Description of problem:
Happened during a dnf update.
SELinux is preventing nfs-server-gene from 'read' accesses on the file export_features.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that nfs-server-gene should be allowed read access on the export_features file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nfs-server-gene' --raw | audit2allow -M my-nfsservergene
# semodule -X 300 -i my-nfsservergene.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:nfsd_fs_t:s0
Target Objects                export_features [ file ]
Source                        nfs-server-gene
Source Path                   nfs-server-gene
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.13.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.7-300.fc24.x86_64 #1 SMP Wed Aug 17 18:48:43 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-08-29 16:35:00 PDT
Last Seen                     2016-08-29 16:35:11 PDT
Local ID                      fbe7f255-528d-4cc6-bde9-9274a8aa1b7f

Raw Audit Messages
type=AVC msg=audit(1472513711.388:4041): avc: denied { read } for pid=14495 comm="nfs-server-gene" name="export_features" dev="nfsd" ino=3 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0

Hash: nfs-server-gene,init_t,nfsd_fs_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-191.13.fc24.noarch

Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.6.7-300.fc24.x86_64
type: libreport
Description of problem: dnf just upgraded nfs-utils.x86_64 1:1.3.4-1.rc2.fc24 Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.7-300.fc24.x86_64 type: libreport
Which rpm package does nfs-server-gene come from? Thanks.
rpm -qa --filesbypkg | grep nfs-server-gene
nfs-utils                 /usr/lib/systemd/system-generators/nfs-server-generator
rpm -q nfs-utils
nfs-utils-1.3.4-1.rc2.fc24.x86_64

Looks like information is getting truncated in the AVC.
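An added example, not part of the original thread: the `comm=` value in an AVC record is the kernel task name, which holds at most 15 bytes, so `nfs-server-generator` appears as `nfs-server-gene`. The sketch below parses the AVC record from the report, maps the truncated name back to packaged files by basename prefix rather than a substring grep, and renders the allow rule the denial corresponds to. The function names are hypothetical, and only the `nfs-utils` generator line of the file listing comes from the thread; the other two lines are constructed.

```python
import re

TASK_COMM_LEN = 16  # kernel buffer size incl. NUL, so comm= shows at most 15 bytes

# AVC record as quoted in the report above.
AVC = ('type=AVC msg=audit(1472513711.388:4041): avc: denied { read } for pid=14495 '
       'comm="nfs-server-gene" name="export_features" dev="nfsd" ino=3 '
       'scontext=system_u:system_r:init_t:s0 '
       'tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0')

# Constructed sample shaped like `rpm -qa --filesbypkg` output. Only the first
# line comes from the thread; the other two are made up for the example.
FILES_BY_PKG = """\
nfs-utils                 /usr/lib/systemd/system-generators/nfs-server-generator
nfs-utils                 /usr/sbin/nfsstat
example-docs              /usr/share/doc/nfs-server-gene/README
"""

def parse_avc(record):
    """Extract the fields needed to triage one AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}', record)
    if not m:
        raise ValueError('not an AVC record')
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    return {'result': m.group(1), 'perms': m.group(2).split(), 'comm': f['comm'],
            'name': f.get('name'), 'tclass': f['tclass'],
            'stype': f['scontext'].split(':')[2], 'ttype': f['tcontext'].split(':')[2],
            'comm_maybe_truncated': len(f['comm'].encode()) >= TASK_COMM_LEN - 1}

def candidates(comm, files_by_pkg):
    """Return (package, path) pairs whose basename, cut to 15 bytes, equals comm."""
    hits = []
    for line in files_by_pkg.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2: continue
        base = parts[1].strip().rsplit('/', 1)[-1].encode()
        if base[:TASK_COMM_LEN - 1] == comm.encode():
            hits.append((parts[0], parts[1].strip()))
    return hits

def te_rule(avc):
    """The allow rule this denial corresponds to, in policy-language form."""
    p = avc['perms']
    perms = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perms};"

if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(candidates(avc['comm'], FILES_BY_PKG), te_rule(avc))
```

A process can rename itself, so a `comm` match is a lead to confirm rather than proof of which binary ran. The rendered rule shows that a local module built from this denial would grant the read to everything running as `init_t`, not only to the generator.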
Description of problem: sudo dnf update Version-Release number of selected component: selinux-policy-3.13.1-191.13.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.7-300.fc24.x86_64 type: libreport
Description of problem: I don't know. Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.7-300.fc24.x86_64 type: libreport
Description of problem: $ sudo dnf update Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.7-300.fc24.x86_64 type: libreport
Description of problem: Was upgrading packages Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.4-301.fc24.x86_64 type: libreport
Description of problem: SELinux alert after yum update --refresh, most probably during last check phase (or clearing, not sure) Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Description of problem: I ran a system update, and the denial came up. This has been happening with every update for at least a week. Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Description of problem: running "dnf update" Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Please test:
# chcon -t nfsd_exec_t /usr/lib/systemd/system-generators/nfs-server-generator

and then try to reproduce the issue.

Thanks.
*** Bug 1372394 has been marked as a duplicate of this bug. ***
Description of problem: I ran the daily update, and got this alert somewhere in the process. Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport
Description of problem: Easiest to reproduce: install vagrant, edit config.vm.synced_folder to any synced folder, vagrant up. Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport
Description of problem: sudo dnf update Version-Release number of selected component: selinux-policy-3.13.1-191.16.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.4-200.fc24.x86_64 type: libreport
FWIW I believe my earlier assessment was wrong, it has nothing to do with vagrant, I just happened to be working on vagrant at the same time dnf was running. A later dnf update showed the same selinux warning.
I too initially suspected this denial was caused by use of Vagrant, for whatever it's worth. But it does seem to pop up whenever I dnf update.
Description of problem: sudo dnf update Version-Release number of selected component: selinux-policy-3.13.1-191.18.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.6-200.fc24.x86_64 type: libreport
Description of problem: Tried to mount an NFS share to a Vagrant box. Version-Release number of selected component: selinux-policy-3.13.1-191.18.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.7-200.fc24.x86_64 type: libreport
Description of problem: Every f24 update triggers this Version-Release number of selected component: selinux-policy-3.13.1-191.18.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.7-200.fc24.x86_64 type: libreport
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.