Bug 1646899 - SELinux is preventing certwatch from 'write' accesses on the directory /sys/fs/fuse/connections.
Summary: SELinux is preventing certwatch from 'write' accesses on the directory /sys/f...
Keywords:
Status: CLOSED DUPLICATE of bug 1655357
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6968a4e7be200361df250bb14b8...
Depends On:
Blocks:
Reported: 2018-11-06 09:29 UTC by George Petasis
Modified: 2018-12-12 14:35 UTC
CC: 13 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-12 14:35:35 UTC
Type: ---
Embargoed:



Description George Petasis 2018-11-06 09:29:22 UTC
Description of problem:
certwatch is run daily from cron
SELinux is preventing certwatch from 'write' accesses on the directory /sys/fs/fuse/connections.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that certwatch should be allowed write access on the connections directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'certwatch' --raw | audit2allow -M my-certwatch
# semodule -X 300 -i my-certwatch.pp

Additional Information:
Source Context                system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /sys/fs/fuse/connections [ dir ]
Source                        certwatch
Source Path                   certwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.16-300.fc29.x86_64 #1 SMP Sat
                              Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-06 03:42:01 EET
Last Seen                     2018-11-06 03:42:01 EET
Local ID                      fe9f4373-c25c-4b53-aefb-381dd5019e18

Raw Audit Messages
type=AVC msg=audit(1541468521.770:4249): avc:  denied  { write } for  pid=15862 comm="certwatch" name="/" dev="fusectl" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0


Hash: certwatch,certwatch_t,fusefs_t,dir,write

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 1 T 2018-11-09 20:06:28 UTC
same problem here.

After upgrading to Fedora 29 (from 28) certwatch is giving many selinux errors

I have

crypto-utils-2.5-4.fc29.x86_64
selinux-policy-targeted-3.14.2-42.fc29.noarch
policycoreutils-2.8-8.fc29.x86_64
kernel-headers-4.18.17-300.fc29.x86_64



# runcon -t certwatch_t -u system_u -r system_r /etc/cron.daily/certwatch          
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed
ffi_closure_alloc failed


[root@nonoise share]# ausearch -m avc -ts recent   
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:455): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=21539 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:456): avc:  denied  { write } for  pid=7033 comm="certwatch" name="tmp" dev="dm-1" ino=1179708 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:457): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17423 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:458): avc:  denied  { dac_override } for  pid=7033 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:459): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:460): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17423 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:461): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17425 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:462): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="configfs" ino=16592 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:463): avc:  denied  { dac_override } for  pid=7033 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:464): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:465): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="hugetlbfs" ino=2371 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:466): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:467): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="mqueue" ino=13145 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:468): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=21539 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:469): avc:  denied  { dac_override } for  pid=7033 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:470): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="dm-3" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:471): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="dm-4" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.188:472): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="dm-6" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.189:473): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.189:474): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="fusectl" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.189:475): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
----
time->Fri Nov  9 12:47:59 2018
type=AVC msg=audit(1541792879.189:476): avc:  denied  { write } for  pid=7033 comm="certwatch" name="/" dev="tmpfs" ino=17423 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----


and many more

Cheers
T.

Comment 2 Anthony Messina 2018-11-24 16:37:04 UTC
In permissive mode, certwatch will generate additional AVCs related to temporary files and mmap.



AVC avc:  denied  { write } for  pid=10988 comm="certwatch" name="/" dev="tmpfs" ino=19732 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
AVC avc:  denied  { add_name } for  pid=10988 comm="certwatch" name="ffi5HJkIb" scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
AVC avc:  denied  { create } for  pid=10988 comm="certwatch" name="ffi5HJkIb" scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc:  denied  { write } for  pid=10988 comm="certwatch" path="/tmp/ffi5HJkIb" dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc:  denied  { remove_name } for  pid=10988 comm="certwatch" name="ffi5HJkIb" dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
AVC avc:  denied  { unlink } for  pid=10988 comm="certwatch" name="ffi5HJkIb" dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc:  denied  { map } for  pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
AVC avc:  denied  { execute } for  pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

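Editor's note on the AVCs above (an added example, not code from the bug report, from setroubleshoot or from audit2allow). The catchall suggestion in the description is to pipe `ausearch -c 'certwatch' --raw` into `audit2allow` and load the result. Applied to the denials pasted in comment 1 and comment 2 that would grant certwatch_t write access to the root of every mounted filesystem (fusefs_t, security_t, debugfs_t, device_t, home_root_t, usr_t, ...) plus create/write/map/execute on a tmp_t file and the dac_override capability, which is a much wider domain than a certificate-expiry checker needs. The pattern itself, "ffi_closure_alloc failed" followed by write attempts on "/" of each mount and then a /tmp/ffiXXXXXX file that is created, mapped and executed, is what libffi does when it falls back to a temporary file for its closure trampolines, although the report itself does not say so. The script below is one way to look at the raw lines before deciding: it parses them, decodes auditd's hex-encoded `path=` field (the `2F746D70...` value in comment 2 is `/tmp/ffi5HJkIb (deleted)`), groups them the way audit2allow would, and marks the permissions that warrant a policy fix rather than a local module. The `RISKY` set and the sample lines are the editor's own constructions.

```python
"""Triage SELinux AVC denials before generating a local policy module.

Added example for this bug report; it is not part of setroubleshoot,
audit2allow or the Fedora policy.  It parses raw `type=AVC` lines in the
format quoted above, decodes auditd's hex-encoded string fields, collapses
the denials into the (source type, target type, class) groups that
audit2allow turns into allow rules, and tags the permissions that should
not be granted just because an AVC appeared.
"""
import re
from collections import defaultdict

# Permissions whose blanket grant would make a confined cron helper far
# less confined.  Assumption: this is the editor's list, not policy.
RISKY = {
    ("file", "execute"), ("file", "map"), ("file", "execute_no_trans"),
    ("capability", "dac_override"), ("process", "execmem"),
}

# auditd hex-encodes only string-valued fields that contain spaces or
# quotes, e.g. path=2F746D70... in the AVCs pasted in comment 2.
HEX_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")


def decode_field(key, value):
    """Strip quotes, or hex-decode a string field that auditd encoded."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for anything else."""
    m = _AVC.search(line)
    if not m:
        return None
    rec = {k: decode_field(k, v) for k, v in _FIELD.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # Contexts are user:role:type[:range]; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Group denials as audit2allow would: one rule per (stype, ttype, tclass)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def render_rules(rules):
    """Render the would-be allow rules, marking the ones that need a human."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        rule = f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        risky = sorted(p for p in perms if (tclass, p) in RISKY)
        if risky:
            rule += "  # REVIEW: grants " + ", ".join(risky)
        out.append(rule)
    return out


# Constructed sample: a subset of the lines pasted in the description and
# in comment 2.  permissive=0 lines stop at the first denial; the
# permissive=1 lines show the whole chain (create, write, map, execute).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1541468521.770:4249): avc:  denied  { write } for  pid=15862 comm="certwatch" name="/" dev="fusectl" ino=1 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1541792879.188:458): avc:  denied  { dac_override } for  pid=7033 comm="certwatch" capability=1  scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'AVC avc:  denied  { create } for  pid=10988 comm="certwatch" name="ffi5HJkIb" scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1',
    'AVC avc:  denied  { map } for  pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1',
    'AVC avc:  denied  { execute } for  pid=10988 comm="certwatch" path=2F746D702F66666935484A6B4962202864656C6574656429 dev="tmpfs" ino=196868 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for rule in render_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Run it on the output of `ausearch -m avc --raw` instead of the constructed sample to see the same grouping for a live system. Two things the report's comments demonstrate that the script leans on: in enforcing mode (permissive=0) only the first denied step is logged, so the list in comment 1 understates what the program is trying to do, while the permissive=1 capture in comment 2 shows the full create, write, map, execute sequence; and a `tclass=capability` line has scontext equal to tcontext, which is why the rendered rule uses `self`. Rules flagged REVIEW are the ones where the right answer is usually to fix the program or the distribution policy (as the duplicate bug did) rather than to ship a `my-certwatch.pp` module that permanently widens certwatch_t.
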
Comment 3 Doug Hutcheson 2018-12-03 00:27:34 UTC
Description of problem:
This is one of a cascade of related reports presented each morning after I open my laptop.


Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.4-300.fc29.x86_64
type:           libreport

Comment 4 Lukas Vrabec 2018-12-12 14:35:35 UTC

*** This bug has been marked as a duplicate of bug 1655357 ***

