1895587 – SELinux errors after Fedora 33 upgrade

Bug 1895587 - SELinux errors after Fedora 33 upgrade

Summary: SELinux errors after Fedora 33 upgrade

Keywords:
Status:	CLOSED DUPLICATE of bug 1461313
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	33
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-07 10:43 UTC by rugk
Modified:	2020-11-09 07:27 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-11-09 07:27:27 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description rugk 2020-11-07 10:43:25 UTC

Description of problem:
After upgrading Fedora Workstation to Fedora 33 SeLinux shows all kinds of errors.

Version-Release number of selected component (if applicable):
rpm-4.16.0-1.fc33.src.rpm

How reproducible:
Yes(?)

Steps to Reproduce:
Upgrade.

Actual results:
SELinux is preventing abrt-action-lis from 'setattr' accesses on the Datei /var/lib/rpm/rpmdb.sqlite-wal.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

Wenn Sie erlauben wollen, dass abrt-action-lis  setattr Zugriff auf rpmdb.sqlite-wal file
Then sie müssen das Label auf /var/lib/rpm/rpmdb.sqlite-wal ändern
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/rpm/rpmdb.sqlite-wal'
wobei FILE_TYPE einer der folgenen Werte ist: abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, kdump_crash_t, mail_home_rw_t, mock_var_lib_t, rhsmcertd_var_run_t, rpm_log_t, rpm_var_cache_t, rpm_var_run_t, usr_t. 
Führen Sie danach Folgendes aus: 
restorecon -v '/var/lib/rpm/rpmdb.sqlite-wal'


*****  Plugin catchall (17.1 confidence) suggests   **************************

Wenn Sie denken, dass es abrt-action-lis standardmäßig erlaubt sein sollte, setattr Zugriff auf rpmdb.sqlite-wal file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'abrt-action-lis' --raw | audit2allow -M my-abrtactionlis
# semodule -X 300 -i my-abrtactionlis.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/rpm/rpmdb.sqlite-wal [ file ]
Source                        abrt-action-lis
Source Path                   abrt-action-lis
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            <Unbekannt>
Local Policy RPM              selinux-policy-targeted-3.14.6-29.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.17-300.fc33.x86_64 #1 SMP Thu
                              Oct 29 15:55:40 UTC 2020 x86_64 x86_64
Alert Count                   384
First Seen                    2020-11-03 17:13:48 CET
Last Seen                     2020-11-07 11:31:43 CET
Local ID                      1f128834-f6f3-4da2-938d-13ce9319deb7

Raw Audit Messages
type=AVC msg=audit(1604745103.285:1140): avc:  denied  { setattr } for  pid=3557 comm="abrt-action-lis" name="rpmdb.sqlite-wal" dev="dm-2" ino=3276873 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: abrt-action-lis,abrt_t,var_lib_t,file,setattr


Expected results:
no error

Additional info:
-

Comment 1 rugk 2020-11-07 10:45:32 UTC

Another error:
SELinux is preventing abrt-action-lis from 'write' accesses on the Datei /var/lib/rpm/rpmdb.sqlite-wal.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

Wenn Sie erlauben wollen, dass abrt-action-lis  write Zugriff auf rpmdb.sqlite-wal file
Then sie müssen das Label auf /var/lib/rpm/rpmdb.sqlite-wal ändern
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/rpm/rpmdb.sqlite-wal'
wobei FILE_TYPE einer der folgenen Werte ist: abrt_etc_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, afs_cache_t, initrc_tmp_t, kdump_crash_t, mail_home_rw_t, mock_var_lib_t, postfix_postdrop_t, puppet_tmp_t, rhsmcertd_var_run_t, rpm_log_t, rpm_var_cache_t, rpm_var_run_t, sysfs_t, user_cron_spool_t, user_tmp_t, usr_t. 
Führen Sie danach Folgendes aus: 
restorecon -v '/var/lib/rpm/rpmdb.sqlite-wal'


*****  Plugin catchall (17.1 confidence) suggests   **************************

Wenn Sie denken, dass es abrt-action-lis standardmäßig erlaubt sein sollte, write Zugriff auf rpmdb.sqlite-wal file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'abrt-action-lis' --raw | audit2allow -M my-abrtactionlis
# semodule -X 300 -i my-abrtactionlis.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/rpm/rpmdb.sqlite-wal [ file ]
Source                        abrt-action-lis
Source Path                   abrt-action-lis
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            <Unbekannt>
Local Policy RPM              selinux-policy-targeted-3.14.6-29.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.17-300.fc33.x86_64 #1 SMP Thu
                              Oct 29 15:55:40 UTC 2020 x86_64 x86_64
Alert Count                   477
First Seen                    2020-11-03 17:13:48 CET
Last Seen                     2020-11-07 11:34:42 CET
Local ID                      e95517ee-2740-4627-bdeb-89b2b1e11a66

Raw Audit Messages
type=AVC msg=audit(1604745282.488:20105): avc:  denied  { write } for  pid=5827 comm="abrt-action-lis" name="rpmdb.sqlite-wal" dev="dm-2" ino=3276873 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: abrt-action-lis,abrt_t,var_lib_t,file,write

Comment 2 Panu Matilainen 2020-11-09 07:27:27 UTC


*** This bug has been marked as a duplicate of bug 1461313 ***

Note You need to log in before you can comment on or make changes to this bug.