Hide Forgot
Version-Release number of selected component (if applicable): selinux-policy-3.13.1-158.11.fc23.noarch Description of problem: selinux-policy upgrade denies abrt-server access to /var/cache/dnf/*. To be honest, I'm not even sure how to categorise this one. After an upgrade--and reboot--dnf tool failed with error message (NOT RELATED TO THIS! bug 1327099 ). The abrt-server attempted to gather information, I guess, and setroubleshoot (which was ALSO upgraded at the same time as dnf) started showing denial errors in journal logs. The following text shows the updates of the selinux-related tools: ``` Upgraded selinux-policy-3.13.1-158.11.fc23.noarch @@commandline Upgrade 3.13.1-158.12.fc23.noarch @updates Upgraded selinux-policy-devel-3.13.1-158.11.fc23.noarch @@commandline Upgrade 3.13.1-158.12.fc23.noarch @updates Upgraded selinux-policy-doc-3.13.1-158.11.fc23.noarch @@commandline Upgrade 3.13.1-158.12.fc23.noarch @updates Upgraded selinux-policy-mls-3.13.1-158.11.fc23.noarch @@commandline Upgrade 3.13.1-158.12.fc23.noarch @updates Upgraded selinux-policy-sandbox-3.13.1-158.11.fc23.noarch @@commandline Upgrade 3.13.1-158.12.fc23.noarch @updates Upgraded selinux-policy-targeted-3.13.1-158.11.fc23.noarch @@commandline Upgrade 3.13.1-158.12.fc23.noarch @updates Upgraded setroubleshoot-3.3.4-1.fc23.i686 @@commandline Upgrade 3.3.5-2.fc23.i686 @updates Upgraded setroubleshoot-plugins-3.3.2-1.fc23.noarch @@commandline Upgrade 3.3.3-1.fc23.noarch @updates Upgraded setroubleshoot-server-3.3.4-1.fc23.i686 @@commandline Upgrade 3.3.5-2.fc23.i686 @updates ``` So, I'm not sure if this is due to - the updated selinux-related tools - the updated dnf-related packages (/var/cache/dnf/ subdirs) - wrong selinux labels on the directories ( var_cache_t ) ------------------------------------------------ The following text shows the relevant lines of text in the journal log: ``` Apr 14 04:20:58 babinkomp.airportx.lan audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? ter minal=? res=failed' Apr 14 04:20:59 babinkomp.airportx.lan python3[2964]: detected unhandled Python exception in '/usr/bin/dnf' Apr 14 04:20:59 babinkomp.airportx.lan dbus[767]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Apr 14 04:21:00 babinkomp.airportx.lan dbus[767]: [system] Successfully activated service 'org.freedesktop.problems' Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc: denied { read } for pid=2992 comm="find" name="repodata" dev="dm-0" ino=2093606 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass =dir permissive=0 Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc: denied { read } for pid=2992 comm="find" name="repodata" dev="dm-0" ino=2094591 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass =dir permissive=0 Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc: denied { read } for pid=2992 comm="find" name="repodata" dev="dm-0" ino=2093300 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass =dir permissive=0 Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc: denied { read } for pid=2992 comm="find" name="repodata" dev="dm-0" ino=2094237 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass =dir permissive=0 Apr 14 04:21:00 babinkomp.airportx.lan dbus[767]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-nonfree-updates-testing-6ba7c5eb0f1e12ff/repodata’: Permission denied Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata’: Permission denied Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-free-updates-testing-87b68c9319105f04/repodata’: Permission denied Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata’: Permission denied Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc: denied { read } for pid=2992 comm="find" name="repodata" dev="dm-0" ino=2093322 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass =dir permissive=0 Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc: denied { read } for pid=2992 comm="find" name="repodata" dev="dm-0" ino=2094410 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass =dir permissive=0 Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/updates-96b7b648a31a001b/repodata’: Permission denied Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata’: Permission denied Apr 14 04:21:01 babinkomp.airportx.lan dbus[767]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Apr 14 04:21:02 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-4a89-b0ee-c248c4576d60 Apr 14 04:21:02 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory repodata. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that find should be allowed read access on the repodata directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c find --raw | audit2allow -M mypol # semodule -i mypol.pp Apr 14 04:21:03 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata Apr 14 04:21:03 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata. For complete SELinux messages. run sealert -l e05c3860-a2 0b-4a89-b0ee-c248c4576d60 Apr 14 04:21:03 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that find should be allowed read access on the repodata directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c find --raw | audit2allow -M mypol # semodule -i mypol.pp Apr 14 04:21:03 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-4a89-b0ee-c248c4576d60 Apr 14 04:21:03 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory repodata. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that find should be allowed read access on the repodata directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c find --raw | audit2allow -M mypol # semodule -i mypol.pp Apr 14 04:21:04 babinkomp.airportx.lan python3[2964]: communication with ABRT daemon failed: timed out Apr 14 04:21:06 babinkomp.airportx.lan sedispatch[759]: timeout flush Apr 14 04:21:06 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata Apr 14 04:21:07 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata. For complete SELinux messages. run sealert -l e05c3860-a20 b-4a89-b0ee-c248c4576d60 Apr 14 04:21:07 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that find should be allowed read access on the repodata directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c find --raw | audit2allow -M mypol # semodule -i mypol.pp Apr 14 04:21:09 babinkomp.airportx.lan sedispatch[759]: timeout flush Apr 14 04:21:10 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/updates-96b7b648a31a001b/repodata Apr 14 04:21:10 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/updates-96b7b648a31a001b/repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-4a89-b0 ee-c248c4576d60 Apr 14 04:21:10 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/updates-96b7b648a31a001b/repodata. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that find should be allowed read access on the repodata directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c find --raw | audit2allow -M mypol # semodule -i mypol.pp Apr 14 04:21:10 babinkomp.airportx.lan abrt-server[2969]: cp: cannot stat ‘/var/log/dnf.transaction.log’: No such file or directory Apr 14 04:21:13 babinkomp.airportx.lan sedispatch[759]: timeout flush Apr 14 04:21:13 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata Apr 14 04:21:13 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata. For complete SELinux messages. run sealert -l e05c3860-a20b- 4a89-b0ee-c248c4576d60 Apr 14 04:21:13 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that find should be allowed read access on the repodata directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c find --raw | audit2allow -M mypol # semodule -i mypol.pp
Sorry, I mistakenly stated that fcontext was "var_cache_t" instead of "rpm_var_cache_t". The following is a list of the SELinux labels for the existing directories and files in "/var/cache/dnf/.": ``` unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 unconfined_u:object_r:rpm_var_cache_t:s0 system_u:object_r:rpm_var_cache_t:s0 ```
Ok so /var/cache/dnf is labeled correctly, right?
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Hi, This was a while ago, but I did provide the file context SELinux labels in my previous comments. Based on that information, you can see that they were, indeed, labelled correctly.
Additionally, I'd like to point out that I ended up resolving this issue, though, due to the age of this report, I am not sure how I had done that. Once again, based on the context labels in Comment 1, it appears that the complaints were showing **MLS** labelled files/directories; and `selinux-policy-targeted` as well as `selinux-policy-mls` were installed. At this time, the following SELinux labels are on the same system where the issue was reported and resolved (somehow). ~~~ [09:11][1005]# ls -alhZ /var/cache/dnf/updates-96b7b648a31a001b/ total 48K drwxr-xr-x. 4 root root unconfined_u:object_r:rpm_var_cache_t:s0 4.0K Nov 7 00:51 . drwxr-xr-x. 22 root root system_u:object_r:rpm_var_cache_t:s0 4.0K Nov 7 09:11 .. -rw-r--r--. 1 root root system_u:object_r:rpm_tmp_t:s0 7.8K Nov 7 00:51 metalink.xml drwxr-xr-x. 2 root root unconfined_u:object_r:rpm_var_cache_t:s0 24K Oct 7 12:39 packages drwxr-xr-x. 2 root root system_u:object_r:rpm_tmp_t:s0 4.0K Nov 7 00:51 repodata ~~~
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.