Description of problem: Installing libcgroup seems to run groupadd which in turn produces AVC denials. Version-Release number of selected component (if applicable): shadow-utils-4.3.1-3.fc26.x86_64 kernel-4.11.0-0.rc8.git0.1.fc26.x86_64 selinux-policy-3.13.1-249.fc26.noarch libcgroup-0.41-11.fc26.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. dnf install -y libcgroup 2. Check audit.log. Actual results: type=AVC msg=audit(1494387026.407:124): avc: denied { net_admin } for pid=1244 comm="groupadd" capability=12 scontext=system_u:unconfined_r:groupadd_t:s0 tcontext=system_u:unconfined_r:groupadd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1494387026.407:125): avc: denied { net_admin } for pid=1244 comm="groupadd" capability=12 scontext=system_u:unconfined_r:groupadd_t:s0 tcontext=system_u:unconfined_r:groupadd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1494387026.407:126): avc: denied { write } for pid=1244 comm="groupadd" name="system_bus_socket" dev="tmpfs" ino=14232 scontext=system_u:unconfined_r:groupadd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0 Expected results: No AVC denials. Additional info: Filing against shadow-utils in case this is something which needs to be addressed in groupadd, rather than in selinux-policy.
Lukáš, can you please look at it? I don't think this is something solvable by groupadd itself.
I see only the first AVC - net_admin denial when I try to reproduce. This is legitimate and caused by kernel. I do not see the dbus related one. What is in your /etc/nsswitch.conf. Is this running in container or regular install?
This is regular, on host install. The nsswitch.conf contains passwd: sss files systemd shadow: files sss group: sss files systemd #hosts: db files nisplus nis dns hosts: files dns myhostname # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: nisplus sss publickey: nisplus automount: files nisplus aliases: files nisplus
Sorry for clearing the wrong needinfo.
I'd expect some dbus communication from the systemd module. So if it is now by default there (should it really really be there?) there could be some dbus accesses by all processes possible.
I'm not able reproduce this bug and get SELinux denials from description. But if dbus communication is excepted I have no problem to allow it. Moving this issue to selinux-policy component.
*** Bug 1416961 has been marked as a duplicate of this bug. ***
*** Bug 1416962 has been marked as a duplicate of this bug. ***
Description of problem: This happened during a default installation of F26 Beta 1.3 Workstation Live. Version-Release number of selected component: selinux-policy-3.13.1-251.fc26.noarch Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.0-2.fc26.x86_64 type: libreport
Proposing as a F26 Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. " https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications
Description of problem: The same as in https://bugzilla.redhat.com/show_bug.cgi?id=1416964#c7 . I was installing bzflag from repos. Version-Release number of selected component: selinux-policy-3.13.1-254.fc26.noarch Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.3-300.fc26.x86_64 type: libreport
Description of problem: Ran "dnf upgrade -y --refresh" Version-Release number of selected component: selinux-policy-3.13.1-254.fc26.noarch Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.3-300.fc26.x86_64 type: libreport
Description of problem: Running "sudo dnf -y upgrade --refresh" Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.3-300.fc26.x86_64 type: libreport
Discussed at 2017-06-05 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-05/f26-blocker-review.2017-06-05-16.01.html . Accepted as a blocker per Kamil's claim that it happens during a default Workstation install, as a violation of criterion "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."
selinux-policy-3.13.1-257.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229
selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229
selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: Not sure just found this bug, possible from a program script or code from Kodi program?? Version-Release number of selected component: selinux-policy-3.13.1-249.fc26.noarch selinux-policy-3.13.1-257.fc26.noarch Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.4-300.fc26.x86_64 type: libreport