Bug 1462925 - SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64 Linux
Priority: medium Severity: medium
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
abrt_hash:3a897f72a654e43570dd880920a...
Depends On: 1385090

Reported: 2017-06-19 13:19 EDT by nate.dailey
Modified: 2018-04-10 08:33 EDT
CC List: 39 users
Fixed In Version: selinux-policy-3.13.1-175.el7
Clone Of: 1385090
Last Closed: 2018-04-10 08:32:41 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 08:33 EDT

Description nate.dailey 2017-06-19 13:19:26 EDT
I see this on RHEL 7.4, as recently as Snap-3:

Jun 15 10:27:42 lin303 setroubleshoot: SELinux is preventing /usr/bin/gnome-shell from getattr access on the chr_file /dev/loop-control. For complete SELinux messages run: sealert -l d60aa90b-6af3-4578-b5d7-91f4498a8acd

I noticed this if I log into the GUI, double-click an ISO file to mount, and then log out. Doesn't seem to cause a problem other than the alert message.


+++ This bug was initially created as a clone of Bug #1385090 +++

Description of problem:
Just upgraded to F25 from F24, and tried to log in to GNOME (Wayland session).
SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed getattr access on the loop-control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:loop_control_device_t:s0
Target Objects                /dev/loop-control [ chr_file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct
                              7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-10-14 19:01:25 EET
Last Seen                     2016-10-14 19:16:22 EET
Local ID                      5f0dc318-66dc-4bfe-a072-4a685618b00e

Raw Audit Messages
type=AVC msg=audit(1476465382.549:205): avc:  denied  { getattr } for  pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0


Hash: gnome-shell,xdm_t,loop_control_device_t,chr_file,getattr


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.1-1.fc25.x86_64
type:           libreport

--- Additional comment from Martijn Kruiten on 2016-11-11 16:00:10 EST ---

Description of problem:
Steps to reproduce:
- insert usb drive (ext4 in my case)

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

--- Additional comment from Krzysztof Troska on 2016-11-27 05:11:55 EST ---

Description of problem:
When mounting an ISO file with GNOME auto mount, it starts to complain about this problem; note that the mount works and can be unmounted in the normal way.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2016-11-30 07:08:26 EST ---

Hi, 
Could you try to reproduce it in permissive mode and collect all SELinux denials? 

Thanks.

--- Additional comment from Anass Ahmed on 2016-11-30 10:12:06 EST ---

I don't know if I can reproduce it again (this means installing F24, then upgrading to F25, which I've done already, and I applied the policy to be able to log in to Wayland).

--- Additional comment from Krzysztof Troska on 2016-11-30 16:53 EST ---

You can get the logs even on a new installation.
Just mount an ISO with the built-in GNOME application, e.g. the Fedora 25 ISO.
Hope it helps.

--- Additional comment from fred on 2017-01-22 07:00:26 EST ---

Description of problem:
mounting a win 10 iso by clicking on it

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.3-200.fc25.x86_64
type:           libreport

--- Additional comment from Shaun Assam on 2017-02-15 17:42:54 EST ---

Description of problem:
- Mounted an ISO file in my home directory by double-clicking the file in the Files manager.

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Martijn Kruiten on 2017-02-18 08:54:50 EST ---

type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425836.849:860): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487425855.196:861): avc:  denied  { getattr } for  pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3
type=USER_AVC msg=audit(1487425866.180:863): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425866.184:864): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

--- Additional comment from  on 2017-02-21 15:50:43 EST ---

Description of problem:
I was installing KDevelop using the AppImage

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.10-200.fc25.x86_64
type:           libreport

--- Additional comment from Bill Chatfield on 2017-03-21 21:13:43 EDT ---

Description of problem:
I simply tried to double click on a .iso image. That does an "Open with Disk Image Mounter" in the Gnome Shell.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.14-200.fc25.i686+PAE
type:           libreport

--- Additional comment from Paul W. Frields on 2017-03-30 16:57:06 EDT ---

Description of problem:
This error appeared spontaneously.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.5-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-05 20:38:30 EDT ---

Description of problem:
1. Two clicks on an Appimage file
2. The app gets mounted, but SELinux alert appears

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.5-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-05 20:43:07 EDT ---

Actually, the problem was that the archive mounter tried to mount it as a disk image. When given proper executable rights, the AppImage file ran properly without mounting.

--- Additional comment from  on 2017-04-08 13:10:53 EDT ---

Description of problem:
I couldn't burn in a CD, which already has data burnt in it, but it isn't full.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.8-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-15 10:04:53 EDT ---

Description of problem:
Laptop (Lenovo X240) awoke from sleep mode and displayed error

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Sebastian Potasiak on 2017-04-17 15:25:22 EDT ---

Description of problem:
Connected external HDD through USB 3.0

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2017-04-19 16:36:58 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

--- Additional comment from Fedora Update System on 2017-04-20 14:25:22 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

--- Additional comment from Fedora Update System on 2017-04-24 22:24:10 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 errata-xmlrpc 2018-04-10 08:32:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
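
For triaging an audit capture like the ones posted in this report, an added example (not part of the bug report or of setroubleshoot) that parses kernel AVC records, rebuilds the comm/source type/target type/class/permission signature shown on the report's "Hash:" line, and separates denials that were enforced (permissive=0) from those only logged in permissive mode (permissive=1). The function names are illustrative; the sample lines are copied from the comments above, and treating the "Hash:" line as this exact field order is an assumption based on the one instance in this report.

```python
import re
from collections import Counter

# Audit records copied from the comments in this report (sample input).
SAMPLE = """
type=AVC msg=audit(1476465382.549:205): avc:  denied  { getattr } for  pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0
type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487425855.196:861): avc:  denied  { getattr } for  pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for a kernel AVC denial, or None for any other record
    (USER_AVC setenforce notices, MAC_STATUS, blank lines)."""
    if not line.startswith('type=AVC '):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def selinux_type(context):
    # user:role:type:level -> type; only the MLS level can contain further ':'
    return context.split(':')[2]

def signature(rec):
    """comm,source type,target type,class,perms (the shape of the 'Hash:' line)."""
    return ','.join([rec['comm'], selinux_type(rec['scontext']),
                     selinux_type(rec['tcontext']), rec['tclass'], *rec['perms']])

def summarize(text):
    """Count denials per signature, split into 'blocked' (enforcing) and
    'logged-only' (permissive, access was actually granted)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            mode = 'logged-only' if rec.get('permissive') == '1' else 'blocked'
            counts[(signature(rec), mode)] += 1
    return counts

if __name__ == '__main__':
    for (sig, mode), n in sorted(summarize(SAMPLE).items()):
        print(f'{n:3d}  {mode:11s}  {sig}')
```

Fed the output of `ausearch -m avc --raw`, this gives one row per distinct denial, which is easier to review than a generated module when deciding whether a local allow rule is warranted.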
