:06 UTC 
PR: https://github.com/fedora-selinux/selinux-policy/pull/1774
Comment 2 Milos Malik 2023-07-13 10:05:04 UTC 
# rpm -qa selinux\*
selinux-policy-38.1.17-1.el9.noarch
selinux-policy-targeted-38.1.17-1.el9.noarch
# matchpathcon /root/.cache/dconf/user
/root/.cache/dconf/user	system_u:object_r:cache_home_t:s0
# sesearch -s insights_client_t -t cache_home_t -c file -p map -A
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow insights_client_t non_security_file_type:file { ioctl lock map open read };
#

The issue seems to be fixed already.
Comment 3 Zdenek Pytela 2023-07-13 10:59:45 UTC 
Seems to be resolved as a part of
https://bugzilla.redhat.com/show_bug.cgi?id=2214581
Comment 4 Zdenek Pytela 2023-07-14 08:12:27 UTC 

*** This bug has been marked as a duplicate of bug 2214581 ***