Description of problem:

* Installed dictd-server.rpm
* Placed dictionary files in /var/lib/dictd/ (after creating it)
  - (Dictionary files were automatically labeled dictd_var_lib_t)
* Attempt to start dictd with `sudo systemctl start dictd.service`

This produced the selinux denial shown, and dictd failed to start. Running `sudo dictd` from the command line did successfully start the server.

The following policy (generated with `audit2allow` as dictd_map.te, then compiled with checkpolicy and loaded using `sudo semodule -i dictd_map.pp`) eliminated the alert and allowed `sudo systemctl start dictd.service` to successfully launch an operational dict protocol server.

module dictd_map 1.0;

require {
	type dictd_t;
	type dictd_var_lib_t;
	class file map;
}

#============= dictd_t ==============
# src="dictd_t" tgt="dictd_var_lib_t" class="file", perms="map"
# comm="dictd" exe="" path=""
allow dictd_t dictd_var_lib_t:file map;

SELinux is preventing dictd from 'map' accesses on the file /var/lib/dictd/gcide.index.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dictd should be allowed map access on the gcide.index file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dictd' --raw | audit2allow -M my-dictd
# semodule -X 300 -i my-dictd.pp

Additional Information:
Source Context                system_u:system_r:dictd_t:s0
Target Context                unconfined_u:object_r:dictd_var_lib_t:s0
Target Objects                /var/lib/dictd/gcide.index [ file ]
Source                        dictd
Source Path                   dictd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-42.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.9-200.fc28.x86_64 #1 SMP Thu
                              Sep 20 02:43:23 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-10-01 04:05:28 EDT
Last Seen                     2018-10-01 04:06:55 EDT
Local ID                      248ae5cf-459b-4eaf-8c3c-56babe5af4f4

Raw Audit Messages
type=AVC msg=audit(1538381215.688:1713): avc: denied { map } for pid=23508 comm="dictd" path="/var/lib/dictd/gcide.index" dev="dm-0" ino=794726 scontext=system_u:system_r:dictd_t:s0 tcontext=unconfined_u:object_r:dictd_var_lib_t:s0 tclass=file permissive=0

Hash: dictd,dictd_t,dictd_var_lib_t,file,map

Version-Release number of selected component:
selinux-policy-3.14.1-42.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.9-200.fc28.x86_64
type:           libreport
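
How the one-line allow rule in the report follows from the raw audit record, as an added example (not code from the reporter, audit2allow, or the selinux-policy project): a simplified Python stand-in for the extraction step that maps an AVC denial to a type-enforcement rule and merges permissions per source type, target type and class. The function names are this example's own; the sample record is the one quoted in the report.

```python
import re
from collections import defaultdict

# Raw audit record from the report above (whitespace normalised).
REPORTED_AVC = (
    'type=AVC msg=audit(1538381215.688:1713): avc: denied { map } for '
    'pid=23508 comm="dictd" path="/var/lib/dictd/gcide.index" dev="dm-0" '
    'ino=794726 scontext=system_u:system_r:dictd_t:s0 '
    'tcontext=unconfined_u:object_r:dictd_var_lib_t:s0 tclass=file permissive=0'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; type enforcement uses field 3.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        return source, target, fields['tclass'], set(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def braced(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_module(name, lines):
    """Merge denials per (source, target, class) and emit .te module text."""
    rules, classes, types = defaultdict(set), defaultdict(set), set()
    for parsed in filter(None, map(parse_avc, lines)):
        source, target, tclass, perms = parsed
        rules[(source, target, tclass)] |= perms
        classes[tclass] |= perms
        types |= {source, target}
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {braced(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {braced(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module('dictd_map', [REPORTED_AVC]))
```

Reading the generated rule before loading it shows exactly which domain gains which permission on which type; here the grant is limited to `map` on `dictd_var_lib_t` files.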
commit ff6d7f41cdba4524422558bf381447c1f8181014 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Oct 3 12:21:22 2018 +0200

    Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
selinux-policy-3.14.1-44.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5e18426088
selinux-policy-3.14.1-44.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5e18426088
selinux-policy-3.14.1-44.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.