Description of problem: SELinux is preventing sosreport from 'associate' accesses on the filesystem overcommit_memory. ***** Plugin associate (99.5 confidence) suggests ************************* If you want to change the label of overcommit_memory to sysctl_vm_overcommit_t, you are not allowed to since it is not a valid file type. Then you must pick a valid file label. Do select a valid file type. List valid file labels by executing: # seinfo -afile_type -x ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that sosreport should be allowed associate access on the overcommit_memory filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sosreport' --raw | audit2allow -M my-sosreport # semodule -X 300 -i my-sosreport.pp Additional Information: Source Context system_u:object_r:sysctl_vm_overcommit_t:s0 Target Context system_u:object_r:fs_t:s0 Target Objects overcommit_memory [ filesystem ] Source sosreport Source Path sosreport Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-09-06 10:46:53 EDT Last Seen 2017-09-06 10:46:53 EDT Local ID 203a2f51-ab14-41c3-9b5e-d59b1d0e704f Raw Audit Messages type=AVC msg=audit(1504709213.254:29897): avc: denied { associate } for pid=25810 comm="sosreport" name="overcommit_memory" dev="dm-12" ino=148990 scontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 Hash: sosreport,sysctl_vm_overcommit_t,fs_t,filesystem,associate Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.6-300.fc27.x86_64 type: libreport Potential duplicate: bug 1297969
*** Bug 1553165 has been marked as a duplicate of this bug. ***
*** Bug 1553166 has been marked as a duplicate of this bug. ***
*** Bug 1553167 has been marked as a duplicate of this bug. ***
*** Bug 1553168 has been marked as a duplicate of this bug. ***
*** Bug 1553169 has been marked as a duplicate of this bug. ***
*** Bug 1553170 has been marked as a duplicate of this bug. ***
*** Bug 1553171 has been marked as a duplicate of this bug. ***
*** Bug 1553172 has been marked as a duplicate of this bug. ***
*** Bug 1553173 has been marked as a duplicate of this bug. ***
*** Bug 1553174 has been marked as a duplicate of this bug. ***
*** Bug 1553175 has been marked as a duplicate of this bug. ***
*** Bug 1553176 has been marked as a duplicate of this bug. ***
Hi, Do you have any idea why sosreport has sysctl_vm_overcommit_t domain? This is not a label for process. Lukas.
@Lukas: I have no idea. I just found this slew of reports in the SELinux Alert Browser.
Description of problem: Not sure why this happened. Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.5-200.fc27.x86_64 type: libreport
selinux-policy-3.13.1-283.35.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.