Description of problem:
SELinux is preventing aide from checking hundreds of files.

Version-Release number of selected component (if applicable):
1. selinux-policy-targeted-3.14.1-32.fc28.noarch
2. aide-0.16-5

How reproducible:

Steps to Reproduce:
1. Initialise aide's database (i.e. /usr/sbin/aide -c /etc/aide.conf --init && /bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz)
2. Let aide check the files against its database (aide -c /etc/aide.conf -C)

Actual results:
A huge amount of errors like

type=AVC msg=audit(1529979348.821:429316): avc: denied { map } for pid=27182 comm="aide" path="/usr/share/hwdata/oui.txt" dev="vda6" ino=107679 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1529979652.040:430252): avc: denied { map } for pid=27182 comm="aide" path="/usr/share/man/man0p/stdarg.h.0p.gz" dev="vda6" ino=90246 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1529979193.086:428622): avc: denied { map } for pid=27182 comm="aide" path="/usr/sbin/rtkitctl" dev="vda6" ino=262735 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
...
({ map } for files everywhere like /etc/, /usr/ and so on)

type=AVC msg=audit(1529978790.337:422685): avc: denied { getattr } for pid=27182 comm="aide" path="/dev/vda" dev="devtmpfs" ino=12834 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1529978790.337:422686): avc: denied { getattr } for pid=27182 comm="aide" path="/dev/uhid" dev="devtmpfs" ino=12017 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
...
({ getattr } for files in /dev/ only)

Expected results:
SELinux should not prevent aide from checking the files

Additional info:
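The denials quoted above fall into two distinct groups (the { map } ones on regular files, and the { getattr } ones on block and character devices under /dev/), and the usual first step in triaging a report like this is to collapse the hundreds of AVC records into the handful of type-enforcement rules they imply. The following is an added example, not code from the bug report or from the selinux-policy project: it parses AVC records in the format shown above (the sample log is a constructed subset of the report's own lines), groups them by source type, target type and object class, and emits the equivalent allow rules the way audit2allow would. The AVC_RE pattern and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: five AVC records copied from the bug report above.
# The "..." lines are the report's own elisions and are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1529979348.821:429316): avc: denied { map } for pid=27182 comm="aide" path="/usr/share/hwdata/oui.txt" dev="vda6" ino=107679 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1529979652.040:430252): avc: denied { map } for pid=27182 comm="aide" path="/usr/share/man/man0p/stdarg.h.0p.gz" dev="vda6" ino=90246 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1529979193.086:428622): avc: denied { map } for pid=27182 comm="aide" path="/usr/sbin/rtkitctl" dev="vda6" ino=262735 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529978790.337:422685): avc: denied { getattr } for pid=27182 comm="aide" path="/dev/vda" dev="devtmpfs" ino=12834 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1529978790.337:422686): avc: denied { getattr } for pid=27182 comm="aide" path="/dev/uhid" dev="devtmpfs" ino=12017 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
"""

# Matches one AVC denial record. \s+ tolerates both the single spaces shown in
# the report and the double spaces the kernel actually emits around "denied".
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'(?:path="(?P<path>[^"]*)".*?)?'
    r'scontext=(?P<scontext>\S+).*?'
    r'tcontext=(?P<tcontext>\S+).*?'
    r'tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Parse AVC denial records into dicts; non-matching lines are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m.group("comm"),
            "path": m.group("path"),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": m.group("perms").split(),
        })
    return denials


def denials_by_class(denials):
    """Count denials per object class, e.g. to separate /dev device nodes from files."""
    counts = defaultdict(int)
    for d in denials:
        counts[d["tclass"]] += 1
    return dict(counts)


def allow_rules(denials):
    """Collapse denials into the minimal set of TE allow rules that would permit them."""
    wanted = defaultdict(set)
    for d in denials:
        wanted[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in wanted.items():
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return sorted(rules)


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AUDIT_LOG)
    print(denials_by_class(parsed))
    for rule in allow_rules(parsed):
        print(rule)
```

On a live system the same summary comes from `ausearch -m avc -c aide | audit2allow`, and `audit2allow -M aide_local` turns it into a loadable module. The output of either is only a diagnosis: a rule such as `allow aide_t fixed_disk_device_t:blk_file getattr;` is the kind of thing the distribution policy should grant through a proper interface, as the reporter suggests in a later comment, rather than being loaded blindly as a local module, since the same mechanism would just as happily whitelist a genuinely unwanted access.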
selinux-policy-3.14.1-37.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2fc5a1fab
selinux-policy-3.14.1-37.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2fc5a1fab
With "selinux-policy-3.14.1-37.fc28" the problem is partly solved. All errors regarding "{ map }" are gone, but checking files in /dev/ still causes errors like

type=AVC msg=audit(1533090165.658:1531523): avc: denied { getattr } for pid=2521 comm="aide" path="/dev/tty4" dev="devtmpfs" ino=10404 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

AFAIK there's an interface call which could be used to allow aide_t to use { getattr } for files being located in /dev/. Is there any reason why this had not been done with "selinux-policy-3.14.1-37.fc28"? Am I missing something?
selinux-policy-3.14.1-37.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
The problem still exists as mentioned in comment 3.
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.