Description of problem: selinux denial notification during installation. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-202.fc25.noarch How reproducible: Always Steps to Reproduce: 1. Install Fedora-Workstation-Live-x86_64-Rawhide-20160718.n.0.iso 2. 3. Actual results: SELinux is preventing (ostnamed) from mounton access on the directory /dev. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /dev default label should be device_t. Then you can run restorecon. Do # /sbin/restorecon -v /dev ***** Plugin catchall_labels (5.21 confidence) suggests ******************* If you want to allow (ostnamed) to have mounton access on the dev directory Then you need to change the label on /dev Do # semanage fcontext -a -t FILE_TYPE '/dev' where FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t, audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t, binfmt_misc_fs_t, boot_t, capifs_t, cephfs_t, cgroup_t, cifs_t, container_image_t, debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t, efivarfs_t, fusefs_t, home_root_t, hugetlbfs_t, ifconfig_var_run_t, init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t, mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t, news_spool_t, nfs_t, nfsd_fs_t, onload_fs_t, openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t, proc_xen_t, pstore_t, public_content_rw_t, public_content_t, ramfs_t, random_seed_t, removable_t, root_t, rpc_pipefs_t, security_t, spufs_t, src_t, svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t, tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_var_lib_t. Then execute: restorecon -v '/dev' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that (ostnamed) should be allowed mounton access on the dev directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed # semodule -X 300 -i my-ostnamed.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /dev [ dir ] Source (ostnamed) Source Path (ostnamed) Port <Unknown> Host localhost Source RPM Packages Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-202.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost Platform Linux localhost 4.7.0-0.rc7.git3.1.fc25.x86_64 #1 SMP Fri Jul 15 21:02:08 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-07-30 13:45:53 EDT Last Seen 2016-07-30 17:36:10 EDT Local ID 5c469ffd-f455-4973-9298-1ad0151911b6 Raw Audit Messages type=AVC msg=audit(1469900753.454:224): avc: denied { mounton } for pid=15063 comm="(-localed)" path="/dev" dev="dm-0" ino=262657 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 Hash: (ostnamed),init_t,unlabeled_t,dir,mounton Expected results: No selinux denial during installation.
Created attachment 1185907 [details] journal snippet 2 Is 100% reproducible, happens when installer reports it's building the initramfs. There is an AVC denial in the log a few seconds before the setroubleshoot notice appears. It might be the actual culprit is the locale service. Jul 30 23:13:09 localhost dbus[977]: [system] Activating via systemd: service name='org.freedesktop.locale1' uni t='dbus-org.freedesktop.locale1.service' Jul 30 23:13:09 localhost systemd[1]: Starting Locale Service... Jul 30 23:13:09 localhost audit[14795]: AVC avc: denied { mounton } for pid=14795 comm="(-localed)" path="/de v" dev="dm-0" ino=262657 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=d ir permissive=1 Jul 30 23:13:09 localhost dbus[977]: [system] Successfully activated service 'org.freedesktop.locale1' Jul 30 23:13:09 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:syste m_r:init_t:s0 msg='unit=systemd-localed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal =? res=success' Jul 30 23:13:09 localhost systemd[1]: Started Locale Service.
This is still a problem with the most recent Fedora 25 workstation nightly, 20160909.n.0, which has selinux-policy-3.13.1-208.fc25.noarch. There is a notification in GNOME. SELinux is preventing (ostnamed) from mounton access on the directory /dev. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /dev default label should be device_t. Then you can run restorecon. Do # /sbin/restorecon -v /dev ***** Plugin catchall_labels (5.21 confidence) suggests ******************* If you want to allow (ostnamed) to have mounton access on the dev directory Then you need to change the label on /dev Do # semanage fcontext -a -t FILE_TYPE '/dev' where FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t, audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t, binfmt_misc_fs_t, boot_t, capifs_t, cephfs_t, cgroup_t, cifs_t, container_image_t, debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t, efivarfs_t, etc_t, fusefs_t, home_root_t, hugetlbfs_t, ifconfig_var_run_t, init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t, mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t, news_spool_t, nfs_t, nfsd_fs_t, onload_fs_t, openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t, proc_xen_t, pstore_t, public_content_rw_t, public_content_t, ramfs_t, random_seed_t, removable_t, root_t, rpc_pipefs_t, security_t, spufs_t, src_t, svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t, tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_var_lib_t. Then execute: restorecon -v '/dev' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that (ostnamed) should be allowed mounton access on the dev directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed # semodule -X 300 -i my-ostnamed.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /dev [ dir ] Source (ostnamed) Source Path (ostnamed) Port <Unknown> Host localhost Source RPM Packages Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-208.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.8.0-0.rc4.git0.1.fc25.x86_64 #1 SMP Mon Aug 29 19:28:01 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-09-10 00:30:29 EDT Last Seen 2016-09-09 20:30:47 EDT Local ID 174325d9-5477-4afb-a8c8-ef01d0306e63 Raw Audit Messages type=AVC msg=audit(1473467447.23:194): avc: denied { mounton } for pid=2056 comm="(-localed)" path="/dev" dev="dm-0" ino=262657 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 Hash: (ostnamed),init_t,unlabeled_t,dir,mounton
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Created attachment 1205681 [details] journal_20160927 Still a problem with Fedora-Workstation-Live-x86_64-25-20160927.n.0.iso Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-214.fc25.noarch Raw Audit Messages type=AVC msg=audit(1475096371.471:205): avc: denied { mounton } for pid=2243 comm="(ostnamed)" path="/dev" dev="dm-0" ino=262657 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Created attachment 1205683 [details] journal_20160927 full Replacing the partial log with full one because the AVC happens multiple times, and much earlier than in the supplied partial.
*** This bug has been marked as a duplicate of bug 1367292 ***