Description of problem: SELinux is preventing sddm-greeter from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. ***** Plugin catchall_boolean (57.6 confidence) suggests ****************** If you want to allow domain to can mmap files Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean. Do setsebool -P domain_can_mmap_files 1 ***** Plugin catchall_labels (36.2 confidence) suggests ******************* If you want to allow sddm-greeter to have map access on the icon-theme.cache file Then you need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache Do # semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache' where FILE_TYPE is one of the following: NetworkManager_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_var_cache_t, accountsd_exec_t, acct_exec_t, admin_passwd_exec_t, aide_exec_t, alsa_exec_t, amanda_exec_t, amanda_recover_exec_t, amtu_exec_t, anacron_exec_t, apm_exec_t, audisp_exec_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, avahi_exec_t, bacula_admin_exec_t, bacula_unconfined_script_exec_t, bin_t, blueman_exec_t, bluetooth_helper_exec_t, boot_t, bootloader_exec_t, brctl_exec_t, cache_home_t, calamaris_exec_t, cardctl_exec_t, cdcc_exec_t, cdrecord_exec_t, cert_t, certmonger_unconfined_exec_t, certwatch_exec_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, colord_exec_t, config_home_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, courier_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crontab_exec_t, cupsd_config_exec_t, cvs_exec_t, cyphesis_exec_t, data_home_t, dbus_home_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, debuginfo_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, dhcpc_exec_t, disk_munin_plugin_exec_t, dmesg_exec_t, dmidecode_exec_t, etc_runtime_t, etc_t, exim_exec_t, fail2ban_client_exec_t, fetchmail_exec_t, file_context_t, firewalld_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, ftpdctl_exec_t, fusermount_exec_t, fwupd_exec_t, games_exec_t, gconf_home_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, getty_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpsd_exec_t, groupadd_exec_t, gstreamer_home_t, hostname_exec_t, httpd_passwd_exec_t, hwclock_exec_t, hwloc_dhwd_exec_t, icc_data_home_t, iceauth_exec_t, icecast_exec_t, ifconfig_exec_t, init_exec_t, install_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, irc_exec_t, irssi_exec_t, jockey_exec_t, journalctl_exec_t, kdump_exec_t, kdumpgui_exec_t, keepalived_unconfined_script_exec_t, kismet_exec_t, kmod_exec_t, kpatch_exec_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, lib_t, livecd_exec_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logwatch_exec_t, lpr_exec_t, lsmd_plugin_exec_t, lvm_exec_t, mail_munin_plugin_exec_t, mcelog_exec_t, mencoder_exec_t, mirrormanager_exec_t, mock_build_exec_t, mock_exec_t, modemmanager_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_exec_t, mplayer_exec_t, mrtg_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netutils_exec_t, newrole_exec_t, nscd_var_run_t, ntpdate_exec_t, obex_exec_t, oddjob_mkhomedir_exec_t, openshift_cgroup_read_exec_t, openshift_net_read_exec_t, osbuild_exec_t, pads_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passwd_exec_t, passwd_file_t, pdns_control_exec_t, pinentry_exec_t, ping_exec_t, pkcs11_modules_conf_t, plymouth_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, portmap_helper_exec_t, postfix_exec_t, postfix_map_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_showq_exec_t, pppd_exec_t, prelink_exec_t, preupgrade_exec_t, procmail_exec_t, ptchown_exec_t, pulseaudio_exec_t, puppetca_exec_t, pwauth_exec_t, qemu_exec_t, qmail_tcp_env_exec_t, quota_exec_t, readahead_exec_t, realmd_exec_t, rhsmcertd_exec_t, rpm_exec_t, rpm_var_lib_t, rpmdb_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtkit_daemon_exec_t, run_init_exec_t, samba_net_exec_t, sambagui_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, showmount_exec_t, smbcontrol_exec_t, smoltclient_exec_t, snapperd_exec_t, sosreport_exec_t, spamc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, squid_cron_exec_t, src_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, sysstat_exec_t, system_conf_t, system_db_t, system_munin_plugin_exec_t, systemd_coredump_exec_t, systemd_hwdb_etc_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, textrel_shlib_t, thumb_exec_t, tmpreaper_exec_t, traceroute_exec_t, tvtime_exec_t, uml_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uux_exec_t, var_log_t, virsh_exec_t, virt_qemu_ga_unconfined_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vnstat_exec_t, vpnc_exec_t, watchdog_unconfined_exec_t, webalizer_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xdm_var_lib_t, xdm_var_run_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, xsession_exec_t, zabbix_script_exec_t, zos_remote_exec_t. Then execute: restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache' ***** Plugin catchall (7.64 confidence) suggests ************************** If you believe that sddm-greeter should be allowed map access on the icon-theme.cache file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sddm-greeter' --raw | audit2allow -M my-sddmgreeter # semodule -X 300 -i my-sddmgreeter.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:var_lib_t:s0 Target Objects /var/lib/flatpak/exports/share/icons/hicolor/icon- theme.cache [ file ] Source sddm-greeter Source Path sddm-greeter Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.6-34.fc33.noarch Local Policy RPM selinux-policy-targeted-3.14.6-34.fc33.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.10.7-200.fc33.x86_64 #1 SMP Tue Jan 12 20:20:11 UTC 2021 x86_64 x86_64 Alert Count 2 First Seen 2021-01-17 22:59:33 EET Last Seen 2021-01-18 10:01:44 EET Local ID e33fd209-b697-4be4-b533-af30027f0c3d Raw Audit Messages type=AVC msg=audit(1610956904.439:809): avc: denied { map } for pid=1948 comm="sddm-greeter" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="dm-0" ino=2239669 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 Hash: sddm-greeter,xdm_t,var_lib_t,file,map Version-Release number of selected component: selinux-policy-targeted-3.14.6-34.fc33.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.10.7-200.fc33.x86_64 type: libreport
Similar problem has been detected: Just by logging in to Plasma desktop from SDDM. I think I also have some flatpak apps installed such as Spotify, Zoom. hashmarkername: setroubleshoot kernel: 5.10.7-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing sddm-greeter from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. type: libreport
*** Bug 1919771 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Occurs on bootup, repeats on every reboot. hashmarkername: setroubleshoot kernel: 5.10.11-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing sddm-greeter from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. type: libreport
Similar problem has been detected: Cold startup. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing sddm-greeter from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. type: libreport
Similar problem has been detected: happened (coincidentally?) during checking for software updates. hashmarkername: setroubleshoot kernel: 5.10.18-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing sddm-greeter from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. type: libreport
*** Bug 1936649 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Got the alert upon booting up and logging in (plasma desktop environment). hashmarkername: setroubleshoot kernel: 5.11.10-200.fc33.x86_64 reason: SELinux is preventing sddm-greeter from 'map' accesses on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache. type: libreport
*** This bug has been marked as a duplicate of bug 1916652 ***