Description of problem:
SELinux is preventing (ostnamed) from 'mounton' accesses on the file /proc/mtrr.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (ostnamed) should be allowed mounton access on the mtrr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:mtrr_device_t:s0
Target Objects                /proc/mtrr [ file ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-231.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.10.0-0.rc2.git4.1.fc26.x86_64 #1 SMP Fri Jan 6 19:24:42 UTC 2017 x86_64 x86_64
Alert Count                   4
First Seen                    2017-01-09 09:44:36 EST
Last Seen                     2017-01-09 09:45:49 EST
Local ID                      98f33645-99cc-46e9-a604-8aa67858db62

Raw Audit Messages
type=AVC msg=audit(1483973149.942:254): avc: denied { mounton } for pid=2101 comm="(-localed)" path="/proc/mtrr" dev="proc" ino=4026531961 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1

Hash: (ostnamed),init_t,mtrr_device_t,file,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-231.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc2.git4.1.fc26.x86_64
type:           libreport
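An added example (not part of this bug report or of the selinux-policy project) that parses raw AVC records like the one quoted in the report above and groups them by the same five fields setroubleshoot prints on its "Hash" line (comm, source type, target type, object class, permission), recording whether any instance was actually blocked (permissive=0). The first two sample records are the ones quoted in this bug; the third is constructed so the grouping has a second key to separate.

```python
"""Parse raw SELinux AVC records and group them like setroubleshoot's 'Hash' line."""
import re
from collections import defaultdict

# Constructed sample: two AVC records quoted in this bug report plus one made-up
# denial from a different domain (example_t) to show grouping across keys.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1483973149.942:254): avc: denied { mounton } for pid=2101 comm="(-localed)" path="/proc/mtrr" dev="proc" ino=4026531961 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1488427435.601:2457): avc: denied { mounton } for pid=23675 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531961 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=0
type=AVC msg=audit(1488427436.000:2458): avc: denied { read write } for pid=2200 comm="example" path="/dev/mtrr" dev="devtmpfs" ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for (?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()   # one AVC may list several permissions
    rec['result'] = m.group('result')
    # The third component of a security context is the type (init_t, mtrr_device_t).
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['enforced'] = rec.get('permissive') == '0'   # 0 = access was really blocked
    return rec

def denial_key(rec, perm):
    """Grouping key in the layout of setroubleshoot's 'Hash' line."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], perm])

def group_denials(text):
    """Count denials per key; 'enforced' is True if any instance was blocked."""
    groups = defaultdict(lambda: {'count': 0, 'enforced': False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            g = groups[denial_key(rec, perm)]
            g['count'] += 1
            g['enforced'] |= rec['enforced']
    return dict(groups)
```

Feed it the output of `ausearch -m avc --raw` to see which distinct denials a system has logged and which of them were enforced rather than merely audited in permissive mode.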
Description of problem:
I updated to Rawhide today and logging in to GNOME Session (Wayland or X11) would just hang. Setting SELinux to permissive mode allowed me to log in successfully.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git1.1.fc26.x86_64
type:           libreport
Description of problem:
Just brought up this Rawhide instance (VM) after an extensive dnf upgrade, no idea if this access behaviour is valid or not!

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc4.git2.1.fc26.x86_64
type:           libreport
Description of problem:
I just opened gnome-tweak-tool after upgrading to fedora 26 using fedora-upgrade...

Version-Release number of selected component:
selinux-policy-3.13.1-235.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc5.git1.1.fc26.x86_64
type:           libreport
*** Bug 1417368 has been marked as a duplicate of this bug. ***
OK> Exactly how is this not an Alpha blocker? This issue prevents fedora26 being at all usable unless you either disable selinux entirely, change it to permissive or install local override policy.
Could you please try this issue with: https://koji.fedoraproject.org/koji/buildinfo?buildID=837901 Thank you.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
(In reply to Lukas Vrabec from comment #6)
> Could you please try this issue with:
> https://koji.fedoraproject.org/koji/buildinfo?buildID=837901
>

Still happening in a later version:

[root@omiday ~]# rpm -qa --last selinux-policy
selinux-policy-3.13.1-241.fc26.noarch         Wed 22 Feb 2017 12:14:33 PM MST
[root@omiday ~]# ausearch -m avc -ts today -c ostnamed
----
time->Wed Mar 1 21:03:55 2017
type=AVC msg=audit(1488427435.601:2457): avc: denied { mounton } for pid=23675 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531961 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=0
Description of problem:
Starting the session

Version-Release number of selected component:
selinux-policy-3.13.1-241.fc26.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc0.git5.1.fc26.x86_64
type:           libreport
Yeah, I'm still seeing this on my own box, and all openQA tests still run into it all the time. Bill: the denial doesn't have any immediately obvious consequences, for me; how is it 'preventing fedora26 being at all usable' for you? It is at least a clear Final blocker, though, per "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." - this shows up as an AVC notification on the desktop.
(In reply to Adam Williamson from comment #10)
> Yeah, I'm still seeing this on my own box, and all openQA tests still run
> into it all the time.
>
> Bill: the denial doesn't have any immediately obvious consequences, for me;
> how is it 'preventing fedora26 being at all usable' for you?

Actually this was based on comment 1, so this should be a question for Stephen Gallagher
***** Plugin catchall (100. confidence) suggests **************************

If you believe that (ostnamed) should be allowed mounton access on the mtrr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:mtrr_device_t:s0
Target Objects                /proc/mtrr [ file ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-241.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc0.git9.1.fc26.x86_64 #1 SMP Fri Mar 3 16:57:16 UTC 2017 x86_64 x86_64
Alert Count                   24
First Seen                    2017-03-05 11:36:13 IST
Last Seen                     2017-03-06 09:08:51 IST
Local ID                      eb618873-5d6a-40dc-a48b-cbccf7447b07

Raw Audit Messages
type=AVC msg=audit(1488784131.869:254): avc: denied { mounton } for pid=2340 comm="(-localed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=0

Hash: (ostnamed),init_t,mtrr_device_t,file,mounton
(In reply to Bill Gianopoulos from comment #11)
> (In reply to Adam Williamson from comment #10)
> > Yeah, I'm still seeing this on my own box, and all openQA tests still run
> > into it all the time.
> >
> > Bill: the denial doesn't have any immediately obvious consequences, for me;
> > how is it 'preventing fedora26 being at all usable' for you?
>
> Actually this was based on comment 1, so this should be a question for
> Stephen Gallagher

This was one of several systemd-related SELinux denials I was getting at the time. I'm not sure which *specific* one was causing me to be unable to log into the GNOME session, but it appears not to be the case any more (at least as of today).
Discussed during the 2017-03-06 blocker review meeting: [1]

The decision to classify this bug as an Accepted Blocker (Final) and Accepted Freeze Exception (Alpha) was made as it violates the following blocker criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop"

It is also widespread enough to warrant a Freeze Exception status.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-06/f26-blocker-review.2017-03-06-17.02.txt
Description of problem:
Booting up a Fedora 26 virtual machine (hosted on Fedora 25 Virtual Machine Manager) with automatic login for the user account. I'm not sure if this happened during boot up or during login.

Version-Release number of selected component:
selinux-policy-3.13.1-241.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc0.git9.1.fc26.x86_64
type:           libreport
Description of problem:
These error messages appear when I download something from Firefox. I don't know if there is really a security hole or these alarms aren't concerned with security.

Version-Release number of selected component:
selinux-policy-3.13.1-244.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc1.git0.1.fc26.x86_64
type:           libreport
(In reply to Christian Crispino from comment #16)
> Description of problem:
> These error messages appear when I download something from Firefox. I don't
> know if there is really a security hole or these alarms aren't concerned
> with security.
>
> Version-Release number of selected component:
> selinux-policy-3.13.1-244.fc26.noarch
>
> Additional info:
> reporter:       libreport-2.9.0
> hashmarkername: setroubleshoot
> kernel:         4.11.0-0.rc1.git0.1.fc26.x86_64
> type:           libreport

OH this is really interesting as Firefox is an X11 application. I wonder if the people who see this upon login all have desktop icon display enabled which seems to result in an X11 overlay on the desktop.
No. The AVC happens to openQA tests just on boot, even non-desktop ones. e.g. https://openqa.fedoraproject.org/tests/62979#step/_console_avc_crash/11 , which is just a minimal install and boot test.
(In reply to Bill Gianopoulos from comment #17)
> (In reply to Christian Crispino from comment #16)
> > Description of problem:
> > These error messages appear when I download something from Firefox. I don't
> > know if there is really a security hole or these alarms aren't concerned
> > with security.
> >
> > Version-Release number of selected component:
> > selinux-policy-3.13.1-244.fc26.noarch
> >
> > Additional info:
> > reporter:       libreport-2.9.0
> > hashmarkername: setroubleshoot
> > kernel:         4.11.0-0.rc1.git0.1.fc26.x86_64
> > type:           libreport
>
> OH this is really interesting as Firefox is an X11 application. I wonder if
> the people who see this upon login all have desktop icon display enabled
> which seems to result in an X11 overlay on the desktop.

These messages appear in the SELinux issues application, not in X11. However the system is usable.
selinux-policy-3.13.1-245.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
(In reply to Christian Crispino from comment #16)
> Description of problem:
> These error messages appear when I download something from Firefox.

Same here and the update in Comment 21 fixes it.
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.