Description of problem:
Strange. It looks more like a bug of logwatch than a bug of the SELinux policy. Why would logwatch want to run `df` on `/run`?!

SELinux is preventing df from 'getattr' accesses on the file /run/docker/netns/a154e3251d7c.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that df should be allowed getattr access on the a154e3251d7c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'df' --raw | audit2allow -M my-df
# semodule -X 300 -i my-df.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nsfs_t:s0
Target Objects                /run/docker/netns/a154e3251d7c [ file ]
Source                        df
Source Path                   df
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.21.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.8-200.fc24.x86_64 #1 SMP Tue Nov 15 19:41:51 UTC 2016 x86_64 x86_64
Alert Count                   6
First Seen                    2016-11-26 03:10:16 CET
Last Seen                     2016-11-28 03:15:36 CET
Local ID                      eabce3a4-bad6-4f11-8509-a2c5db4986a7

Raw Audit Messages
type=AVC msg=audit(1480299336.798:5646): avc: denied { getattr } for pid=41518 comm="df" path="/run/docker/netns/a154e3251d7c" dev="nsfs" ino=4026532779 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Hash: df,logwatch_t,nsfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-191.21.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.8-200.fc24.x86_64
type:           libreport
Logwatch is just running df. df is looking at all mounted file systems, which is why you see this AVC. It can be safely ignored, but we should add a dontaudit for it.
selinux-policy-3.13.1-191.23.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33
selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33
selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
I am hitting this in Fedora 31 with a generic network namespace I created (i.e. logwatch spawned df which is denied getattr on /run/netns/mynetns). Was the dontaudit specifically for the docker path or more generally for network namespaces? Perhaps I am hitting a regression in the targeted policy?