Description of problem:
Install system updates @ 8:40pm on 5/26/18.
SELinux is preventing load_policy from 'append' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that load_policy should be allowed append access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'load_policy' --raw | audit2allow -M my-loadpolicy
# semodule -X 300 -i my-loadpolicy.pp

Additional Information:
Source Context                system_u:system_r:load_policy_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        load_policy
Source Path                   load_policy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-25.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.10-300.fc28.x86_64 #1 SMP Mon May 21 14:41:48 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-05-26 20:38:52 CDT
Last Seen                     2018-05-26 20:38:52 CDT
Local ID                      e842437c-febc-4399-acf4-0e4956cdb65d

Raw Audit Messages
type=AVC msg=audit(1527385132.736:568): avc: denied { append } for pid=4613 comm="load_policy" path="socket:[186800]" dev="sockfs" ino=186800 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

Hash: load_policy,load_policy_t,init_t,unix_stream_socket,append

Version-Release number of selected component:
selinux-policy-3.14.1-25.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.10-300.fc28.x86_64
type:           libreport
Hi,

Are you able to reproduce it?
Description of problem:
Ran update.

Version-Release number of selected component:
selinux-policy-3.14.1-29.fc28.noarch
selinux-policy-3.14.1-30.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.11-300.fc28.x86_64
type:           libreport
(In reply to Lukas Vrabec from comment #1)
> Hi,
>
> Are you able to reproduce it?

Seems to happen during updates. That's the only time I get the sealert messages.
Description of problem:
Restarted Fedora

Version-Release number of selected component:
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport
Description of problem:
KDE notified me there were updates available. Seems this error always occurs when updates are available.

Version-Release number of selected component:
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport
Description of problem:
This occurred after applying updates and restarting Fedora

Version-Release number of selected component:
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.15-300.fc28.x86_64
type:           libreport
Relabeling the file system seems to have resolved this issue for me.
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.