Description of problem:
Trying to run 'sudo snapper -c home delete-config'.
SELinux is preventing snapperd from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep snapperd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue Oct 27
                              04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-11-18 10:45:02 ART
Last Seen                     2015-11-18 10:50:48 ART
Local ID                      8f75e8bd-9d17-4972-99f3-777d90f4f759

Raw Audit Messages
type=AVC msg=audit(1447854648.340:954): avc:  denied  { sys_admin } for  pid=14688 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Hash: snapperd,snapperd_t,snapperd_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Description of problem:
Deleting a snapshot with snapper delete fails because snapperd does not have the sys_admin capability. See the previous bug https://bugzilla.redhat.com/show_bug.cgi?id=1282836, where the dac_override capability was missing; that is fixed in Fedora 23 now, but the fix is incomplete as it doesn't cover all snapper commands.

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-301.fc23.x86_64
type:           libreport
Description of problem:
Attempted to delete a snapshot. Restoring the SELinux context of /.snapshots did not fix the issue.

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.7-300.fc23.x86_64
type:           libreport
Some more information I'd like to add to this ticket: when I try to run `snapper status 65..66` I get an SELinux AVC message with this information:

```
SELinux is preventing snapperd from using the fowner capability.
```

```
# ausearch -c 'snapperd' --raw | audit2allow

#============= snapperd_t ==============
allow snapperd_t NetworkManager_initrc_exec_t:lnk_file getattr;

#!!!! The file '/.snapshots/65/snapshot/etc/firewalld/firewalld.conf' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /.snapshots/65/snapshot/etc/firewalld/firewalld.conf
allow snapperd_t firewalld_etc_rw_t:lnk_file getattr;

#!!!! This avc is allowed in the current policy
allow snapperd_t self:capability sys_admin;
allow snapperd_t self:capability fowner;

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_dir_t:dir { rmdir create };

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_dir_t:file { rename write unlink create };

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_t:dir rmdir;

#!!!! This avc is allowed in the current policy
allow snapperd_t user_home_t:file unlink;
allow snapperd_t virt_etc_rw_t:lnk_file getattr;
```

```
Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          ---
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-158.15.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ---
Platform                      Linux --- 4.5.6-200.fc23.x86_64 #1 SMP Wed Jun 1
                              21:28:20 UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-06-16 12:12:21 IDT
Last Seen                     2016-06-16 13:44:51 IDT
Local ID                      db958b26-d230-4bbc-ae02-2773096d3b0f
```
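Added example, not part of the bug report and not code from snapper or selinux-policy: a small Python parser for raw AVC records like the one quoted in comment 1 (capability=21, sys_admin) and the ones behind the audit2allow output in the comment above (fowner is capability 3). It extracts source and target type, class and permissions, cross-checks the numeric `capability=` field against the permission name using the numbering from <linux/capability.h>, notes whether the denial was actually enforced (`permissive=0`) or only logged (`permissive=1`), and collapses the denials into allow rules in the form audit2allow prints, so one can see at a glance what a local module would grant before loading it. The sample records are constructed for this example: the first is copied from comment 1, the other two are made up to show a second capability and a permissive-mode hit.

```python
"""Summarise raw SELinux AVC records into candidate TE allow rules.

Added example; sample records below are constructed (the first one is the
record quoted in this bug, the other two are invented for illustration).
"""
import re
from collections import defaultdict

# Capability number -> SELinux permission name, from <linux/capability.h>.
# Class "capability" covers 0-31; 32 and above live in class "capability2".
CAPABILITIES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field (third component) of an SELinux context string."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one raw AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(record)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    parsed = {
        "verdict": verdict,
        "perms": perms.split(),
        "comm": fields.get("comm"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was only logged, not blocked
        "enforced": fields.get("permissive") == "0",
        "capability_name": None,
        "capability_mismatch": False,
    }
    if parsed["tclass"] == "capability" and "capability" in fields:
        name = CAPABILITIES.get(int(fields["capability"]))
        parsed["capability_name"] = name
        # the numeric capability and the permission name must agree
        parsed["capability_mismatch"] = name not in parsed["perms"]
    return parsed


def summarize(records):
    """Collapse denials into {(source_type, target, class): set(perms)}."""
    summary = defaultdict(set)
    for record in records:
        p = parse_avc(record)
        if p is None or p["verdict"] != "denied":
            continue
        # audit2allow writes "self" when source and target type are the same
        target = "self" if p["ttype"] == p["stype"] else p["ttype"]
        summary[(p["stype"], target, p["tclass"])].update(p["perms"])
    return summary


def render_rules(summary):
    """Render the summary as TE allow rules, one per (source, target, class)."""
    rules = []
    for (stype, target, tclass), perms in sorted(summary.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return rules


# Constructed sample input: record 1 is the AVC from this bug report,
# records 2 and 3 are made up here (a fowner denial and a permissive-mode hit).
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1447854648.340:954): avc:  denied  { sys_admin } for  pid=14688 '
    'comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=AVC msg=audit(1466071491.100:1201): avc:  denied  { fowner } for  pid=20111 '
    'comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=AVC msg=audit(1466071491.200:1202): avc:  denied  { rmdir } for  pid=20111 '
    'comm="snapperd" name="65" dev="dm-1" ino=1234 '
    'scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1',
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        p = parse_avc(rec)
        flag = "ENFORCED" if p["enforced"] else "permissive"
        print(f"{p['comm']}: {p['tclass']} {p['perms']} [{flag}]"
              + (" CAPABILITY MISMATCH" if p["capability_mismatch"] else ""))
    print()
    print("\n".join(render_rules(summarize(SAMPLE_RECORDS))))
```

Feed it the output of `ausearch -c snapperd --raw` instead of the sample list to get the same rule summary for a real machine. The point of the cross-check and the enforced flag is the caveat the setroubleshoot text hints at: `sys_admin` is one of the broadest capabilities, so a rule like `allow snapperd_t self:capability { fowner sys_admin };` should be read and understood before `semodule -i`, and the denial still reported against selinux-policy as this bug does.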
selinux-policy-3.13.1-158.20.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4c9c2badcb
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7bed6e7c72
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.