Description of problem: When running from cron/anacron, all aide checks fail with avc violations: type=AVC msg=audit(1515754088.650:51467): avc: denied { map } for pid=10774 comm="aide" path="/usr/share/doc/kbd/ANSI-dvorak.gif" dev="xvda1" ino=402604 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 This occurs for every file checked. Version-Release number of selected component (if applicable): aide-0.16-4.fc27.x86_64 selinux-policy-3.13.1-283.21.fc27.noarch How reproducible: Whenever aide is run confined. Unconfined runs and runs with setenforce 0 succeeed. Steps to Reproduce: 1. Set up aide to scan the filesystem for changes. 2. Schedule aide to run in anacron Actual results: The run returns access denied for all files, and the above AVC message for each file checked. Expected results: A summary of changed files. Additional info: This appears releated to the upstream selinux change https://github.com/SELinuxProject/selinux-kernel/commit/6941857e82ae3da11373c9d80d75cdc10a5caafc which broke out the "map" privilege from the "read" privilege. Since aide mmaps the files it checks, it needs "map all files" in addition to "read all files".
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
I'm still seeing a lot of AVC denials for aide. This is just a short copy/paste taken from the audit log file: ================== type=AVC msg=audit(1517573596.990:90842): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/grub2-set-default" dev="sda5" ino=3408710 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.990:90843): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/rtcwake" dev="sda5" ino=3414137 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.990:90844): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/selinuxenabled" dev="sda5" ino=3420379 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.990:90845): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/btrfs-map-logical" dev="sda5" ino=3409700 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.990:90846): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/smartctl" dev="sda5" ino=3460902 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.990:90847): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/chcpu" dev="sda5" ino=3431555 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.993:90848): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/at/.SEQ" dev="sda5" ino=5638750 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.993:90849): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/root" dev="sda5" ino=5767495 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.993:90850): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/exim" dev="sda5" ino=5767452 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0 type=AVC msg=audit(1517573596.993:90851): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/john" dev="sda5" ino=5768173 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0 ================== rpm -q selinux-policy selinux-policy-3.13.1-283.24.fc27.noarch rpm -q selinux-policy-targeted selinux-policy-targeted-3.13.1-283.24.fc27.noarch
I'm still seeing the aide "map" avcs too.
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
A little bit confused why this has been marked as CLOSED when it still has problems. I included a comment on bodhi as well, but notice that the -1 karma I set has been omitted. As per comments #2 and #5, problems still persist and I have made a note of them in this bug report. Can it be reopened?
Yes, it's still an issue. Reopening.
The bugfix added files_mmap_usr_files(aide_t) to aide's rights, but that only allows mmaping files labeled usr_t. Anything else will still fail.
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.