Description of problem: While following the suggestions from "SELinux Alert Browser" I get an error at the `semodule` invocation step.

Version-Release number of selected component (if applicable):
```
rpm -qa | ag policycoreutils
policycoreutils-python-utils-2.5-17.fc25.x86_64
policycoreutils-devel-2.5-17.fc25.x86_64
policycoreutils-python3-2.5-17.fc25.x86_64
policycoreutils-2.5-17.fc25.x86_64
policycoreutils-python-2.5-17.fc25.x86_64
policycoreutils-gui-2.5-17.fc25.x86_64
```

How reproducible:

Steps to Reproduce:
1. SELinux is preventing gnome-shell from read access on the lnk_file /data/software/ext/idea.
2.
```
sudo ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
[sudo] password for pantinor:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-gnomeshell.pp
```
3.
```
sudo semodule -X 300 -i my-gnomeshell.pp
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:152
semodule: Failed!
```

Actual results:

Expected results:

Additional info: I can't find `/var/lib/selinux/targeted/tmp/modules/100/virt/cil`, which I was hoping to attach. Is there a way to keep this temporary file so it can be inspected?
The temporary file itself probably can't be inspected, but you can inspect an active module in the /var/lib/selinux/targeted/active/modules/ directory - /var/lib/selinux/targeted/tmp/modules/100/virt/cil

For a better understanding of the problem, please provide the output of `sudo ausearch -c 'gnome-shell' --raw`.

These kinds of problems are usually seen in combination with an out-of-date container-selinux (formerly the docker-selinux package).
Hi, thanks for helping.
```
sudo ausearch -c 'gnome-shell' --raw | tail
type=AVC msg=audit(1480496220.412:373): avc: denied { read } for pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496220.339:372): avc: denied { read } for pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496397.723:222): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.331:318): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.368:319): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.468:320): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.491:321): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496773.968:326): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496773.933:325): avc: denied { read } for pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496923.028:183): avc: denied { read } for pid=1722 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
```
Regarding the package update, I currently have no updates listed in `dnf`, and I performed a full filesystem relabelling just after upgrading to F25.
We faced a similar issue before. It was fixed by removing a duplicate boolean declaration in the docker policy. The docker policy is shipped by docker. Guys, could you check whether you declare virt_sandbox_use_fusefs in the docker policy? Thanks, Lukas.
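To locate which installed modules declare the boolean named in the `semodule` error, here is an added shell check; it is not part of the bug report or of any Fedora tooling. It assumes the module store layout `/var/lib/selinux/targeted/active/modules/<priority>/<module>/cil` mentioned above, with each stored cil file either plain text or bzip2-compressed, and the module and boolean names in the comments are only illustrative.

```shell
#!/bin/sh
# Added example: find every stored SELinux module that declares a given
# boolean, so a "Re-declaration of boolean X" failure from semodule can be
# traced to the two modules that both carry "(boolean X ...)".
# Assumed store layout: STORE/<priority>/<module>/cil (e.g. 100/virt/cil),
# where a cil file may be plain CIL text or bzip2-compressed.

# Print the CIL text of a stored module, decompressing when the file
# starts with the bzip2 magic "BZh".
cil_text() {
    if [ "$(head -c 3 "$1" 2>/dev/null)" = "BZh" ]; then
        bzcat "$1"
    else
        cat "$1"
    fi
}

# find_boolean_decls BOOL [STORE]
# Prints "<priority> <module>" for every module whose CIL declares BOOL.
find_boolean_decls() {
    bool=$1
    store=${2:-/var/lib/selinux/targeted/active/modules}
    for cil in "$store"/*/*/cil; do
        [ -f "$cil" ] || continue
        # A CIL boolean declaration looks like: (boolean virt_sandbox_use_fusefs false)
        if cil_text "$cil" | grep -Eq "^[[:space:]]*\(boolean[[:space:]]+$bool[[:space:]]"; then
            mod=$(basename "$(dirname "$cil")")
            prio=$(basename "$(dirname "$(dirname "$cil")")")
            printf '%s %s\n' "$prio" "$mod"
        fi
    done
}

# count_boolean_decls BOOL [STORE]
# 0 = not declared, 1 = a single owner, >1 = the conflict semodule rejects.
count_boolean_decls() {
    find_boolean_decls "$1" "$2" | wc -l | tr -d ' '
}
```

Run `find_boolean_decls virt_sandbox_use_fusefs` on the affected host: two or more output lines mean a duplicate declaration, and the priority column shows which store level each copy came from.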
`yum update docker-selinux` or `container-selinux`.
Thank you Dan, that worked. Apparently I was on docker-engine-selinux from the VirtualBox repo (http://public-yum.oracle.com/repo/OracleLinux/OL7/addons/$basearch/).

This fixed the issue:
```
sudo dnf install container-selinux --allowerasing
...
Installing:
 container-selinux        x86_64   2:1.12.3-10.git7b5044b.fc25   updates       81 k
Removing:
 docker-engine-selinux    noarch   1.12.2-1.0.1.el7              @VirtualBox   48 k
...
```
Yes, please use the distro's version of docker and the docker/container-selinux packages.