Bug 1973808 - SELinux is preventing /usr/bin/file from 'search' accesses on the directory /dev/dma_heap/system.
Summary: SELinux is preventing /usr/bin/file from 'search' accesses on the directory /...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:f782e24f5987b5e5adad5944db5...
Depends On:
TreeView+ depends on / blocked
Reported: 2021-06-18 18:34 UTC by Michael Setzer II
Modified: 2021-07-18 01:03 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.14.6-39.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-07-18 01:03:23 UTC
Type: ---

Attachments (Terms of Use)

Description Michael Setzer II 2021-06-18 18:34:42 UTC
Description of problem:
Shows up in SELinux Troubleshooter.
Might be linked to the cron.daily running of rkhunter??
SELinux is preventing /usr/bin/file from 'search' accesses on the directory /dev/dma_heap/system.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that file should be allowed search access on the system directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'file' --raw | audit2allow -M my-file
# semodule -X 300 -i my-file.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                system_u:object_r:dma_device_t:s0
Target Objects                /dev/dma_heap/system [ dir ]
Source                        file
Source Path                   /usr/bin/file
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           file-5.39-3.fc33.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-38.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-38.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.12.10-200.fc33.x86_64 #1 SMP Thu
                              Jun 10 14:19:48 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-06-19 04:30:47 ChST
Last Seen                     2021-06-19 04:30:47 ChST
Local ID                      93da5410-67c1-496a-8fcc-7ff40a101072

Raw Audit Messages
type=AVC msg=audit(1624041047.343:1867): avc:  denied  { search } for  pid=641697 comm="file" name="dma_heap" dev="devtmpfs" ino=130 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_t:s0 tclass=dir permissive=1

type=SYSCALL msg=audit(1624041047.343:1867): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffd31a29e03 a1=7ffd31a27a20 a2=7ffd31a27a20 a3=22 items=1 ppid=641696 pid=641697 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=file exe=/usr/bin/file subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1624041047.343:1867): cwd=/etc/cron.daily

type=PATH msg=audit(1624041047.343:1867): item=0 name=/dev/dma_heap/system inode=131 dev=00:05 mode=020600 ouid=0 ogid=0 rdev=fb:00 obj=system_u:object_r:dma_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: file,unconfined_t,dma_device_t,dir,search

Version-Release number of selected component:

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.12.10-200.fc33.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2021-06-21 11:24:23 UTC
I've submitted a Fedora PR to backport the solution to F33:

Comment 2 Nick Carboni 2021-06-21 19:08:47 UTC
For anyone else who might be running into this.. 
Relabeling after disabling selinux didn't work for me, but I was able to get things working again by doing a `dnf downgrade selinux-policy` which brought me from selinux-policy-3.14.6-38.fc33.noarch to selinux-policy-3.14.6-28.fc33.noarch.

This issue was preventing docker from running some containers for me with audit logs like the following:
type=AVC msg=audit(1624300881.843:1562): avc:  denied  { read } for  pid=1760 comm="dockerd" name="dma_heap" dev="devtmpfs" ino=150 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:dma_device_t:s0 tclass=dir permissive=0

Comment 3 Fedora Update System 2021-07-02 08:42:57 UTC
FEDORA-2021-3b341e9e71 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3b341e9e71

Comment 4 Fedora Update System 2021-07-03 01:04:34 UTC
FEDORA-2021-3b341e9e71 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3b341e9e71`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3b341e9e71

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-07-18 01:03:23 UTC
FEDORA-2021-3b341e9e71 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.