Bug 1648701 - SELinux is preventing mandb from 'search' accesses on the directory /var/lib/snapd.
Summary: SELinux is preventing mandb from 'search' accesses on the directory /var/lib/...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: snapd
Version: 29
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Zygmunt Krynicki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8fb1976f00047197afba3614d5e...
Duplicates: 1673682 1687816 1689996 1700019
Depends On:
Blocks:
Reported: 2018-11-11 20:02 UTC by Mai Ling
Modified: 2019-09-02 17:36 UTC
CC List: 69 users


Description Mai Ling 2018-11-11 20:02:30 UTC
Description of problem:
SELinux is preventing mandb from 'search' accesses on the directory /var/lib/snapd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mandb should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mandb' --raw | audit2allow -M my-mandb
# semodule -X 300 -i my-mandb.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0
Target Context                system_u:object_r:snappy_var_lib_t:s0
Target Objects                /var/lib/snapd [ dir ]
Source                        mandb
Source Path                   mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           snapd-2.36-1.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.0-0.rc1.git1.2.fc30.x86_64 #1
                              SMP Tue Nov 6 22:29:17 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-11-11 21:56:29 EET
Last Seen                     2018-11-11 21:56:29 EET
Local ID                      7b8b78bf-f8a3-4b27-b497-7b336e9899ce

Raw Audit Messages
type=AVC msg=audit(1541966189.890:391): avc:  denied  { search } for  pid=6859 comm="mandb" name="snapd" dev="sda3" ino=95339 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0


Hash: mandb,mandb_t,snappy_var_lib_t,dir,search

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.20.0-0.rc1.git1.2.fc30.x86_64
type:           libreport

Comment 1 akiross 2018-12-01 09:59:41 UTC
Description of problem:
If I use dnf to install a package, SELinux warns me about this error, specifically when running some scriptlets after the installations.
I can reproduce this problem by installing a package with dnf.

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.4-300.fc29.x86_64
type:           libreport

Comment 2 deadrat 2018-12-23 19:34:00 UTC
Description of problem:
I was trying to run an Electron wrapper app, so I installed GConf2 and then tried to run the app. Honestly, I don't know what I am doing.

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.5-300.fc29.x86_64
type:           libreport

Comment 3 aten 2018-12-26 21:32:18 UTC
Description of problem:
 sudo dnf distro-sync --setopt=deltarpm=0
Did this right after the upgrade to F29, and SELinux triggered the error.


Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.10-300.fc29.x86_64
type:           libreport

Comment 4 aten 2019-01-19 20:11:57 UTC
Description of problem:
rebooted

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.15-300.fc29.x86_64
type:           libreport

Comment 5 Evgeny 2019-01-27 06:41:21 UTC
Description of problem:
Install or remove rpm pkg.

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.20.3-200.fc29.x86_64
type:           libreport

Comment 6 gburlats 2019-01-30 09:35:40 UTC
Description of problem:
The problem happened a few minutes after I updated my OS.

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.20.4-200.fc29.x86_64
type:           libreport

Comment 7 Teoman ONAY 2019-02-04 08:19:46 UTC
Description of problem:
Just booted my laptop

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.20.4-200.fc29.x86_64
type:           libreport

Comment 8 Artemio 2019-02-07 18:51:51 UTC
*** Bug 1673682 has been marked as a duplicate of this bug. ***

Comment 9 lucas 2019-02-08 14:10:59 UTC
Description of problem:
Background process.  Seems to be the mandb indexer trying to scan snapd

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.20.6-200.fc29.x86_64
type:           libreport

Comment 10 Martijn Kruiten 2019-02-18 08:51:05 UTC
Description of problem:
1. sudo dnf install snapd
2. sudo systemctl enable --now snapd.socket
3. sudo ln -s /var/lib/snapd/snap /snap

SELinux errors all over the place.

Version-Release number of selected component:
selinux-policy-3.14.2-48.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.8-200.fc29.x86_64
type:           libreport

Comment 11 Artemio 2019-03-12 12:43:01 UTC
*** Bug 1687816 has been marked as a duplicate of this bug. ***

Comment 12 Artemio 2019-03-18 15:00:50 UTC
*** Bug 1689996 has been marked as a duplicate of this bug. ***

Comment 13 Jorge 2019-04-09 13:17:15 UTC
Description of problem:
I can NOT install Android Studio and Eclipse from Snap

Version-Release number of selected component:
selinux-policy-3.14.2-53.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.5-200.fc29.x86_64
type:           libreport

Comment 14 Zdenek Pytela 2019-04-15 15:47:18 UTC
*** Bug 1700019 has been marked as a duplicate of this bug. ***

Comment 15 Ryan 2019-05-04 22:51:19 UTC
Description of problem:
Installed snapd
$ sudo dnf install snapd
$ systemctl enable snapd
$ systemctl start snapd

After running these commands, SELinux continues to report bugs related to snaps.

Version-Release number of selected component:
selinux-policy-3.14.3-32.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.10-300.fc30.x86_64
type:           libreport

Comment 16 Ryan 2019-05-16 01:26:22 UTC
Description of problem:
Installed snapd and error started appearing. 

Version-Release number of selected component:
selinux-policy-3.14.3-29.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.9-301.fc30.x86_64
type:           libreport

Comment 17 Paul Nickerson 2019-05-17 20:32:21 UTC
Description of problem:
I think this SELinux alert appears in my notification tray whenever I dnf install an update. It might also happen at system startup.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport

Comment 18 seb 2019-05-24 08:52:26 UTC
Description of problem:
Following the kernel update to .17, at session startup.

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.17-300.fc30.x86_64
type:           libreport

Comment 19 Allan Poulsen 2019-06-01 09:46:56 UTC
Description of problem:
Automatic update

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.17-300.fc30.x86_64
type:           libreport

Comment 20 MC 2019-06-13 10:37:40 UTC
Description of problem:
SELinux alert appears while booting my laptop running Fedora 30 (Workstation Edition),
Kernel: Linux 5.1.7-300.fc30.x86_64.

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.7-300.fc30.x86_64
type:           libreport

Comment 21 Lolita Haggard 2019-06-13 13:59:55 UTC
Description of problem:
This happens after a dnf update completes. The snapd package was removed sometime before I started to get these alerts. 

Version-Release number of selected component:
selinux-policy-3.14.2-59.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.19-200.fc29.x86_64
type:           libreport

Comment 22 morgan read 2019-06-23 08:50:51 UTC
Description of problem:
I don't know...  (While browsing for new Wallpapers.)

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.12-300.fc30.x86_64
type:           libreport

Comment 23 Jani Heinonen 2019-06-25 19:17:16 UTC
Description of problem:
Installed snapd and then Caprine and Spotify. The error came after Spotify had been installed and was running.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.12-300.fc30.x86_64
type:           libreport

Comment 24 morgan read 2019-06-30 11:44:57 UTC
Description of problem:
This might be triggered when gnome-software is run

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.12-300.fc30.x86_64
type:           libreport

Comment 25 Dirk Deimeke 2019-07-04 09:42:54 UTC
Description of problem:
Installed snap, got SELinux Alerts

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.15-300.fc30.x86_64
type:           libreport

Comment 26 Warren Lewis 2019-07-11 23:44:11 UTC
Description of problem:
Bug happened during a dnf update.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.0.11-200.fc29.x86_64
type:           libreport

Comment 27 a.wellbrock 2019-07-12 13:41:31 UTC
Description of problem:
I did `dnf update`. After the update was completed, this occurred.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 28 ctompkins 2019-07-12 19:40:52 UTC
Description of problem:
I installed Snap via yum.
Then I installed Spotify.
I then restarted XFCE.
When I updated DNF, I got the SELinux alert.

Version-Release number of selected component:
selinux-policy-3.14.3-39.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 29 Tim Diillenberger 2019-07-18 21:43:43 UTC
Description of problem:
I installed Snapd on my Fedora OS and SELinux got a bug. I want it to get access to Mandb.

Version-Release number of selected component:
selinux-policy-3.14.3-40.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.17-300.fc30.x86_64
type:           libreport

Comment 30 enricobe 2019-07-27 13:19:12 UTC
Description of problem:
After installing snapd

Version-Release number of selected component:
selinux-policy-3.14.3-41.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.18-300.fc30.x86_64
type:           libreport

Comment 31 Peter 2019-07-28 18:31:58 UTC
Description of problem:
Every time there is an update for a week or two now.

Version-Release number of selected component:
selinux-policy-3.14.3-42.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.19-300.fc30.x86_64
type:           libreport

Comment 32 Peter 2019-08-01 19:04:13 UTC
Description of problem:
updated

Version-Release number of selected component:
selinux-policy-3.14.3-42.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.19-300.fc30.x86_64
type:           libreport

Comment 33 dani 2019-08-04 03:31:27 UTC
Description of problem:
As per instructions on https://snapcraft.io/docs/installing-snap-on-fedora
1. sudo dnf install snapd
2. sudo ln -s /var/lib/snapd/snap /snap
3. reboot

Version-Release number of selected component:
selinux-policy-3.14.3-42.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.20-300.fc30.x86_64
type:           libreport

Comment 34 Raman Gupta 2019-08-06 17:31:58 UTC
Description of problem:
Seems to happen with dnf operations. I have snapd installed and running.

Version-Release number of selected component:
selinux-policy-3.14.2-60.fc29.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.18-200.fc29.x86_64
type:           libreport

Comment 35 Anatoli Babenia 2019-08-08 04:24:03 UTC
Can anybody update the version to Fedora 30?

Comment 36 GEOF DUNCAN 2019-08-17 21:38:14 UTC
Description of problem:
Attempting to install Dropbox in Fedora MATE 30. 

Version-Release number of selected component:
selinux-policy-3.14.3-43.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.8-200.fc30.x86_64
type:           libreport

Comment 37 Ted Roche 2019-08-21 14:59:11 UTC
Description of problem:
During routine dnf update 21-Aug-2019

Version-Release number of selected component:
selinux-policy-3.14.2-64.fc29.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.21-200.fc29.x86_64
type:           libreport

Comment 38 hx 2019-08-26 13:44:57 UTC
Description of problem:
Installed npm / nodejs via Visual Studio Code terminal

Version-Release number of selected component:
selinux-policy-3.14.3-43.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.8-200.fc30.x86_64
type:           libreport

Comment 39 Zbigniew Puszko 2019-08-29 05:46:59 UTC
Description of problem:
Just updating using dnfdragora

Version-Release number of selected component:
selinux-policy-3.14.3-43.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.9-200.fc30.x86_64
type:           libreport

Comment 40 wd 2019-09-02 17:36:20 UTC
Description of problem:
This issue appears!

Version-Release number of selected component:
selinux-policy-3.14.3-43.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.9-200.fc30.x86_64
type:           libreport

