Description of problem: Occur: In exection of Unreal Engine 4.22 (Internal Build: Commit 87b58a0cc30ec15765f545769f7c9c27864b65fb). During a in folder exploration by UE4. UE4 execute with -vulkan Issues fix, by this commands: ausearch -c 'abrt-action-gen' --raw | audit2allow -M my-abrtactiongen semodule -X 300 -i my-abrtactiongen.pp Occur: In execute Unreal Engine 4 4.22, internal build. OS: Fedora 29 (lastest stable build) SELinux is preventing abrt-action-gen from 'map' accesses on the file /run/media/vdiard/LinuxPart/UnrealEngine/Engine/Binaries/Linux/UE4Editor. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow domain to can mmap files Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean. Do setsebool -P domain_can_mmap_files 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that abrt-action-gen should be allowed map access on the UE4Editor file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'abrt-action-gen' --raw | audit2allow -M my-abrtactiongen # semodule -X 300 -i my-abrtactiongen.pp Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:unlabeled_t:s0 Target Objects /run/media/vdiard/LinuxPart/UnrealEngine/Engine/Bi naries/Linux/UE4Editor [ file ] Source abrt-action-gen Source Path abrt-action-gen Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-51.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.0.3-200.fc29.x86_64 #1 SMP Tue Mar 19 15:07:58 UTC 2019 x86_64 x86_64 Alert Count 3 First Seen 2019-03-28 13:31:16 CET Last Seen 2019-03-30 22:12:53 CET Local ID 56cac398-eea5-493c-8af3-a16915a662f6 Raw Audit Messages type=AVC msg=audit(1553980373.152:399): avc: denied { map } for pid=11559 comm="abrt-action-gen" path="/run/media/vdiard/LinuxPart/UnrealEngine/Engine/Binaries/Linux/UE4Editor" dev="sda2" ino=16648791 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1 Hash: abrt-action-gen,abrt_t,unlabeled_t,file,map Version-Release number of selected component: selinux-policy-3.14.2-51.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 5.0.3-200.fc29.x86_64 type: libreport
Created attachment 1549933 [details] File: Diagnostics.txt
Hi, Could you please run: # restorecon -Rv / This should fix your issue.
Hi Valentin, The reason for this SELinux denial is that abrt does not have access to files with the special "unlabeled_t" label: this label is displayed when a file was created in SELinux disabled state or when its actual label does not currently exist. It can happen, for instance, when the volume mounted does not support security attributes, but there also can be other reasons. One of the ways how to deal with the issue is mounting the volume with a particular label. Turning on the boolean as suggested would allow too much of permissions which should be assessed properly if it is desired. Is there any actual problem with the application running or is it just the problem with abrt unable to access the file? Does vendor of the application recommend usage, including labeling of files?
As this bugzilla has not been updated for a long time, I assume that the issue has either been resolved or is no longer current, hence closing the bz. Feel free to reopen it if the issue persists.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days