Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
I see this on RHEL 7.4, as recently as Snap-3:
Jun 15 10:27:42 lin303 setroubleshoot: SELinux is preventing /usr/bin/gnome-shell from getattr access on the chr_file /dev/loop-control. For complete SELinux messages run: sealert -l d60aa90b-6af3-4578-b5d7-91f4498a8acd
I noticed this if I log into the GUI, double-click an ISO file to mount, and then log out. Doesn't seem to cause a problem other than the alert message.
+++ This bug was initially created as a clone of Bug #1385090 +++
Description of problem:
Just Upgraded to F25 from F24, and tried to login to GNOME (Wayland Session).
SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gnome-shell should be allowed getattr access on the loop-control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:loop_control_device_t:s0
Target Objects /dev/loop-control [ chr_file ]
Source gnome-shell
Source Path gnome-shell
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct
7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count 18
First Seen 2016-10-14 19:01:25 EET
Last Seen 2016-10-14 19:16:22 EET
Local ID 5f0dc318-66dc-4bfe-a072-4a685618b00e
Raw Audit Messages
type=AVC msg=audit(1476465382.549:205): avc: denied { getattr } for pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0
Hash: gnome-shell,xdm_t,loop_control_device_t,chr_file,getattr
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.1-1.fc25.x86_64
type: libreport
--- Additional comment from Martijn Kruiten on 2016-11-11 16:00:10 EST ---
Description of problem:
Steps to reproduce:
- insert usb drive (ext4 in my case)
Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.6-300.fc25.x86_64
type: libreport
--- Additional comment from Krzysztof Troska on 2016-11-27 05:11:55 EST ---
Description of problem:
By mounting iso file by gnome auto mount, its starting to complain about this problem - note that mount is working and can be unmounted in normal way.
Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.8-300.fc25.x86_64
type: libreport
--- Additional comment from Lukas Vrabec on 2016-11-30 07:08:26 EST ---
Hi,
Could you try to reproduce it in permissive mode and collect all SELinux denials?
Thanks.
--- Additional comment from Anass Ahmed on 2016-11-30 10:12:06 EST ---
I don't know if I can reproduce it again (this means installing F24, then upgrading to F25, which I've done already and applied the policy to be able to login Wayland).
--- Additional comment from Krzysztof Troska on 2016-11-30 16:53 EST ---
Logs you can get even on new installation.
Just mount iso by build in gnome application e.g. Fedora 25 iso.
Hope it helps.
--- Additional comment from fred on 2017-01-22 07:00:26 EST ---
Description of problem:
mounting a win 10 iso by clicking on it
Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.9.3-200.fc25.x86_64
type: libreport
--- Additional comment from Shaun Assam on 2017-02-15 17:42:54 EST ---
Description of problem:
- Mounted an ISO file in my home directory by double-clicking the file in the Files manager.
Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.9.9-200.fc25.x86_64
type: libreport
--- Additional comment from Martijn Kruiten on 2017-02-18 08:54:50 EST ---
type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425836.849:860): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487425855.196:861): avc: denied { getattr } for pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3
type=USER_AVC msg=audit(1487425866.180:863): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425866.184:864): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
--- Additional comment from on 2017-02-21 15:50:43 EST ---
Description of problem:
i was installing KDevelop using the appimage
Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.9.10-200.fc25.x86_64
type: libreport
--- Additional comment from Bill Chatfield on 2017-03-21 21:13:43 EDT ---
Description of problem:
I simply tried to double click on a .iso image. That does an "Open with Disk Image Mounter" in the Gnome Shell.
Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.9.14-200.fc25.i686+PAE
type: libreport
--- Additional comment from Paul W. Frields on 2017-03-30 16:57:06 EDT ---
Description of problem:
This error appeared spontaneously.
Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.10.5-200.fc25.x86_64
type: libreport
--- Additional comment from on 2017-04-05 20:38:30 EDT ---
Description of problem:
1. Two clicks on an Appimage file
2. The app gets mounted, but SELinux alert appears
Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.10.5-200.fc25.x86_64
type: libreport
--- Additional comment from on 2017-04-05 20:43:07 EDT ---
Actually the problem was, that archive mounter tried to mount it as a disk image. When giving proper executable rights to the Appimage file, it was run properly without mounting.
--- Additional comment from on 2017-04-08 13:10:53 EDT ---
Description of problem:
I couldn't burn in a CD, which already has data burnt in it, but it isn't full.
Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.10.8-200.fc25.x86_64
type: libreport
--- Additional comment from on 2017-04-15 10:04:53 EDT ---
Description of problem:
Laptop (Lenovo X240) awoke from sleep mode and displayed error
Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.10.9-200.fc25.x86_64
type: libreport
--- Additional comment from Sebastian Potasiak on 2017-04-17 15:25:22 EDT ---
Description of problem:
Connected external HDD through USB 3.0
Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch
Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.10.9-200.fc25.x86_64
type: libreport
--- Additional comment from Fedora Update System on 2017-04-19 16:36:58 EDT ---
selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc
--- Additional comment from Fedora Update System on 2017-04-20 14:25:22 EDT ---
selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc
--- Additional comment from Fedora Update System on 2017-04-24 22:24:10 EDT ---
selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0763