Description of problem:
This just happens during regular use of my F29 system (which is enrolled as a FreeIPA client, in case it's relevant). There is actually a string of denials:

----
time->Mon Sep 10 15:07:43 2018
type=AVC msg=audit(1536617263.999:2534): avc: denied { getattr } for pid=24141 comm="geoclue" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2535): avc: denied { map } for pid=24141 comm="geoclue" path=2F746D702F666669724373663455202864656C6574656429 dev="tmpfs" ino=339358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2536): avc: denied { map } for pid=24141 comm="geoclue" path=2F7661722F746D702F666669446561426C45202864656C6574656429 dev="dm-2" ino=12363 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2537): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2538): avc: denied { map } for pid=24141 comm="geoclue" path=2F7661722F6C69622F67656F636C75652F666669344A486C5536202864656C6574656429 dev="dm-2" ino=12363 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2539): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2540): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2541): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2542): avc: denied { map } for pid=24141 comm="geoclue" path=2F746D702F666669704E76506251202864656C6574656429 dev="tmpfs" ino=339359 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2543): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2544): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2545): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2546): avc: denied { map } for pid=24141 comm="geoclue" path=2F72756E2F73797374656D642F756E69742D726F6F742F746D702F6666696C4A756E747A202864656C6574656429 dev="tmpfs" ino=339360 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2547): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2548): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2549): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2550): avc: denied { map } for pid=24141 comm="geoclue" path=2F746D702F666669584C6E5A4B69202864656C6574656429 dev="tmpfs" ino=339361 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2551): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2552): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2553): avc: denied { write } for pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2554): avc: denied { map } for pid=24141 comm="geoclue" path=2F72756E2F73797374656D642F756E69742D726F6F742F746D702F666669693679453231202864656C6574656429 dev="tmpfs" ino=339362 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2555): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/README" dev="dm-2" ino=793032 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2557): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/ipa-happyassassin.crt" dev="dm-2" ino=786635 scontext=system_u:system_r:geoclue_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2558): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem" dev="dm-2" ino=787655 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2559): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/newca.crt" dev="dm-2" ino=793277 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2560): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/oracle_ebs.crt" dev="dm-2" ino=794181 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2561): avc: denied { map } for pid=24141 comm="geoclue" path="/usr/share/pki/ca-trust-source/README" dev="dm-2" ino=789723 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2562): avc: denied { map } for pid=24141 comm="geoclue" path="/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit" dev="dm-2" ino=786721 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2563): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/ipa-happyassassin.crt" dev="dm-2" ino=786635 scontext=system_u:system_r:geoclue_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2564): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem" dev="dm-2" ino=787655 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2565): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/newca.crt" dev="dm-2" ino=793277 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2566): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/oracle_ebs.crt" dev="dm-2" ino=794181 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

and a couple of geoclue errors logged in the journal:

Sep 10 15:07:44 adam.happyassassin.net geoclue[24141]: ffi_closure_alloc failed
Sep 10 15:07:44 adam.happyassassin.net geoclue[24141]: p11-kit: shouldn't be reached at init_wrapper_funcs
Sep 10 15:07:44 adam.happyassassin.net geoclue[24141]: Failed to query location: Unacceptable TLS certificate

SELinux is preventing geoclue from 'getattr' accesses on the filesystem /.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that geoclue should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'geoclue' --raw | audit2allow -M my-geoclue
# semodule -X 300 -i my-geoclue.pp

Additional Information:
Source Context                system_u:system_r:geoclue_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        geoclue
Source Path                   geoclue
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           filesystem-3.9-2.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-32.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.5-300.fc29.x86_64 #1 SMP Fri Aug 24 17:16:35 UTC 2018 x86_64 x86_64
Alert Count                   7
First Seen                    2018-09-01 09:04:45 PDT
Last Seen                     2018-09-10 15:07:43 PDT
Local ID                      68c4adf0-165e-4bcb-bbfb-cecb2aaf20a0

Raw Audit Messages
type=AVC msg=audit(1536617263.999:2534): avc: denied { getattr } for pid=24141 comm="geoclue" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

Hash: geoclue,geoclue_t,fs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-3.14.2-32.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.5-300.fc29.x86_64
type:           libreport
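Added example, not part of the original report or of any Fedora tooling: a small triage script for a denial list like the one above. It groups AVC records by source type, target type, class and permission, and decodes the hex-encoded path= values, which the audit subsystem writes that way when the string contains a space (here the " (deleted)" suffix). The function names are this example's own.

```python
import re
from collections import Counter

# Three records copied verbatim from the report above.
SAMPLE = '''\
type=AVC msg=audit(1536617263.999:2534): avc: denied { getattr } for pid=24141 comm="geoclue" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1536617264.000:2535): avc: denied { map } for pid=24141 comm="geoclue" path=2F746D702F666669724373663455202864656C6574656429 dev="tmpfs" ino=339358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1536617264.002:2555): avc: denied { map } for pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/README" dev="dm-2" ino=793032 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Only string-valued fields may be hex-encoded; ino= and pid= are numbers
# that can look like hex and must be left alone.
ENCODED_FIELDS = {'path', 'name', 'comm', 'exe'}


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group(1).split()}
    for key, val in FIELD_RE.findall(m.group(2)):
        if val.startswith('"'):
            val = val[1:-1]                      # quoted: literal value
        elif key in ENCODED_FIELDS and HEX_RE.fullmatch(val):
            val = bytes.fromhex(val).decode('utf-8', 'replace')
        rec[key] = val
    # An SELinux context is user:role:type:level; policy rules key on the type.
    rec['stype'] = rec.get('scontext', ':::').split(':')[2]
    rec['ttype'] = rec.get('tcontext', ':::').split(':')[2]
    return rec


def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec.get('tclass'), perm)] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
    print(parse_avc(SAMPLE.splitlines()[1])['path'])
```

On a live system, ausearch -i performs the same decoding of encoded fields.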
selinux-policy-3.14.2-35.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543
selinux-policy-3.14.2-35.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543
selinux-policy-3.14.2-35.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.