Bug 1645822 - SELinux is preventing colord from 'map' accesses on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.
Summary: SELinux is preventing colord from 'map' accesses on the file /home/christian/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b345ecd0606ea9d3c939fbc4448...
Depends On:
Blocks:
 
Reported: 2018-11-04 03:22 UTC by Christian Kujau
Modified: 2019-03-12 09:11 UTC (History)

Fixed In Version: selinux-policy-3.14.2-46.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-17 02:16:15 UTC
Type: ---
Embargoed:



Description Christian Kujau 2018-11-04 03:22:00 UTC
Description of problem:
Still happening with F29 (upgraded from F28). Example from boot log:


# sealert -l e486d3b9-de8f-4b42-af4e-01396d1bfd37
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

    from dbus.mainloop.glib import DBusGMainLoop

    DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux is preventing colord from map access on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.

*****  Plugin restorecon (92.2 confidence) suggests   ************************

If you want to fix the label. 
/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc default label should be icc_data_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that colord should be allowed map access on the edid-4daa39eed4132dd27967977091f97abe.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp


Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:object_r:ecryptfs_t:s0
Target Objects                /home/christian/.local/share/icc/edid-4daa39eed413
                              2dd27967977091f97abe.icc [ file ]
Source                        colord
Source Path                   colord
Port                          <Unknown>
Host                          horus
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     horus
Platform                      Linux horus 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct
                              20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-11-03 20:06:19 PDT
Last Seen                     2018-11-03 20:06:19 PDT
Local ID                      e486d3b9-de8f-4b42-af4e-01396d1bfd37

Raw Audit Messages
type=AVC msg=audit(1541300779.784:327): avc:  denied  { map } for  pid=1770 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0


Hash: colord,colord_t,ecryptfs_t,file,map

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Potential duplicate: bug 1592640

Comment 1 Lukas Vrabec 2018-11-04 12:30:06 UTC
lvrabec@lvrabec-workstation fedora/repo (rawhide) » git show
commit bb32a71dcac5c8f6e022151cc3e32b3b994fa136 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Nov 4 13:27:51 2018 +0100

    Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)

Comment 2 Fedora Update System 2018-11-05 08:19:30 UTC
selinux-policy-3.14.2-42.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3

Comment 3 Fedora Update System 2018-11-06 22:00:09 UTC
selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3129f981d3

Comment 4 Fedora Update System 2018-11-09 06:02:09 UTC
selinux-policy-3.14.2-42.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Christian Kujau 2018-11-12 10:43:22 UTC
This is still happening with the newest release:

$ rpm -q selinux-policy
selinux-policy-3.14.2-42.fc29.noarch


SELinux is preventing colord from map access on the file /home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc.

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:object_r:ecryptfs_t:s0
Target Objects                /home/christian/.local/share/icc/edid-4daa39eed413
                              2dd27967977091f97abe.icc [ file ]
Source                        colord
Source Path                   colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux horus 4.18.17-300.fc29.x86_64 #1 SMP Mon Nov
                              5 17:56:16 UTC 2018 x86_64 x86_64
Alert Count                   18
First Seen                    2018-11-05 15:02:12 PST
Last Seen                     2018-11-12 02:31:49 PST
Local ID                      4193ec6f-e33c-4b64-997a-9ee830f0d3ea

Raw Audit Messages
type=AVC msg=audit(1542018709.99:277): avc:  denied  { map } for  pid=4437 comm="colord" path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0

Hash: colord,colord_t,ecryptfs_t,file,map

Comment 6 Lukas Vrabec 2018-12-17 18:27:14 UTC
commit 1a72c6213b0745f7bead41b151c17ce50986004c (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 17 19:26:21 2018 +0100

    Allow colord_t domain to manage ecryptfs_t objects if use_ecryptfs_home_dirs boolean is turned on
    Resolves: rhbz#1645822

Comment 7 Christian Kujau 2019-01-01 21:12:33 UTC
FWIW, this is still present with selinux-policy-3.14.2-44.fc29. But as this bug is in POST, I assume this will be fixed with a later release of selinux-policy.

Comment 8 Fedora Update System 2019-01-13 15:44:29 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 9 Fedora Update System 2019-01-14 03:02:48 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 10 Fedora Update System 2019-01-17 02:16:15 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 David Delbecq 2019-03-12 09:11:21 UTC
This is still a problem or there was a regression.

$ rpm -q selinux-policy
selinux-policy-3.14.2-49.fc29.noarch
$ sealert -l e60a3926-bf71-4ebf-a6cb-71c27cc30fca
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

    from dbus.mainloop.glib import DBusGMainLoop

    DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux is preventing colord from map access on the file /home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that colord should be allowed map access on the edid-a20fe83342bbb99ba4c4f2bad413b022.icc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'colord' --raw | audit2allow -M my-colord
# semodule -X 300 -i my-colord.pp


Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                unconfined_u:object_r:container_file_t:s0
Target Objects                /home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba
                              4c4f2bad413b022.icc [ file ]
Source                        colord
Source Path                   colord
Port                          <Unknown>
Host                          niv110
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-49.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     niv110
Platform                      Linux niv110 4.20.14-200.fc29.x86_64 #1 SMP Tue
                              Mar 5 19:55:32 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-03-11 12:16:52 CET
Last Seen                     2019-03-12 09:28:03 CET
Local ID                      e60a3926-bf71-4ebf-a6cb-71c27cc30fca

Raw Audit Messages
type=AVC msg=audit(1552379283.823:272): avc:  denied  { map } for  pid=1532 comm="colord" path="/home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc" dev="dm-3" ino=8388705 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0


Hash: colord,colord_t,container_file_t,file,map
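
The three raw AVC records on this page (the two ecryptfs_t denials from the description and comment 5, and the container_file_t denial from comment 11) differ only in the target type, and that field is what decides the remedy: the change that closed the bug (comment 6) is a policy rule letting colord_t manage ecryptfs_t objects when the use_ecryptfs_home_dirs boolean is on, not a relabel, whereas the sealert suggestion to set domain_can_mmap_files changes mmap permissions for every confined domain on the system, not just colord_t. The script below is an added triage example written for this page; it is not part of setroubleshoot, the Fedora policy, or anything the reporters posted. It parses raw audit lines with its own regular expression, takes icc_data_home_t (the default label the restorecon plugin reported for ~/.local/share/icc in the first sealert output) as the expected label for that path, and only emits the sesearch / getsebool / restorecon -n commands to run on the affected host rather than executing them. The permissive-mode line and the icc_data_home_t line are constructed for the example, not taken from the report.

```python
"""Triage SELinux AVC 'map' denials like the ones in this report (added example)."""
import re
from dataclasses import dataclass, field

# Raw audit lines copied from the report: description, comment 5, comment 11.
REPORTED_DENIALS = [
    'type=AVC msg=audit(1541300779.784:327): avc:  denied  { map } for  pid=1770 comm="colord" '
    'path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" '
    'dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 '
    'tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1542018709.99:277): avc:  denied  { map } for  pid=4437 comm="colord" '
    'path="/home/christian/.local/share/icc/edid-4daa39eed4132dd27967977091f97abe.icc" '
    'dev="ecryptfs" ino=539871982 scontext=system_u:system_r:colord_t:s0 '
    'tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1552379283.823:272): avc:  denied  { map } for  pid=1532 comm="colord" '
    'path="/home/xxxx/.local/share/icc/edid-a20fe83342bbb99ba4c4f2bad413b022.icc" '
    'dev="dm-3" ino=8388705 scontext=system_u:system_r:colord_t:s0 '
    'tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0',
]
# Constructed lines (not from the report): the same denial in permissive mode, and one
# where the file already carries the expected label so only a policy change can help.
PERMISSIVE_DENIAL = ('type=AVC msg=audit(1:1): avc:  denied  { map } for  pid=1 comm="colord" '
                     'path="/home/u/.local/share/icc/x.icc" dev="ecryptfs" ino=1 '
                     'scontext=system_u:system_r:colord_t:s0 '
                     'tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=1')
EXPECTED_LABEL_DENIAL = ('type=AVC msg=audit(2:2): avc:  denied  { map } for  pid=2 comm="colord" '
                         'path="/home/u/.local/share/icc/x.icc" dev="dm-0" ino=2 '
                         'scontext=system_u:system_r:colord_t:s0 '
                         'tcontext=unconfined_u:object_r:icc_data_home_t:s0 tclass=file permissive=0')

# Default label sealert's restorecon plugin reported for ~/.local/share/icc/*.icc (assumption
# taken from the first sealert output on this page).
EXPECTED_ICC_HOME_TYPE = "icc_data_home_t"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


@dataclass
class Avc:
    perms: frozenset
    fields: dict = field(default_factory=dict)

    def type_of(self, which):
        """Type component of a user:role:type:level context (scontext or tcontext)."""
        return self.fields[which].split(":")[2]


def parse_avc(line):
    """Parse one raw 'type=AVC ... avc: denied { perms } for ...' record; None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group("rest")):
        fields[f.group("key")] = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
    return Avc(frozenset(m.group("perms").split()), fields)


def triage(avc, expected_target_type=EXPECTED_ICC_HOME_TYPE):
    """permissive: access was granted and only logged.
    ecryptfs-boolean: target is ecryptfs_t, the case comment 6 fixed behind use_ecryptfs_home_dirs.
    relabel: target type is not what the policy expects for the path; dry-run restorecon first.
    policy: label is as expected and the rule is still missing, so this is a policy bug."""
    if avc.fields.get("permissive") == "1":
        return "permissive"
    tgt = avc.type_of("tcontext")
    if tgt == "ecryptfs_t":
        return "ecryptfs-boolean"
    if tgt != expected_target_type:
        return "relabel"
    return "policy"


def verification_commands(avc, verdict):
    """Commands (as strings) to confirm the verdict on the affected host; nothing runs here."""
    src, tgt = avc.type_of("scontext"), avc.type_of("tcontext")
    cmds = [f"sesearch -A -s {src} -t {tgt} -c {avc.fields['tclass']} -p {','.join(sorted(avc.perms))}"]
    if verdict == "ecryptfs-boolean":
        cmds.append("getsebool use_ecryptfs_home_dirs")
    elif verdict == "relabel":
        cmds.append(f"restorecon -nv '{avc.fields.get('path', '')}'")  # -n: report only, no relabel
    return cmds


def triage_log(lines):
    """Verdict per (source type, target type, class, perms); non-AVC records are skipped."""
    out = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc.type_of("scontext"), avc.type_of("tcontext"),
               avc.fields["tclass"], ",".join(sorted(avc.perms)))
        out[key] = triage(avc)
    return out


if __name__ == "__main__":
    for line in REPORTED_DENIALS + [PERMISSIVE_DENIAL, EXPECTED_LABEL_DENIAL]:
        avc = parse_avc(line)
        verdict = triage(avc)
        print(avc.fields["path"], "->", verdict, "|", "; ".join(verification_commands(avc, verdict)))
```

Feed it `ausearch -m AVC --raw` output instead of the embedded lines to triage a live host; a denial that lands in the "policy" bucket after the label has been confirmed with the dry-run restorecon is the one worth filing against selinux-policy, and a local audit2allow module should be a stopgap carrying only the exact (source, target, class, permission) tuple from the AVC rather than the global domain_can_mmap_files boolean.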

