Bug 2063994 - SELinux is preventing waydroid from 'getattr' accesses on the chr_file /dev/binderfs/anbox-binder.
Summary: SELinux is preventing waydroid from 'getattr' accesses on the chr_file /dev/b...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: waydroid
Version: 37
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Alessandro Astone
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6a46155555310df44dc85fc6838...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-14 20:37 UTC by Mikhail
Modified: 2023-07-31 08:16 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Mikhail 2022-03-14 20:37:04 UTC 
Description of problem:
SELinux is preventing waydroid from 'getattr' accesses on the chr_file /dev/binderfs/anbox-binder.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that waydroid should be allowed getattr access on the anbox-binder chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'waydroid' --raw | audit2allow -M my-waydroid
# semodule -X 300 -i my-waydroid.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:binderfs_t:s0
Target Objects                /dev/binderfs/anbox-binder [ chr_file ]
Source                        waydroid
Source Path                   waydroid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.4-3.fc37.noarch
Local Policy RPM              selinux-policy-targeted-36.4-3.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.17.0-
                              0.rc7.20220311git79b00034e9dc.120.fc37.x86_64 #1
                              SMP PREEMPT Fri Mar 11 19:41:52 UTC 2022 x86_64
                              x86_64
Alert Count                   3
First Seen                    2022-03-14 21:53:30 +05
Last Seen                     2022-03-14 23:59:52 +05
Local ID                      2fd96aef-db23-4bd6-819d-383c6aae39bf

Raw Audit Messages
type=AVC msg=audit(1647284392.6:1484): avc:  denied  { getattr } for  pid=347262 comm="waydroid" path="/dev/binderfs/anbox-binder" dev="binder" ino=7 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:binderfs_t:s0 tclass=chr_file permissive=1


Hash: waydroid,init_t,binderfs_t,chr_file,getattr

Version-Release number of selected component:
selinux-policy-targeted-36.4-3.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.0-0.rc7.20220311git79b00034e9dc.120.fc37.x86_64
type:           libreport
Comment 1 Zdenek Pytela 2022-03-15 07:50:19 UTC 
Hi Mikhail,

I cannot find waydroid in Fedora. Where did you get it?
Comment 2 Mikhail 2022-03-15 07:55:37 UTC 
Here discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1455411
Here repo: https://copr.fedorainfracloud.org/coprs/aleasto/waydroid/
Comment 3 Zdenek Pytela 2022-03-15 10:33:52 UTC 
I see, so it requires confining the service and adding policy for it.
Comment 4 Ben Cotton 2022-08-09 13:36:48 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle.
Changing version to 37.
Comment 5 Alessandro Astone 2023-01-03 11:12:20 UTC 
We're starting to ship waydroid in fedora repos. It includes a waydroid-selinux package.
Under normal operation this issue will not happen, however there is still a path that triggers this audit but doesn't affect functionality.
That path is invoking a `sudo waydroid init` command without having previously started `waydroid-container.service` that would have triggered `dev-binderfs.mount` and properly exposed the binder devices.
`sudo waydroid init` is not the preferred mode of operation as by the official waydroid docs, and we're tracking auto-starting `waydroid-container.service` here: https://bugzilla.redhat.com/show_bug.cgi?id=2157810
Note You need to log in before you can comment on or make changes to this bug.