Bug 1717673 - SELinux is preventing (upowerd) from 'remount' accesses on the filesystem .
Summary: SELinux is preventing (upowerd) from 'remount' accesses on the filesystem .
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: snapd
Version: 30
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zygmunt Krynicki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b143e7e7fa4eed2fe3475a8e0b7...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-05 22:50 UTC by jarek.dziedzic
Modified: 2020-02-18 12:03 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-18 12:03:03 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description jarek.dziedzic 2019-06-05 22:50:32 UTC
Description of problem:
Happens on start of upowerd version 0.99.10

Installed Packages
Name         : selinux-policy
Version      : 3.14.3
Release      : 37.fc30
Architecture : noarch
Size         : 24 k
Source       : selinux-policy-3.14.3-37.fc30.src.rpm
Repository   : @System
From repo    : updates
Summary      : SELinux policy configuration
URL          : https://github.com/fedora-selinux/selinux-policy
License      : GPLv2+
Description  : SELinux Base package for SELinux Reference Policy - modular.
             : Based off of reference policy: Checked out revision  2.20091117


[jarek@karbon ~]$ uname -a
Linux karbon 5.1.6-300.fc30.x86_64 #1 SMP Fri May 31 17:43:23 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
SELinux is preventing (upowerd) from 'remount' accesses on the filesystem .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (upowerd) should be allowed remount access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(upowerd)' --raw | audit2allow -M my-upowerd
# semodule -X 300 -i my-upowerd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:snappy_snap_t:s0
Target Objects                 [ filesystem ]
Source                        (upowerd)
Source Path                   (upowerd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-37.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.6-300.fc30.x86_64 #1 SMP Fri
                              May 31 17:43:23 UTC 2019 x86_64 x86_64
Alert Count                   5
First Seen                    2019-06-06 00:30:43 CEST
Last Seen                     2019-06-06 00:30:44 CEST
Local ID                      883af12b-553e-45cb-a1c4-6e0c37290544

Raw Audit Messages
type=AVC msg=audit(1559773844.842:395): avc:  denied  { remount } for  pid=5197 comm="(upowerd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=filesystem permissive=0


Hash: (upowerd),init_t,snappy_snap_t,filesystem,remount

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.6-300.fc30.x86_64
type:           libreport

Comment 1 ValdikSS 2019-11-17 11:43:03 UTC
This happens to me when I setup tmpfs on /var/cache/cups using fstab.
For some reason, upowerd and systemd-hostname won't execute, they are trying to remount this partition.

Comment 2 Zygmunt Krynicki 2020-02-18 12:03:03 UTC
This bug is now tracked in an aggregate helper issue: https://bugs.launchpad.net/snapd/+bug/1863747


Note You need to log in before you can comment on or make changes to this bug.