Bug 1553164 - SELinux is preventing sosreport from 'associate' accesses on the filesystem overcommit_memory.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:64bf399fb58d7c82a2d0f53c93f...
Duplicates: 1553165 1553166 1553167 1553168 1553169 1553170 1553171 1553172 1553173 1553174 1553175 1553176
Reported: 2018-03-08 12:54 UTC by Brian J. Murrell
Modified: 2018-07-06 15:43 UTC

Fixed In Version: selinux-policy-3.13.1-283.35.fc27
Last Closed: 2018-07-06 15:43:56 UTC


Description Brian J. Murrell 2018-03-08 12:54:54 UTC
Description of problem:
SELinux is preventing sosreport from 'associate' accesses on the filesystem overcommit_memory.

*****  Plugin associate (99.5 confidence) suggests   *************************

If you want to change the label of overcommit_memory to sysctl_vm_overcommit_t, you are not allowed to since it is not a valid file type.
Then you must pick a valid file label.
Do
select a valid file type.  List valid file labels by executing: 
# seinfo -afile_type -x

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that sosreport should be allowed associate access on the overcommit_memory filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sosreport' --raw | audit2allow -M my-sosreport
# semodule -X 300 -i my-sosreport.pp

Additional Information:
Source Context                system_u:object_r:sysctl_vm_overcommit_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                overcommit_memory [ filesystem ]
Source                        sosreport
Source Path                   sosreport
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.11-300.fc26.x86_64 #1 SMP Mon
                              Jul 17 16:32:11 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-09-06 10:46:53 EDT
Last Seen                     2017-09-06 10:46:53 EDT
Local ID                      203a2f51-ab14-41c3-9b5e-d59b1d0e704f

Raw Audit Messages
type=AVC msg=audit(1504709213.254:29897): avc:  denied  { associate } for  pid=25810 comm="sosreport" name="overcommit_memory" dev="dm-12" ino=148990 scontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: sosreport,sysctl_vm_overcommit_t,fs_t,filesystem,associate


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1297969
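
Added example, not part of the bug report or of setroubleshoot: the following Python parses the raw audit message quoted above, reports what its source context names, and rebuilds the "Hash:" line. It assumes, in line with the associate plugin text, that for `associate` on class `filesystem` the scontext is the label being given to the file and the tcontext is the label of the filesystem; the function names and output keys are hypothetical.

```python
import re

# Raw audit record quoted in the report above.
AVC = ('type=AVC msg=audit(1504709213.254:29897): avc:  denied  { associate } for  '
       'pid=25810 comm="sosreport" name="overcommit_memory" dev="dm-12" ino=148990 '
       'scontext=system_u:object_r:sysctl_vm_overcommit_t:s0 '
       'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into result, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields.update(result=m.group(1), perms=m.group(2).split())
    return fields


def triage(line):
    """Summarise a denial and say what the source context refers to."""
    f = parse_avc(line)
    # A context is user:role:type[:level]; index 1 is the role, 2 the type.
    src, tgt = f["scontext"].split(":"), f["tcontext"].split(":")
    if f["tclass"] == "filesystem" and "associate" in f["perms"]:
        # Assumption stated in the lead-in: scontext is the label being given
        # to the file in name=, tcontext labels the filesystem on dev=.
        source_is = "file label"
    elif src[1] == "object_r":
        source_is = "object label"
    else:
        source_is = "process domain"
    return {
        "source_is": source_is,
        "label": src[2],
        "object": f.get("name"),
        "fs_label": tgt[2],
        "enforced": f.get("permissive") == "0",
        # Same field order as the "Hash:" line in the report.
        "hash": ",".join([f["comm"], src[2], tgt[2], f["tclass"], *f["perms"]]),
    }


if __name__ == "__main__":
    for key, value in triage(AVC).items():
        print(f"{key:10} {value}")
```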

Comment 1 Lukas Vrabec 2018-03-12 15:50:05 UTC
*** Bug 1553165 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2018-03-12 15:50:12 UTC
*** Bug 1553166 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2018-03-12 15:50:16 UTC
*** Bug 1553167 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2018-03-12 15:50:23 UTC
*** Bug 1553168 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2018-03-12 15:50:31 UTC
*** Bug 1553169 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2018-03-12 15:50:41 UTC
*** Bug 1553170 has been marked as a duplicate of this bug. ***

Comment 7 Lukas Vrabec 2018-03-12 15:50:46 UTC
*** Bug 1553171 has been marked as a duplicate of this bug. ***

Comment 8 Lukas Vrabec 2018-03-12 15:50:58 UTC
*** Bug 1553172 has been marked as a duplicate of this bug. ***

Comment 9 Lukas Vrabec 2018-03-12 15:51:04 UTC
*** Bug 1553173 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2018-03-12 15:51:10 UTC
*** Bug 1553174 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2018-03-12 15:51:14 UTC
*** Bug 1553175 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Vrabec 2018-03-12 15:51:21 UTC
*** Bug 1553176 has been marked as a duplicate of this bug. ***

Comment 13 Lukas Vrabec 2018-03-12 16:05:32 UTC
Hi,
 
Do you have any idea why sosreport has the sysctl_vm_overcommit_t domain? This is not a label for a process.

Lukas.

Comment 14 Brian J. Murrell 2018-03-12 16:08:37 UTC
@Lukas: I have no idea.  I just found this slew of reports in the SELinux Alert Browser.

Comment 15 Brian J. Murrell 2018-05-10 10:52:32 UTC
Description of problem:
Not sure why this happened.


Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.5-200.fc27.x86_64
type:           libreport

Comment 16 Fedora Update System 2018-05-28 07:41:58 UTC
selinux-policy-3.13.1-283.35.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

Comment 17 Fedora Update System 2018-05-28 14:24:46 UTC
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

Comment 18 Fedora Update System 2018-07-06 15:43:56 UTC
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

