Bug 1462925 - SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.
SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /de...
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
abrt_hash:3a897f72a654e43570dd880920a...
:
Depends On: 1385090
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-19 13:19 EDT by nate.dailey
Modified: 2018-01-09 03:35 EST (History)
39 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-175.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1385090
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description nate.dailey 2017-06-19 13:19:26 EDT
I see this on RHEL 7.4, as recently as Snap-3:

Jun 15 10:27:42 lin303 setroubleshoot: SELinux is preventing /usr/bin/gnome-shell from getattr access on the chr_file /dev/loop-control. For complete SELinux messages run: sealert -l d60aa90b-6af3-4578-b5d7-91f4498a8acd

I noticed this if I log into the GUI, double-click an ISO file to mount, and then log out. Doesn't seem to cause a problem other than the alert message.


+++ This bug was initially created as a clone of Bug #1385090 +++

Description of problem:
Just Upgraded to F25 from F24, and tried to login to GNOME (Wayland Session).
SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed getattr access on the loop-control chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:loop_control_device_t:s0
Target Objects                /dev/loop-control [ chr_file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct
                              7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-10-14 19:01:25 EET
Last Seen                     2016-10-14 19:16:22 EET
Local ID                      5f0dc318-66dc-4bfe-a072-4a685618b00e

Raw Audit Messages
type=AVC msg=audit(1476465382.549:205): avc:  denied  { getattr } for  pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0


Hash: gnome-shell,xdm_t,loop_control_device_t,chr_file,getattr


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.1-1.fc25.x86_64
type:           libreport

--- Additional comment from Martijn Kruiten on 2016-11-11 16:00:10 EST ---

Description of problem:
Steps to reproduce:
- insert usb drive (ext4 in my case)

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

--- Additional comment from Krzysztof Troska on 2016-11-27 05:11:55 EST ---

Description of problem:
By mounting iso file by gnome auto mount, its starting to complain about this problem - note that mount is working and can be unmounted in normal way.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2016-11-30 07:08:26 EST ---

Hi, 
Could you try to reproduce it in permissive mode and collect all SELinux denials? 

Thanks.

--- Additional comment from Anass Ahmed on 2016-11-30 10:12:06 EST ---

I don't know if I can reproduce it again (this means installing F24, then upgrading to F25, which I've done already and applied the policy to be able to login Wayland).

--- Additional comment from Krzysztof Troska on 2016-11-30 16:53 EST ---

Logs you can get even on new installation. 
Just mount iso by build in gnome application e.g. Fedora 25 iso.
Hope it helps.

--- Additional comment from fred on 2017-01-22 07:00:26 EST ---

Description of problem:
mounting a win 10 iso by clicking on it

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.3-200.fc25.x86_64
type:           libreport

--- Additional comment from Shaun Assam on 2017-02-15 17:42:54 EST ---

Description of problem:
- Mounted an ISO file in my home directory by double-clicking the file in the Files manager.

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Martijn Kruiten on 2017-02-18 08:54:50 EST ---

type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425836.849:860): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1487425855.196:861): avc:  denied  { getattr } for  pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3
type=USER_AVC msg=audit(1487425866.180:863): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1487425866.184:864): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

--- Additional comment from  on 2017-02-21 15:50:43 EST ---

Description of problem:
i was installing KDevelop using the appimage

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.10-200.fc25.x86_64
type:           libreport

--- Additional comment from Bill Chatfield on 2017-03-21 21:13:43 EDT ---

Description of problem:
I simply tried to double click on a .iso image. That does an "Open with Disk Image Mounter" in the Gnome Shell.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.14-200.fc25.i686+PAE
type:           libreport

--- Additional comment from Paul W. Frields on 2017-03-30 16:57:06 EDT ---

Description of problem:
This error appeared spontaneously.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.5-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-05 20:38:30 EDT ---

Description of problem:
1. Two clicks on an Appimage file
2. The app gets mounted, but SELinux alert appears

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.5-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-05 20:43:07 EDT ---

Actually the problem was, that archive mounter tried to mount it as a disk image. When giving proper executable rights to the Appimage file, it was run properly without mounting.

--- Additional comment from  on 2017-04-08 13:10:53 EDT ---

Description of problem:
I couldn't burn in a CD, which already has data burnt in it, but it isn't full.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.8-200.fc25.x86_64
type:           libreport

--- Additional comment from  on 2017-04-15 10:04:53 EDT ---

Description of problem:
Laptop (Lenovo X240) awoke from sleep mode and displayed error

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Sebastian Potasiak on 2017-04-17 15:25:22 EDT ---

Description of problem:
Connected external HDD through USB 3.0

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.9-200.fc25.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2017-04-19 16:36:58 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

--- Additional comment from Fedora Update System on 2017-04-20 14:25:22 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc

--- Additional comment from Fedora Update System on 2017-04-24 22:24:10 EDT ---

selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.