Bug 1764541 - SELinux is preventing dnf from using the 'mac_admin' capabilities.
Summary: SELinux is preventing dnf from using the 'mac_admin' capabilities.
Keywords:
Status: CLOSED DUPLICATE of bug 1764538
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:af406c01e613a5ffcdad7f813a3...
: 1764543 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-23 09:47 UTC by Cocci Satch
Modified: 2019-10-23 09:59 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-10-23 09:59:38 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: CameraZOOM-20191021204545113.jpg (9.36 MB, application/octet-stream)
2019-10-23 09:48 UTC, Cocci Satch 		no flags Details
File: CameraZOOM-20191021204602496.jpg (7.94 MB, application/octet-stream)
2019-10-23 09:48 UTC, Cocci Satch 		no flags Details
View All

Description Cocci Satch 2019-10-23 09:47:59 UTC 
Description of problem:
Hello,

I have this problem since the update of October 21, which caused a panic kernel, so I start on the previous kernel and I have this error.
SELinux is preventing dnf from using the 'mac_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

Si vous pensez que dnf devrait avoir des capacités mac_admin par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# ausearch -c "dnf" --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Inconnu [ capability2 ]
Source                        dnf
Source Path                   dnf
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Inconnu>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.2.15-200.fc30.x86_64 #1 SMP Mon
                              Sep 16 15:17:36 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-10-21 08:31:02 CEST
Last Seen                     2019-10-21 08:31:02 CEST
Local ID                      bacef89d-817c-4eba-982c-0bce9d3db7ca

Raw Audit Messages
type=AVC msg=audit(1571639462.686:18000): avc:  denied  { mac_admin } for  pid=31923 comm="dnf" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: dnf,unconfined_t,unconfined_t,capability2,mac_admin


Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.2.15-200.fc30.x86_64
type:           libreport

Potential duplicate: bug 1557350
Comment 1 Cocci Satch 2019-10-23 09:48:27 UTC 
Created attachment 1628246 [details]
File: CameraZOOM-20191021204545113.jpg
Comment 2 Cocci Satch 2019-10-23 09:48:52 UTC 
Created attachment 1628247 [details]
File: CameraZOOM-20191021204602496.jpg
Comment 3 Lukas Vrabec 2019-10-23 09:56:54 UTC 
*** Bug 1764543 has been marked as a duplicate of this bug. ***
Comment 4 Lukas Vrabec 2019-10-23 09:59:38 UTC 
This is connected with your previous report. These is SELinux label on filesystem which is not defined in SELinux policy.

*** This bug has been marked as a duplicate of bug 1764538 ***
Note You need to log in before you can comment on or make changes to this bug.