Description of problem:
Starting Gnome Boxes under Wayland session

SELinux is preventing bwrap from nnp_transition, nosuid_transition access on the process2 Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bwrap should be allowed nnp_transition nosuid_transition access on the Unknown process2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bwrap' --raw | audit2allow -M my-bwrap
# semodule -X 300 -i my-bwrap.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                Unknown [ process2 ]
Source                        bwrap
Source Path                   bwrap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.14.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.0-0.rc3.git0.2.ecdt.fc27.x86_64 #1 SMP Tue Oct 3 19:54:23 UTC 2017 x86_64 x86_64
Alert Count                   18
First Seen                    2017-10-31 21:13:26 PDT
Last Seen                     2017-10-31 21:13:57 PDT
Local ID                      b72a27d6-bd92-4048-b727-5b8935d6b681

Raw Audit Messages
type=AVC msg=audit(1509509637.924:1227): avc: denied { nnp_transition nosuid_transition } for pid=11127 comm="bwrap" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=process2 permissive=0

Hash: bwrap,unconfined_t,thumb_t,process2,nnp_transition,nosuid_transition

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.9.2
hashmarkername: setroubleshoot
kernel: 4.14.0-0.rc3.git0.2.ecdt.fc27.x86_64
type: libreport

Potential duplicate: bug 1507911
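Added example (not part of the original report or of setroubleshoot): a small parser for the raw AVC records quoted in this bug, showing which source type, target type, class and permissions a local audit2allow module would end up permitting before anyone loads it. The signature string follows the field order of the "Hash:" line in the report; treating that as a grouping key is an assumption of this example, and the function names are illustrative.

```python
import re
from collections import Counter

# The two raw AVC records quoted in this bug report (first and later setroubleshoot comments).
AUDIT_LINES = [
    'type=AVC msg=audit(1509509637.924:1227): avc: denied { nnp_transition nosuid_transition } for pid=11127 comm="bwrap" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=process2 permissive=0',
    'type=AVC msg=audit(1511164559.924:663): avc: denied { nnp_transition nosuid_transition } for pid=16725 comm="bwrap" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=process2 permissive=0',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:range; the MLS range may itself contain ':'.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src = selinux_type(fields.get("scontext", ""))
    tgt = selinux_type(fields.get("tcontext", ""))
    tclass = fields.get("tclass")
    if not perms or not src or not tgt or not tclass:
        return None
    comm = fields.get("comm", "?")
    return {"comm": comm, "source_type": src, "target_type": tgt,
            "tclass": tclass, "perms": perms,
            "signature": ",".join([comm, src, tgt, tclass] + perms)}

def allow_rule(rec):
    # The rule a local module built from this denial would grant, in allow-rule syntax.
    return "allow {} {}:{} {{ {} }};".format(
        rec["source_type"], rec["target_type"], rec["tclass"], " ".join(rec["perms"]))

def summarize(lines):
    """Count denials per signature so repeated alerts collapse into one entry."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            counts[rec["signature"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for sig, n in summarize(AUDIT_LINES).items():
        print(n, sig)
    print(allow_rule(parse_avc(AUDIT_LINES[0])))
```

Both records collapse to a single signature, which is why the later reports in this bug were treated as the same denial rather than separate problems.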
Hi, do you know what's going on here? When did this AVC show up?
*** Bug 1507911 has been marked as a duplicate of this bug. ***
Hi, I cannot say with certainty. It seems to happen when I start some applications on a fresh boot and fresh login. For example, it happens when I start audacity-freeworld, but when I start audacity again later, the AVC sometimes does not show up. Audacity is not the only application where I see the AVC. I will try to pay more attention to this.
Not sure how that happens. For example, I just start setroubleshoot when the AVC popped up.
Well, I get the AVC alert every time I start audacity-freeworld, easytag, or keepassx. Sometimes when I open a folder on an autofs NFS mount in nautilus I get an alert as well.
Description of problem: When starting the nextcloud-client flatpak from flathub Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.11-300.fc27.x86_64 type: libreport
Jiri, it looks like flatpak and also gnome-boxes are using bubblewrap in Fedora, right?
(In reply to Lukas Vrabec from comment #7) I don't have gnome-boxes installed, but I can imagine that this might pop up when gnome-software is checking for updates in the background, since it depends on flatpak. That could explain the randomness.
Description of problem: I got this issue when I launched tilix from the GNOME shell. I use Fedora 27 x86_64 up-to-date with updates-testing. Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.11-300.fc27.x86_64 type: libreport
Description of problem: Just logged in. Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.11-300.fc27.x86_64 type: libreport
I have the same behavior on rawhide (fc28)... yesterday I tried mounting a samba share.
I think it happens when you search for anything on GNOME Shell overview. I can reproduce it reliably here.

Steps:
1. Open GNOME Shell overview.
2. Search for any application.
3. Wait for 5 seconds or so.
4. Get out of the overview (sometimes, you don't need to get out, the next step will happen inevitably).
5. SELinux Troubleshooter notification will kick in.

Looks like some sort of gnome-shell-search-provider for GNOME Software or GNOME Boxes (both use bubblewrap as stated earlier).

I have GNOME Boxes and I have machines inside, and when I search for them, they appear in the results without issues, then the SELinux Troubleshooter notification kicks in.

I also have GNOME Software, and it used to show results in GNOME Shell overview for non-installed software that matches my search, but not anymore (I think it has been broken for me for some time now; and I use DNF anyway), and the SELinux Troubleshooter notification appears.

NOTE: If you already have a bwrap AVC listed, you should delete it from the SELinux Alert Browser to reproduce the issue again reliably.
OK, I've disabled all the search providers and enabled them one by one replicating the test I've stated above and I discovered the culprit which is a bit of a surprise to me; it's not Boxes nor Software, it's Documents. The GNOME Documents search provider shows documents in the search results, but then the SELinux Troubleshooter notification appears. Opening GNOME Documents itself results in the same SELinux notification which ensures that it's the culprit.
(In reply to Anass Ahmed from comment #13)
> OK, I've disabled all the search providers and enabled them one by one
> replicating the test I've stated above and I discovered the culprit which is
> a bit of a surprise to me; it's not Boxes nor Software, it's Documents.
>
> The GNOME Documents search provider shows documents in the search results,
> but then the SELinux Troubleshooter notification appears.
>
> Opening GNOME Documents itself results in the same SELinux notification
> which ensures that it's the culprit.

Don't be so sure, it started happening to me too a few days ago, and I have no clue what's the cause. I can't point exactly to what causes this alert to appear because it is so random, but it happens on boot, reboot, opening Gnome-Files (Nautilus), and some other apps as said previously by other persons...
I'm using F27, and I'll run into it every time if I open Chrome (under Gnome3)
(In reply to GOGI from comment #14)
> Don't be so sure, it started happening to me too since few days, and I have
> no clue what's the cause, I can't point exactly what causes this alert to
> appear because it is so random, but happens on boot, reboot, opening
> Gnome-Files (Nautilus), and some other apps as said previously by other
> persons...

It shows up on boot, and reboot because this is how SELinux Troubleshooter handles pending alerts.

It shows up upon launching different apps, because the way you launch them is through searching in the GNOME Shell overview which triggers the error regardless of the app you're trying to launch.
(In reply to Anass Ahmed from comment #16)
> (In reply to GOGI from comment #14)
> > Don't be so sure, it started happening to me too since few days, and I have
> > no clue what's the cause, I can't point exactly what causes this alert to
> > appear because it is so random, but happens on boot, reboot, opening
> > Gnome-Files (Nautilus), and some other apps as said previously by other
> > persons...
>
> It shows up on boot, and reboot because this is how SELinux Troubleshooter
> handles pending alerts.

Oh really? You're serious? :D
Thanks, I'm aware of how Troubleshooter works ;)

>
> It shows up upon launching different apps, because the way you launch them
> is through searching in the GNOME Shell overview which triggers the error
> regardless of the app you're trying to launch.

Looks like you're acting as Big Brother inside my machine, aren't you? ;)
I'm sorry but I have to disappoint you and deny your self-assurance, because I didn't launch Nautilus from Gnome Shell Overview, and neither do I launch any of my favorite apps this way. I simply use the Dash, or the "Places" shell extension when I intend to open something in Nautilus...
Description of problem: Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.11-300.fc27.x86_64 type: libreport
*** Bug 1513000 has been marked as a duplicate of this bug. ***
(In reply to GOGI from comment #17)
> Looks like you're acting as Big Brother inside my machine, aren't you? ;)
> I'm sorry but I have to disappoint you and deny your self-assurance, because
> I didn't launch Nautilus from Gnome Shell Overview, and neither do I launch
> any of my favorites apps this way, I simply use the Dash, or "Places" shell
> extension when I intend to open something in Nautilus...

I'm trying to narrow the search for the culprit, not anything else. On my machine, I'm able to reproduce the AVC reliably every time with the steps I've mentioned above.
Description of problem: I opened LibreOffice Calc. Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
Description of problem: I was extracting files from an encrypted zip archive using drag&drop from file-roller to nautilus. Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
Description of problem: Opened file browser and went to file system root / Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
*** Bug 1513575 has been marked as a duplicate of this bug. ***
I can reproduce this by launching nautilus from the CLI
Description of problem: Just booting in a VM. Doesn't appear to happen on "real" hardware. Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393
Description of problem: Started steam and this error appeared Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
Description of problem: Took a few screenshots with printscreen key, then launched "GNOME Screenshot" and got this. Application launched successfully. Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
Description of problem: After logging in. Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
*** Bug 1514507 has been marked as a duplicate of this bug. ***
*** Bug 1514513 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393
Just got this issue restoring from suspend on a laptop. No other activity was being performed. Not sure if restoring slept processes is treated the same way as launching them new. If not, the issue may not be related to actually running a new process as some of the posts above seem to suggest.

SELinux is preventing bwrap from 'nnp_transition, nosuid_transition' accesses on the process2 Unknown.
Addition to prior comment - this behavior is repeatable. Restoring from suspend consistently seems to trigger this alert. Running FC27 on a Dell XPS 13.
I think the update in the testing repo has fixed it for me.
Description of problem: downloaded file/gif and opened in gthumb Version-Release number of selected component: selinux-policy-3.13.1-283.14.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.12-300.fc27.x86_64 type: libreport
Description of problem:
SELinux is preventing bwrap from nnp_transition, nosuid_transition access on the process2 Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bwrap should be allowed nnp_transition nosuid_transition access on the Unknown process2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bwrap' --raw | audit2allow -M my-bwrap
# semodule -X 300 -i my-bwrap.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                Unknown [ process2 ]
Source                        bwrap
Source Path                   bwrap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.14.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.12-300.fc27.x86_64 #1 SMP Wed Nov 8 16:38:01 UTC 2017 x86_64 x86_64
Alert Count                   106
First Seen                    2017-11-20 10:28:54 +07
Last Seen                     2017-11-20 14:55:59 +07
Local ID                      de9c4efa-bfe9-499b-b8c9-fea74c7100ad

Raw Audit Messages
type=AVC msg=audit(1511164559.924:663): avc: denied { nnp_transition nosuid_transition } for pid=16725 comm="bwrap" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=process2 permissive=0

Hash: bwrap,unconfined_t,thumb_t,process2,nnp_transition,nosuid_transition

NAME=Fedora
VERSION="27 (Workstation Edition)"
ID=fedora
VERSION_ID=27
PRETTY_NAME="Fedora 27 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:27"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=27
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=27
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.13.12-300.fc27.x86_64
type: libreport
Please update selinux-policy to fix this issue.
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1562721 has been marked as a duplicate of this bug. ***
Description of problem: Not sure, downloading some videos, that's all. Additional info: reporter: libreport-2.9.2 hashmarkername: setroubleshoot kernel: 4.16.9-200.fc27.x86_64 type: libreport