Bug 1498861 - SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 7838.
Summary: SELinux is preventing qemu-system-x86 from 'search' accesses on the directory...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:068c10f78e3c23c919a52ff97cf...
Keywords:
: 1541145 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-05 12:39 UTC by tpypta
Modified: 2018-03-23 15:01 UTC (History)
16 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-10-31 15:35:59 UTC


Attachments (Terms of Use)

Description tpypta 2017-10-05 12:39:50 UTC
Description of problem:
I was backing up the whole / with GNOME Backup. I rebooted and 9 seliux prompts came up.
SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 7838.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed search access on the 7838 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c216,c374
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                7838 [ dir ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.9.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.12.14-300.fc26.x86_64 #1 SMP Wed
                              Sep 20 16:28:07 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-09-27 18:26:56 EEST
Last Seen                     2017-09-27 18:26:56 EEST
Local ID                      365a00e2-1d0d-4c89-a281-ef8aa7f4b53f

Raw Audit Messages
type=AVC msg=audit(1506526016.302:424): avc:  denied  { search } for  pid=8001 comm="qemu-system-x86" name="7838" dev="proc" ino=201200 scontext=unconfined_u:unconfined_r:svirt_t:s0:c216,c374 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: qemu-system-x86,svirt_t,unconfined_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.4-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1415975

Comment 1 tpypta 2017-10-10 06:55:51 UTC
Description of problem:
A bunch of SELinux alerts appeared on boot, after deja-dup tried to do automatic daily backup but crashed.

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.5-300.fc27.x86_64
type:           libreport

Comment 2 tpypta 2017-10-10 06:58:14 UTC
Description of problem:
A bunch of SELinux alerts appeared upon boot, after deja-dup tried to do an automatic daily backup but crashed. 

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.5-300.fc27.x86_64
type:           libreport

Comment 3 Lukas Vrabec 2017-10-10 08:45:34 UTC
Should be fixed in the next selinux-policy update.

Comment 4 tpypta 2017-10-20 13:35:34 UTC
Description of problem:
The error occured when I set pCloud Appimage client to autostart on every boot.

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.8-300.fc27.x86_64
type:           libreport

Comment 5 Fedora Update System 2017-10-25 10:13:32 UTC
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 6 Fedora Update System 2017-10-27 18:45:58 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 7 Fedora Update System 2017-10-31 15:35:59 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Chris 2018-02-01 20:35:27 UTC
*** Bug 1541145 has been marked as a duplicate of this bug. ***

Comment 9 John Williams 2018-02-04 21:43:18 UTC
Description of problem:
installing blockstack browser

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.16-300.fc27.x86_64
type:           libreport

Comment 10 J. Alexander Jacocks 2018-02-07 16:06:49 UTC
I had this same alert come up with F27, package rev selinux-policy-3.13.1-283.21.fc27.noarch installed.


Note You need to log in before you can comment on or make changes to this bug.