Description of problem: SELinux is preventing genie-daemon from 'watch' accesses on the file /root/distrs/inside/static_service.s3srv. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /root/distrs/inside/static_service.s3srv default label should be admin_home_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /root/distrs/inside/static_service.s3srv ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that genie-daemon should be allowed watch access on the static_service.s3srv file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'genie-daemon' --raw | audit2allow -M my-geniedaemon # semodule -X 300 -i my-geniedaemon.pp Additional Information: Source Context system_u:system_r:container_t:s0:c623,c904 Target Context system_u:object_r:fusefs_t:s0 Target Objects /root/distrs/inside/static_service.s3srv [ file ] Source genie-daemon Source Path genie-daemon Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.8-1.fc35.noarch Local Policy RPM selinux-policy-targeted-3.14.8-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.11.0-0.rc7.20210212git291009f656 e8.151.fc35.x86_64 #1 SMP Sat Feb 13 01:01:00 +05 2021 x86_64 x86_64 Alert Count 3 First Seen 2021-02-15 10:22:40 +05 Last Seen 2021-02-15 10:23:41 +05 Local ID a43a6d98-a7df-4044-95a3-3e9c593e9c13 Raw Audit Messages type=AVC msg=audit(1613366621.549:858): avc: denied { watch } for pid=83899 comm="genie-daemon" path="/root/distrs/inside/static_service.s3srv" dev="fuse" ino=173812483 scontext=system_u:system_r:container_t:s0:c623,c904 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1 Hash: genie-daemon,container_t,fusefs_t,file,watch Version-Release number of selected component: selinux-policy-targeted-3.14.8-1.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64 type: libreport
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle. Changing version to 35.
*** Bug 1928602 has been marked as a duplicate of this bug. ***
Container is not allowed to access data outside the container by default. If you need it, either disable container separation, or include the directory in the container setup, or enable the virt_sandbox_use_fusefs boolean as suggested by setroubleshoot. Closing NOTABUG.