Red Hat Bugzilla – Bug 1462925
SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control.
Last modified: 2018-04-10 08:33:50 EDT
I see this on RHEL 7.4, as recently as Snap-3: Jun 15 10:27:42 lin303 setroubleshoot: SELinux is preventing /usr/bin/gnome-shell from getattr access on the chr_file /dev/loop-control. For complete SELinux messages run: sealert -l d60aa90b-6af3-4578-b5d7-91f4498a8acd I noticed this if I log into the GUI, double-click an ISO file to mount, and then log out. Doesn't seem to cause a problem other than the alert message. +++ This bug was initially created as a clone of Bug #1385090 +++ Description of problem: Just Upgraded to F25 from F24, and tried to login to GNOME (Wayland Session). SELinux is preventing gnome-shell from 'getattr' accesses on the chr_file /dev/loop-control. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gnome-shell should be allowed getattr access on the loop-control chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell # semodule -X 300 -i my-gnomeshell.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:loop_control_device_t:s0 Target Objects /dev/loop-control [ chr_file ] Source gnome-shell Source Path gnome-shell Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct 7 14:38:22 UTC 2016 x86_64 x86_64 Alert Count 18 First Seen 2016-10-14 19:01:25 EET Last Seen 2016-10-14 19:16:22 EET Local ID 5f0dc318-66dc-4bfe-a072-4a685618b00e Raw Audit Messages type=AVC msg=audit(1476465382.549:205): avc: denied { getattr } for pid=1344 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=17414 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=0 Hash: gnome-shell,xdm_t,loop_control_device_t,chr_file,getattr Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.1-1.fc25.x86_64 type: libreport --- Additional comment from Martijn Kruiten on 2016-11-11 16:00:10 EST --- Description of problem: Steps to reproduce: - insert usb drive (ext4 in my case) Version-Release number of selected component: selinux-policy-3.13.1-220.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.6-300.fc25.x86_64 type: libreport --- Additional comment from Krzysztof Troska on 2016-11-27 05:11:55 EST --- Description of problem: By mounting iso file by gnome auto mount, its starting to complain about this problem - note that mount is working and can be unmounted in normal way. Version-Release number of selected component: selinux-policy-3.13.1-224.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.8-300.fc25.x86_64 type: libreport --- Additional comment from Lukas Vrabec on 2016-11-30 07:08:26 EST --- Hi, Could you try to reproduce it in permissive mode and collect all SELinux denials? Thanks. --- Additional comment from Anass Ahmed on 2016-11-30 10:12:06 EST --- I don't know if I can reproduce it again (this means installing F24, then upgrading to F25, which I've done already and applied the policy to be able to login Wayland). --- Additional comment from Krzysztof Troska on 2016-11-30 16:53 EST --- Logs you can get even on new installation. Just mount iso by build in gnome application e.g. Fedora 25 iso. Hope it helps. --- Additional comment from fred on 2017-01-22 07:00:26 EST --- Description of problem: mounting a win 10 iso by clicking on it Version-Release number of selected component: selinux-policy-3.13.1-225.6.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.3-200.fc25.x86_64 type: libreport --- Additional comment from Shaun Assam on 2017-02-15 17:42:54 EST --- Description of problem: - Mounted an ISO file in my home directory by double-clicking the file in the Files manager. Version-Release number of selected component: selinux-policy-3.13.1-225.6.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.9-200.fc25.x86_64 type: libreport --- Additional comment from Martijn Kruiten on 2017-02-18 08:54:50 EST --- type=USER_AVC msg=audit(1487425836.848:859): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1487425836.849:860): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=AVC msg=audit(1487425855.196:861): avc: denied { getattr } for pid=1488 comm="gnome-shell" path="/dev/loop-control" dev="devtmpfs" ino=16870 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1 type=MAC_STATUS msg=audit(1487425866.169:862): enforcing=1 old_enforcing=0 auid=1000 ses=3 type=USER_AVC msg=audit(1487425866.180:863): pid=14110 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1487425866.184:864): pid=1163 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' --- Additional comment from on 2017-02-21 15:50:43 EST --- Description of problem: i was installing KDevelop using the appimage Version-Release number of selected component: selinux-policy-3.13.1-225.6.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.10-200.fc25.x86_64 type: libreport --- Additional comment from Bill Chatfield on 2017-03-21 21:13:43 EDT --- Description of problem: I simply tried to double click on a .iso image. That does an "Open with Disk Image Mounter" in the Gnome Shell. Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.14-200.fc25.i686+PAE type: libreport --- Additional comment from Paul W. Frields on 2017-03-30 16:57:06 EDT --- Description of problem: This error appeared spontaneously. Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.10.5-200.fc25.x86_64 type: libreport --- Additional comment from on 2017-04-05 20:38:30 EDT --- Description of problem: 1. Two clicks on an Appimage file 2. The app gets mounted, but SELinux alert appears Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.10.5-200.fc25.x86_64 type: libreport --- Additional comment from on 2017-04-05 20:43:07 EDT --- Actually the problem was, that archive mounter tried to mount it as a disk image. When giving proper executable rights to the Appimage file, it was run properly without mounting. --- Additional comment from on 2017-04-08 13:10:53 EDT --- Description of problem: I couldn't burn in a CD, which already has data burnt in it, but it isn't full. Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.10.8-200.fc25.x86_64 type: libreport --- Additional comment from on 2017-04-15 10:04:53 EDT --- Description of problem: Laptop (Lenovo X240) awoke from sleep mode and displayed error Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.10.9-200.fc25.x86_64 type: libreport --- Additional comment from Sebastian Potasiak on 2017-04-17 15:25:22 EDT --- Description of problem: Connected external HDD through USB 3.0 Version-Release number of selected component: selinux-policy-3.13.1-225.11.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.10.9-200.fc25.x86_64 type: libreport --- Additional comment from Fedora Update System on 2017-04-19 16:36:58 EDT --- selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc --- Additional comment from Fedora Update System on 2017-04-20 14:25:22 EDT --- selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc --- Additional comment from Fedora Update System on 2017-04-24 22:24:10 EDT --- selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763