Description of problem:
SELinux is preventing mandb from 'search' accesses on the directory /var/lib/snapd.

*****  Plugin restorecon (68.9 confidence) suggests   ************************

If you want to fix the label.
/var/lib/snapd default label should be var_lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/lib/snapd

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (3.92 confidence) suggests   *******************

If you want to allow mandb to have search access on the snapd directory
Then you need to change the label on /var/lib/snapd
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/snapd'
where FILE_TYPE is one of the following: abrt_var_run_t, admin_home_t, bin_t, boot_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t, cpu_online_t, default_t, device_t, devpts_t, etc_runtime_t, etc_t, fail2ban_var_lib_t, fonts_cache_t, fonts_t, home_root_t, httpd_sys_content_t, init_var_run_t, lib_t, locale_t, lost_found_t, man_cache_t, man_t, mandb_cache_t, mnt_t, nscd_var_run_t, pkcs11_modules_conf_t, proc_t, rkhunter_var_lib_t, root_t, rpm_log_t, rpm_script_tmp_t, security_t, selinux_config_t, setrans_var_run_t, shell_exec_t, sosreport_tmp_t, src_t, sssd_public_t, sssd_var_lib_t, sysctl_t, sysfs_t, system_conf_t, system_db_t, textrel_shlib_t, tmp_t, tmpfs_t, user_home_dir_t, usr_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, var_t.
Then execute:
restorecon -v '/var/lib/snapd'

*****  Plugin catchall (1.18 confidence) suggests   **************************

If you believe that mandb should be allowed search access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mandb' --raw | audit2allow -M my-mandb
# semodule -X 300 -i my-mandb.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /var/lib/snapd [ dir ]
Source                        mandb
Source Path                   mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-28.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-28.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.14-300.fc33.x86_64 #1 SMP Wed Oct 7 21:44:23 UTC 2020 x86_64 x86_64
Alert Count                   4
First Seen                    2020-10-16 14:52:13 EEST
Last Seen                     2020-10-20 12:36:58 EEST
Local ID                      4da3abba-9d2e-458a-9435-0e888ce14460

Raw Audit Messages
type=AVC msg=audit(1603186618.880:332): avc: denied { search } for pid=10816 comm="mandb" name="snapd" dev="sda6" ino=249194 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 trawcon="system_u:object_r:snappy_var_lib_t:s0"

Hash: mandb,mandb_t,unlabeled_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-28.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.8.14-300.fc33.x86_64
type:           libreport

Potential duplicate: bug 1782694
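Added example, not part of the report and not setroubleshoot's code: a small POSIX shell helper that pulls fields out of a raw AVC line like the one above and tells a genuine policy gap apart from the case shown here, where tcontext is unlabeled_t while trawcon still carries snappy_var_lib_t. That combination means the label stored on disk names a type the currently loaded policy does not define, so a local allow rule from audit2allow would be the wrong fix. The function names and the second sample line in the usage are my own assumptions.

```shell
#!/bin/sh
# Constructed sample: the raw AVC line from the setroubleshoot report above.
SAMPLE_AVC='type=AVC msg=audit(1603186618.880:332): avc: denied { search } for pid=10816 comm="mandb" name="snapd" dev="sda6" ino=249194 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 trawcon="system_u:object_r:snappy_var_lib_t:s0"'

# avc_field LINE KEY: print the value of KEY=... from an audit line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# context_type CONTEXT: the type component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: "stale-label:<on-disk type>" when the target shows up as
# unlabeled_t but trawcon still carries a raw context (the type on disk is unknown
# to the loaded policy, so relabelling is the fix); otherwise "policy-gap:<type>".
classify_avc() {
    line=$1
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    raw=$(avc_field "$line" trawcon)
    if [ "$ttype" = unlabeled_t ] && [ -n "$raw" ]; then
        printf 'stale-label:%s\n' "$(context_type "$raw")"
    else
        printf 'policy-gap:%s\n' "$ttype"
    fi
}

# Usage: summarise the sample denial.
printf '%s denied %s on %s -> %s\n' \
    "$(avc_field "$SAMPLE_AVC" comm)" \
    "$(avc_field "$SAMPLE_AVC" tclass)" \
    "$(avc_field "$SAMPLE_AVC" name)" \
    "$(classify_avc "$SAMPLE_AVC")"
```

On a live host the same functions can be fed from ausearch -m avc --raw, one line at a time; a stale-label verdict points at restorecon (or at the missing policy module), while policy-gap is the only case where filing a policy bug or building a local module is appropriate.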
Hi,

Could you please ensure you have the snappy selinux module installed and active?

1. Ensure the subpackage is installed:
   rpm -q snapd-selinux
2. Check the active modules:
   semodule -lfull|grep -e snappy
3. List all modules with priority 200:
   ls -l /var/lib/selinux/targeted/active/modules/200/
4. Check the default context:
   matchpathcon /var/lib/snapd
5. List the context of the directory:
   ls -lZ /var/lib/snapd
I must have brought confusion to this report by omitting to mention that snapd had previously been uninstalled.

$ rpm -q snapd-selinux
package snapd-selinux is not installed

# semodule -lfull|grep -e snappy

# ls -l /var/lib/selinux/targeted/active/modules/200/ | sed 1d
drwx------. 1 root root 28 Oct 16 12:48 container
drwx------. 1 root root 28 Oct 16 12:48 flatpak
drwx------. 1 root root 28 Oct 16 12:48 mysql

$ matchpathcon /var/lib/snapd
Deprecated, use selabel_lookup
/var/lib/snapd	system_u:object_r:var_lib_t:s0

$ ls -lZ /var/lib/snapd | sed 1d
drwx------. 1 root root system_u:object_r:unlabeled_t:s0  0 Oct 16 12:48 cache
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 10 Oct 16 12:48 desktop
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0  0 Oct 16 12:48 sequence
Hi,

That explains it. You should now remove the remnant files/dirs if you don't need them any longer, or relabel them with restorecon if you do, and check why mandb wants to go through this directory: /etc/man_db.conf

Closing as NOTABUG. Feel free to reopen the bugzilla if the issues continue.
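Added example, my own and not a command from the reporter or the maintainer: a dry-run check for the relabel step suggested above. It reads ls -lZ output, compares each entry's SELinux type with the default type that matchpathcon reported for the directory (var_lib_t), and prints the restorecon commands that would correct the mismatches without running any of them, so the plan can be reviewed before touching a leftover directory. The sample listing is the one from the reporter's comment; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the 'ls -lZ /var/lib/snapd' listing from the report, plus the
# default type matchpathcon reported for the directory after snapd was removed.
SNAPD_DIR=/var/lib/snapd
EXPECTED_TYPE=var_lib_t
SAMPLE_LS='drwx------. 1 root root system_u:object_r:unlabeled_t:s0 0 Oct 16 12:48 cache
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 10 Oct 16 12:48 desktop
drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 0 Oct 16 12:48 sequence'

# label_mismatches EXPECTED_TYPE: read 'ls -lZ' lines on stdin and print
# "name current_type" for each entry whose SELinux type differs from EXPECTED_TYPE.
# Field 5 of 'ls -lZ' is user:role:type:level and the name is the last field
# (names containing spaces would need 'ls -lZ --quoting-style=shell' instead).
label_mismatches() {
    awk -v want="$1" '
        NF >= 10 && $5 ~ /:/ {
            split($5, ctx, ":")
            if (ctx[3] != want) print $NF, ctx[3]
        }'
}

# count_mismatches EXPECTED_TYPE: how many entries on stdin carry the wrong type.
count_mismatches() {
    label_mismatches "$1" | awk 'END { print NR }'
}

# relabel_plan DIR EXPECTED_TYPE: print, but do not run, the restorecon command
# that would reset each mismatched entry under DIR to its default label.
relabel_plan() {
    dir=$1
    label_mismatches "$2" | while read -r name type; do
        printf 'restorecon -v %s/%s   # currently %s\n' "$dir" "$name" "$type"
    done
}

# Usage: review the plan for the sample listing. On a live host the same pipeline is
#   ls -lZ "$SNAPD_DIR" | sed 1d | relabel_plan "$SNAPD_DIR" "$(matchpathcon -n "$SNAPD_DIR" | cut -d: -f3)"
printf '%s\n' "$SAMPLE_LS" | relabel_plan "$SNAPD_DIR" "$EXPECTED_TYPE"
```

For the sample, all three entries show unlabeled_t because their stored type (snappy_var_lib_t, visible as trawcon in the AVC) is no longer defined once snapd-selinux is gone; restorecon would reset them to var_lib_t, which is the default the policy now reports for that path.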
*** Bug 1782694 has been marked as a duplicate of this bug. ***