Bug 1411360 - SELinux is preventing (ostnamed) from 'mounton' accesses on the file /proc/mtrr.
Summary: SELinux is preventing (ostnamed) from 'mounton' accesses on the file /proc/mtrr.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:400081240413893e0be4eb8bf42...
: 1417368 (view as bug list)
Depends On:
Blocks: F26AlphaFreezeException F26FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2017-01-09 14:47 UTC by Bill Gianopoulos
Modified: 2017-03-21 02:40 UTC (History)
26 users (show)

Fixed In Version: selinux-policy-3.13.1-246.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 02:40:24 UTC
Type: ---


Attachments (Terms of Use)

Description Bill Gianopoulos 2017-01-09 14:47:10 UTC
Description of problem:
SELinux is preventing (ostnamed) from 'mounton' accesses on the file /proc/mtrr.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (ostnamed) should be allowed mounton access on the mtrr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:mtrr_device_t:s0
Target Objects                /proc/mtrr [ file ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-231.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.10.0-0.rc2.git4.1.fc26.x86_64 #1
                              SMP Fri Jan 6 19:24:42 UTC 2017 x86_64 x86_64
Alert Count                   4
First Seen                    2017-01-09 09:44:36 EST
Last Seen                     2017-01-09 09:45:49 EST
Local ID                      98f33645-99cc-46e9-a604-8aa67858db62

Raw Audit Messages
type=AVC msg=audit(1483973149.942:254): avc:  denied  { mounton } for  pid=2101 comm="(-localed)" path="/proc/mtrr" dev="proc" ino=4026531961 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1


Hash: (ostnamed),init_t,mtrr_device_t,file,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-231.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc2.git4.1.fc26.x86_64
type:           libreport

Comment 1 Stephen Gallagher 2017-01-14 12:25:45 UTC
Description of problem:
I updated to Rawhide today and logging in to GNOME Session (Wayland or X11) would just hang. Setting SELinux to permissive mode allowed me to log in successfully.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git1.1.fc26.x86_64
type:           libreport

Comment 2 Nivag 2017-01-21 00:55:40 UTC
Description of problem:
Just  brought up this Rawhide instance (VM) after and extensive dnf upgrade, no idea if this access behaviour is valid or not!


Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc4.git2.1.fc26.x86_64
type:           libreport

Comment 3 arturpolak1 2017-01-26 23:27:05 UTC
Description of problem:
I just open gnome-tweak-tool after upgrading to fedora 26 using fedora-upgrade...

Version-Release number of selected component:
selinux-policy-3.13.1-235.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc5.git1.1.fc26.x86_64
type:           libreport

Comment 4 Delete My Account 2017-01-28 10:52:40 UTC
*** Bug 1417368 has been marked as a duplicate of this bug. ***

Comment 5 Bill Gianopoulos 2017-02-03 15:05:26 UTC
OK>  Exactly how is this not an Alpha blocker?  This issue prevents fedora26 being at all usable unless you either disable selinux entirely, change it to permissive or install  local override policy.

Comment 6 Lukas Vrabec 2017-02-03 16:49:57 UTC
Could you please try this issue with: 
https://koji.fedoraproject.org/koji/buildinfo?buildID=837901

Thank you.

Comment 7 Fedora End Of Life 2017-02-28 10:54:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 8 Viorel Tabara 2017-03-02 04:15:50 UTC
(In reply to Lukas Vrabec from comment #6)
> Could you please try this issue with: 
> https://koji.fedoraproject.org/koji/buildinfo?buildID=837901
> 

Still happening in a later version:

    [root@omiday ~]# rpm -qa --last selinux-policy
    selinux-policy-3.13.1-241.fc26.noarch         Wed 22 Feb 2017 12:14:33 PM MST

    [root@omiday ~]# ausearch -m avc -ts today -c ostnamed
    ----
    time->Wed Mar  1 21:03:55 2017
    type=AVC msg=audit(1488427435.601:2457): avc:  denied  { mounton } for  pid=23675 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531961 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=0

Comment 9 Luya Tshimbalanga 2017-03-02 18:46:58 UTC
Description of problem:
Starting the session

Version-Release number of selected component:
selinux-policy-3.13.1-241.fc26.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc0.git5.1.fc26.x86_64
type:           libreport

Comment 10 Adam Williamson 2017-03-04 04:22:56 UTC
Yeah, I'm still seeing this on my own box, and all openQA tests still run into it all the time.

Bill: the denial doesn't have any immediately obvious consequences, for me; how is it 'preventing fedora26 being at all usable' for you?

It is at least a clear Final blocker, though, per "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." - this shows up as an AVC notification on the desktop.

Comment 11 Bill Gianopoulos 2017-03-04 11:18:16 UTC
(In reply to Adam Williamson from comment #10)
> Yeah, I'm still seeing this on my own box, and all openQA tests still run
> into it all the time.
> 
> Bill: the denial doesn't have any immediately obvious consequences, for me;
> how is it 'preventing fedora26 being at all usable' for you?

Actually this was based on comment 1, so this should be a question for Stephen Gallagher

Comment 12 Andrey Motoshkov 2017-03-06 07:29:31 UTC
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (ostnamed) should be allowed mounton access on the mtrr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:mtrr_device_t:s0
Target Objects                /proc/mtrr [ file ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-241.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              4.11.0-0.rc0.git9.1.fc26.x86_64 #1 SMP Fri Mar 3
                              16:57:16 UTC 2017 x86_64 x86_64
Alert Count                   24
First Seen                    2017-03-05 11:36:13 IST
Last Seen                     2017-03-06 09:08:51 IST
Local ID                      eb618873-5d6a-40dc-a48b-cbccf7447b07

Raw Audit Messages
type=AVC msg=audit(1488784131.869:254): avc:  denied  { mounton } for  pid=2340 comm="(-localed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=0


Hash: (ostnamed),init_t,mtrr_device_t,file,mounton

Comment 13 Stephen Gallagher 2017-03-06 15:50:57 UTC
(In reply to Bill Gianopoulos from comment #11)
> (In reply to Adam Williamson from comment #10)
> > Yeah, I'm still seeing this on my own box, and all openQA tests still run
> > into it all the time.
> > 
> > Bill: the denial doesn't have any immediately obvious consequences, for me;
> > how is it 'preventing fedora26 being at all usable' for you?
> 
> Actually this was based on comment 1, so this should be a question for
> Stephen Gallagher

This was one of several systemd-related SELinux denials I was getting at the time. I'm not sure which *specific* one was causing me to be unable to log into the GNOME session, but it appears not to be the case any more (at least as of today).

Comment 14 Geoffrey Marr 2017-03-06 18:38:54 UTC
Discussed during the 2017-03-06 blocker review meeting: [1]

The decision to classify this bug as an Accepted Blocker (Final) and Accepted Freeze Exception (Alpha) was made as it violates the following blocker criteria:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop"

It is also widespread enough to warrant a Freeze Exception status.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-06/f26-blocker-review.2017-03-06-17.02.txt

Comment 15 M. Edward (Ed) Borasky 2017-03-10 04:57:45 UTC
Description of problem:
Booting up a Fedora 26 virtual machine (hosted on Fedora 25 Virtual Machine Manager) with automatic login for the user account.

I'm not sure if this happened during boot up or during login.

Version-Release number of selected component:
selinux-policy-3.13.1-241.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc0.git9.1.fc26.x86_64
type:           libreport

Comment 16 Delete My Account 2017-03-11 18:27:13 UTC
Description of problem:
These error messages appear when I download something from Firefox. I don't know if there is really a security hole or these alarms aren't concerned with security.

Version-Release number of selected component:
selinux-policy-3.13.1-244.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc1.git0.1.fc26.x86_64
type:           libreport

Comment 17 Bill Gianopoulos 2017-03-11 18:36:28 UTC
(In reply to Christian Crispino from comment #16)
> Description of problem:
> These error messages appear when I download something from Firefox. I don't
> know if there is really a security hole or these alarms aren't concerned
> with security.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-244.fc26.noarch
> 
> Additional info:
> reporter:       libreport-2.9.0
> hashmarkername: setroubleshoot
> kernel:         4.11.0-0.rc1.git0.1.fc26.x86_64
> type:           libreport

OH this is really interesting as Firefox is an 11 application.  I wonder if the people who see this upon login all have desktop icon display enabled which seems to result in an X11 overlay on the desktop.

Comment 18 Adam Williamson 2017-03-11 23:54:26 UTC
No. The AVC happens to openQA tests just on boot, even non-desktop ones. e.g. https://openqa.fedoraproject.org/tests/62979#step/_console_avc_crash/11 , which is just a minimal install and boot test.

Comment 19 Delete My Account 2017-03-16 20:08:50 UTC
(In reply to Bill Gianopoulos from comment #17)
> (In reply to Christian Crispino from comment #16)
> > Description of problem:
> > These error messages appear when I download something from Firefox. I don't
> > know if there is really a security hole or these alarms aren't concerned
> > with security.
> > 
> > Version-Release number of selected component:
> > selinux-policy-3.13.1-244.fc26.noarch
> > 
> > Additional info:
> > reporter:       libreport-2.9.0
> > hashmarkername: setroubleshoot
> > kernel:         4.11.0-0.rc1.git0.1.fc26.x86_64
> > type:           libreport
> 
> OH this is really interesting as Firefox is an 11 application.  I wonder if
> the people who see this upon login all have desktop icon display enabled
> which seems to result in an X11 overlay on the desktop.

These messages appear in SELinux issues application, not in X11. However the system is usable.

Comment 20 Fedora Update System 2017-03-17 22:48:09 UTC
selinux-policy-3.13.1-245.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16

Comment 21 Fedora Update System 2017-03-19 14:21:40 UTC
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16

Comment 22 Viorel Tabara 2017-03-20 05:45:34 UTC
(In reply to Christian Crispino from comment #16)
> Description of problem:
> These error messages appear when I download something from Firefox. 

Same here and the update in Comment 21 fixes it.

Comment 23 Fedora Update System 2017-03-21 02:40:24 UTC
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.