Description of problem:
SELinux is preventing systemd-tmpfile from 'getattr' accesses on the file /var/tmp/sos.qbc3h4zl/sosreport-atlantis-2019-11-12-yojbsre/proc/sys/vm/compact_memory.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-tmpfile should be allowed getattr access on the compact_memory file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
# semodule -X 300 -i my-systemdtmpfile.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:sysctl_vm_t:s0
Target Objects                /var/tmp/sos.qbc3h4zl/sosreport-atlantis-2019-11-12-yojbsre/proc/sys/vm/compact_memory [ file ]
Source                        systemd-tmpfile
Source Path                   systemd-tmpfile
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-39.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.3.11-300.fc31.x86_64 #1 SMP Tue Nov 12 19:08:07 UTC 2019 x86_64 x86_64
Alert Count                   5
First Seen                    2019-11-14 20:30:23 EST
Last Seen                     2019-11-15 11:39:02 EST
Local ID                      2ada11a4-9154-4eec-9a9a-06a94bd8b228

Raw Audit Messages
type=AVC msg=audit(1573835942.618:406): avc: denied { getattr } for pid=14493 comm="systemd-tmpfile" path="/var/tmp/sos.qbc3h4zl/sosreport-atlantis-2019-11-12-yojbsre/proc/sys/vm/compact_memory" dev="dm-6" ino=111970404 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1

Hash: systemd-tmpfile,systemd_tmpfiles_t,sysctl_vm_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.14.4-39.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.11-300.fc31.x86_64
type:           libreport

*** Bug 1774072 has been marked as a duplicate of this bug. ***
A PR has been sent for a review: https://github.com/fedora-selinux/selinux-policy/pull/295
Fixes from Fedora:

commit e3cabc4de1c28fb92398666900b0db3592b9b593 (HEAD -> rawhide, origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Nov 20 11:42:31 2019 +0100

    Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)

selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.