Description of problem: ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (fwupd) should be allowed mounton access on the fwupd directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(fwupd)' --raw | audit2allow -M my-fwupd # semodule -X 300 -i my-fwupd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:fwupd_var_lib_t:s0 Target Objects /var/lib/fwupd [ dir ] Source (fwupd) Source Path (fwupd) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages fwupd-0.8.1-1.fc26.x86_64 Policy RPM selinux-policy-3.13.1-241.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.11.0-0.rc0.git9.1.fc26.x86_64 #1 SMP Fri Mar 3 16:57:16 UTC 2017 x86_64 x86_64 Alert Count 3 First Seen 2017-03-05 13:50:39 IST Last Seen 2017-03-05 22:16:37 IST Local ID 01ff0dbd-275e-4254-acbd-c7776816d08e Raw Audit Messages type=AVC msg=audit(1488744997.336:249): avc: denied { mounton } for pid=2465 comm="(fwupd)" path="/var/lib/fwupd" dev="dm-0" ino=1706571 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fwupd_var_lib_t:s0 tclass=dir permissive=1 Hash: (fwupd),init_t,fwupd_var_lib_t,dir,mounton Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Just saw this in an openQA test after the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1427312 - seems like with selinux policy <245 in enforcing mode you don't see this, but with 245 or with permissive mode, this one shows up. Proposing as a Final blocker, as it looks like a violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications
Also proposing as Alpha FE.
Discussed during the 2017-03-20 blocker review meeting: [1] The decision was made to classify this bug as an AcceptedBlocker (Final) as it violates the following criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." This has also been accepted as an Alpha Freeze Exception as this would be gladly welcomed into the Alpha release. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-20/f26-blocker-review.2017-03-20-16.06.txt
*** Bug 1432759 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-247.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8ef20ac2b
selinux-policy-3.13.1-247.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8ef20ac2b
selinux-policy-3.13.1-247.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1433884 has been marked as a duplicate of this bug. ***