Description of problem: SELinux is preventing hpcups-update-p from 'create' accesses on the file 1. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that hpcups-update-p should be allowed create access on the 1 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'hpcups-update-p' --raw | audit2allow -M my-hpcupsupdatep # semodule -X 300 -i my-hpcupsupdatep.pp Additional Information: Source Context unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1 023 Target Context unconfined_u:object_r:rpm_script_t:s0 Target Objects 1 [ file ] Source hpcups-update-p Source Path hpcups-update-p Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.14.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-09-06 09:09:22 CEST Last Seen 2016-09-06 09:09:22 CEST Local ID 257f25dc-1999-4d6a-9227-29358167458a Raw Audit Messages type=AVC msg=audit(1473145762.305:2037): avc: denied { create } for pid=23432 comm="hpcups-update-p" name="1" scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_t:s0 tclass=file permissive=0 Hash: hpcups-update-p,rpm_script_t,rpm_script_t,file,create Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Got this alert right after updating F24. ========================================================================================================= Package Arch Version Repository Size ========================================================================================================= Upgrading: hplip x86_64 3.16.8-2.fc24 updates 12 M hplip-common x86_64 3.16.8-2.fc24 updates 101 k hplip-libs x86_64 3.16.8-2.fc24 updates 190 k libsane-hpaio x86_64 3.16.8-2.fc24 updates 119 k setroubleshoot x86_64 3.3.11-1.fc24 updates 136 k setroubleshoot-plugins noarch 3.3.6-1.fc24 updates 362 k setroubleshoot-server x86_64 3.3.11-1.fc24 updates 391 k -------------------------------------------------------- SELinux is preventing hpcups-update-p from 'create' accesses on the file 1. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that hpcups-update-p should be allowed create access on the 1 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'hpcups-update-p' --raw | audit2allow -M my-hpcupsupdatep # semodule -X 300 -i my-hpcupsupdatep.pp Additional Information: Source Context unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1 023 Target Context unconfined_u:object_r:rpm_script_t:s0 Target Objects 1 [ file ] Source hpcups-update-p Source Path hpcups-update-p Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.14.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-09-06 08:13:16 BRT Last Seen 2016-09-06 08:13:18 BRT Local ID 0b384b1e-f186-4c4a-ae90-c0c17e9a094c Raw Audit Messages type=AVC msg=audit(1473160398.48:356): avc: denied { create } for pid=6599 comm="hpcups-update-p" name="1" scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_t:s0 tclass=file permissive=0 Hash: hpcups-update-p,rpm_script_t,rpm_script_t,file,create
This looks like the same problem we are seeing with chrome. I think we should just add a dontaudit that does dontaudit domain self:file create; And be done with it.
BTW I don't believe anything is being blocked here. The kernel is checking for a create access on /proc, where no processes are allowed to create files. The process does not fail because the file already exists.
Description of problem: This seemed to occure after updating hplip from hplip-3.16.7-2.fc24.x86_64 to hplip-3.16.8-2.fc24.x86_64 using DNF Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Description of problem: After starting of google-chrome. Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64+debug type: libreport
Description of problem: Ran "sudo dnf update -y" SELinux alerted during update process. Update process finished without errors. Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Description of problem: Some update to the HP-CUPS utility I suppose... Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64+debug type: libreport
Description of problem: I opened the Chrome browser on Fedora 24. Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
Description of problem: I was updating my Fedora 24 system. Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.2-201.fc24.x86_64 type: libreport
selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: Did a dnf update, hplip was in it. And the selinux-targeted, was also marked for upgrade, but done after the hplip. Maybe, dnf should always upgrade selinux, before any other package. Policy could have been updated after the hplip update. not sure. Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch selinux-policy-3.13.1-191.18.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport