1432759 – SELinux is preventing (fwupd) from 'mounton' accesses on the directory /var/lib/fwupd.

Bug 1432759 - SELinux is preventing (fwupd) from 'mounton' accesses on the directory /var/lib/fwupd.

Summary: SELinux is preventing (fwupd) from 'mounton' accesses on the directory /var/l...

Keywords:
Status:	CLOSED DUPLICATE of bug 1429341
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	26
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:cc901ee8e40191f3fa74ff3d206...
Depends On:
Blocks:	F26FinalBlocker
TreeView+	depends on / blocked

Reported:	2017-03-16 06:58 UTC by Heiko Adams
Modified:	2017-03-21 08:52 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-21 08:52:19 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Heiko Adams 2017-03-16 06:58:31 UTC

Description of problem:
SELinux is preventing (fwupd) from 'mounton' accesses on the directory /var/lib/fwupd.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es (fwupd) standardmäßig erlaubt sein sollte, mounton Zugriff auf fwupd directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c '(fwupd)' --raw | audit2allow -M my-fwupd
# semodule -X 300 -i my-fwupd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fwupd_var_lib_t:s0
Target Objects                /var/lib/fwupd [ dir ]
Source                        (fwupd)
Source Path                   (fwupd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc2.git0.1.fc26.x86_64 #1
                              SMP Mon Mar 13 17:14:58 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-16 07:57:33 CET
Last Seen                     2017-03-16 07:57:33 CET
Local ID                      2400e99c-ecc6-4c6e-ae9d-c82d1a75aeca

Raw Audit Messages
type=AVC msg=audit(1489647453.250:264): avc:  denied  { mounton } for  pid=2234 comm="(fwupd)" path="/var/lib/fwupd" dev="dm-0" ino=3145846 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fwupd_var_lib_t:s0 tclass=dir permissive=0


Hash: (fwupd),init_t,fwupd_var_lib_t,dir,mounton


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc2.git0.1.fc26.x86_64
type:           libreport

Comment 1 Fedora Blocker Bugs Application 2017-03-21 07:38:04 UTC

Proposed as a Blocker for 26-final by Fedora user vondruch using the blocker tracking app because:

 I think this violates:

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Although I am not sure it pops up after first login, it propably pops up sooner or later ...

Comment 2 Lukas Vrabec 2017-03-21 08:52:19 UTC


*** This bug has been marked as a duplicate of bug 1429341 ***

Note You need to log in before you can comment on or make changes to this bug.