Description of problem:
Still happening with F29 (upgraded from F28). Example from boot log:

# sealert -l e486d3b9-de8f-4b42-af4e-01396d1bfd37
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated. Instead, use this sequence:
    from dbus.mainloop.glib import DBusGMainLoop
    DBusGMainLoop(set_as_default=True)
  import dbus.glib
SELinux is preventing colord from map access on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.

*****  Plugin restorecon (92.2 confidence) suggests   ************************

If you want to fix the label.
/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc default label should be icc_data_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that colord should be allowed map access on the edid-4daa39eed4132dd27967977091f97abe.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:object_r:ecryptfs_t:s0
Target Objects                /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc [ file ]
Source                        colord
Source Path                   colord
Port                          <Unknown>
Host                          horus
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     horus
Platform                      Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-11-03 20:06:19 PDT
Last Seen                     2018-11-03 20:06:19 PDT
Local ID                      e486d3b9-de8f-4b42-af4e-01396d1bfd37

Raw Audit Messages
type=AVC msg=audit(1541300779.784:327): avc: denied { map } for pid=1770 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0

Hash: colord,colord_t,ecryptfs_t,file,map

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Potential duplicate: bug 1592640
lvrabec@lvrabec-workstation fedora/repo (rawhide) » git show
commit bb32a71dcac5c8f6e022151cc3e32b3b994fa136 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Nov 4 13:27:51 2018 +0100

    Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files
    BZ(1630675)
selinux-policy-3.14.2-42.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3
selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3
selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
This is still happening with the newest release:

$ rpm -q selinux-policy
selinux-policy-3.14.2-42.fc29.noarch

SELinux is preventing colord from map access on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:object_r:ecryptfs_t:s0
Target Objects                /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc [ file ]
Source                        colord
Source Path                   colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux horus 4.18.17-300.fc29.x86_64 #1 SMP Mon Nov 5 17:56:16 UTC 2018 x86_64 x86_64
Alert Count                   18
First Seen                    2018-11-05 15:02:12 PST
Last Seen                     2018-11-12 02:31:49 PST
Local ID                      4193ec6f-e33c-4b64-997a-9ee830f0d3ea

Raw Audit Messages
type=AVC msg=audit(1542018709.99:277): avc: denied { map } for pid=4437 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0

Hash: colord,colord_t,ecryptfs_t,file,map
commit 1a72c6213b0745f7bead41b151c17ce50986004c (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 17 19:26:21 2018 +0100

    Allow colord_t domain to manage ecryptfs_t objects if use_ecryptfs_home_dirs boolean is turned on

    Resolves: rhbz#1645822
FWIW, this is still present with selinux-policy-3.14.2-44.fc29. But as this bug is in POST, I assume this will be fixed with a later release of selinux-policy.
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
This is still a problem or there was a regression.

$ rpm -q selinux-policy
selinux-policy-3.14.2-49.fc29.noarch

$ sealert -l e60a3926-bf71-4ebf-a6cb-71c27cc30fca
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated. Instead, use this sequence:
    from dbus.mainloop.glib import DBusGMainLoop
    DBusGMainLoop(set_as_default=True)
  import dbus.glib
SELinux is preventing colord from map access on the file /home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that colord should be allowed map access on the edid-a20fe83342bbb99ba4c4f2bad413b022.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                unconfined_u:object_r:container_file_t:s0
Target Objects                /home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc [ file ]
Source                        colord
Source Path                   colord
Port                          <Unknown>
Host                          niv110
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-49.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     niv110
Platform                      Linux niv110 4.20.14-200.fc29.x86_64 #1 SMP Tue Mar 5 19:55:32 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-03-11 12:16:52 CET
Last Seen                     2019-03-12 09:28:03 CET
Local ID                      e60a3926-bf71-4ebf-a6cb-71c27cc30fca

Raw Audit Messages
type=AVC msg=audit(1552379283.823:272): avc: denied { map } for pid=1532 comm="colord" path="/home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc" dev="dm-3" ino=8388705 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0

Hash: colord,colord_t,container_file_t,file,map
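An added example, not code from this bug report or from the selinux-policy project: a small parser for the raw AVC messages quoted in this thread that rebuilds the comm,source type,target type,class,permission signature sealert prints as Hash, counts denials per signature, and returns the first check for each target type seen here (ecryptfs_t, or a label other than icc_data_home_t). The sample lines are the page's own AVC records; the triage strings are assumptions drawn from the sealert plugin text and the fix commit quoted above.

```python
import re
from collections import Counter
# Constructed sample: two of the raw AVC messages quoted in this bug report.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1541300779.784:327): avc: denied { map } for pid=1770 comm="colord" '
    'path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" '
    'ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1552379283.823:272): avc: denied { map } for pid=1532 comm="colord" '
    'path="/home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc" dev="dm-3" '
    'ino=8388705 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+(?P<result>denied|granted)\s+'
                    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; the value may be double-quoted

def parse_avc(line):
    """Parse one raw AVC record into a dict; return None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # Type component of user:role:type:level, the domain and target sealert names in its summary.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # The signature sealert prints as "Hash:": comm,source type,target type,class,permissions
    rec['hash'] = ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], *rec['perms']])
    return rec

def triage(rec):
    """First check for a colord map denial, keyed on the target types seen in this bug (assumed hints)."""
    if rec['ttype'] == 'ecryptfs_t':
        # The fix commit ties colord_t access to ecryptfs_t to the use_ecryptfs_home_dirs boolean.
        return 'ecryptfs home: check getsebool use_ecryptfs_home_dirs and the installed policy version'
    if rec['ttype'] != 'icc_data_home_t':
        # sealert's restorecon plugin: files under ~/.local/share/icc should carry icc_data_home_t.
        return 'unexpected label (expected icc_data_home_t): restorecon -v the file and its parent'
    return 'correct label but still denied: report as a policy bug'

def summarize(lines):
    """Count denials per signature, the Alert Count sealert shows for one Local ID."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            counts[rec['hash']] += 1
    return dict(counts)
```

Feed it `ausearch -m AVC --raw` output line by line to get the same per-signature grouping sealert uses, without waiting for setroubleshoot to file an alert.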