Bug 2385328

Summary: SELinux is preventing switcheroo-cont from 'getattr' accesses on the filesystem /dev/shm.
Product: [Fedora] Fedora Reporter: marek77 <marek.schimara>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 42CC: dwalsh, jjanasek, lvrabec, marek.schimara, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---Flags: zpytela: mirror+
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:cb38ea6048d5e0a18eefa98247bfe8b08e7309033fe9a631df1f5cc659a0939d;VARIANT_ID=;
Fixed In Version: selinux-policy-42.7-1.fc42 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-09-01 00:50:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: os_info
none
File: description none

Description marek77 2025-07-31 06:38:33 UTC 
Description of problem:
SELinux is preventing switcheroo-cont from 'getattr' accesses on the filesystem /dev/shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that switcheroo-cont should be allowed getattr access on the shm filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'switcheroo-cont' --raw | audit2allow -M my-switcheroocont
# semodule -X 300 -i my-switcheroocont.pp

Additional Information:
Source Context                system_u:system_r:switcheroo_control_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm [ filesystem ]
Source                        switcheroo-cont
Source Path                   switcheroo-cont
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.2-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-42.2-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.15.8-200.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 24 13:26:52 UTC 2025
                              x86_64
Alert Count                   6
First Seen                    2025-07-30 15:42:02 CEST
Last Seen                     2025-07-31 08:37:22 CEST
Local ID                      829422cb-9aed-427d-9f86-654a58840843

Raw Audit Messages
type=AVC msg=audit(1753943842.431:76351): avc:  denied  { getattr } for  pid=1134 comm="switcheroo-cont" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:switcheroo_control_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1


Hash: switcheroo-cont,switcheroo_control_t,tmpfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-42.2-1.fc42.noarch

Additional info:
reporter:       libreport-2.17.15
component:      selinux-policy
type:           libreport
hashmarkername: setroubleshoot
package:        selinux-policy-targeted-42.2-1.fc42.noarch
kernel:         6.15.8-200.fc42.x86_64
reason:         SELinux is preventing switcheroo-cont from 'getattr' accesses on the filesystem /dev/shm.
component:      selinux-policy
Comment 1 marek77 2025-07-31 06:38:35 UTC 
Created attachment 2100968 [details]
File: os_info
Comment 2 marek77 2025-07-31 06:38:36 UTC 
Created attachment 2100969 [details]
File: description
Comment 3 Zdenek Pytela 2025-07-31 07:11:28 UTC 
Hello,

Is there any configuration change needed to trigger this denial?
Can you set your system to permissive mode and try again to collect all denials?

setenforce 0
Comment 4 marek77 2025-07-31 07:16:54 UTC 
Hi, I'm not aware of any changes apart from regular dnf updates. I started reporting these as I'm getting some unrelated AVC denials due to installing of an antivirus (this is my company laptop). I was mostly ignoring them before..
I'll try with permissive settings.
Comment 5 marek77 2025-07-31 12:07:28 UTC 
It happened again in Permissive mode:

SELinux is preventing switcheroo-cont from getattr access on the filesystem /dev/shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that switcheroo-cont should be allowed getattr access on the shm filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'switcheroo-cont' --raw | audit2allow -M my-switcheroocont
# semodule -X 300 -i my-switcheroocont.pp

Additional Information:
Source Context                system_u:system_r:switcheroo_control_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm [ filesystem ]
Source                        switcheroo-cont
Source Path                   switcheroo-cont
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.2-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-42.2-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora
Platform                      Linux fedora 6.15.8-200.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 24 13:26:52 UTC 2025
                              x86_64
Alert Count                   9
First Seen                    2025-07-30 15:42:02 CEST
Last Seen                     2025-07-31 14:06:06 CEST
Local ID                      829422cb-9aed-427d-9f86-654a58840843

Raw Audit Messages
type=AVC msg=audit(1753963566.784:87862): avc:  denied  { getattr } for  pid=1134 comm="switcheroo-cont" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:switcheroo_control_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1


Hash: switcheroo-cont,switcheroo_control_t,tmpfs_t,filesystem,getattr
Comment 6 Fedora Update System 2025-08-29 12:09:19 UTC 
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5
Comment 7 Fedora Update System 2025-08-30 02:01:23 UTC 
FEDORA-2025-7a468a12c5 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7a468a12c5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2025-09-01 00:50:38 UTC 
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.