Description of problem:
SELinux is preventing snap-confine from mounton access on the directory /tmp

Version-Release number of selected component (if applicable):
snap-confine-2.54.4-1.el7.x86_64
snapd-2.54.4-1.el7.x86_64
snapd-selinux-2.54.4-1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. update snapd to version 2.54.4-1.el7.x86_64
2.
3.

Actual results:
SELinux is preventing snap-confine from mounton access on the directory /tmp

Expected results:
Runs without SELinux warnings/errors

Additional info:
This is on a fully updated RHEL7 system:

SELinux is preventing snap-confine from mounton access on the directory /tmp.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/tmp default label should be tmp_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /tmp

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that snap-confine should be allowed mounton access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snap-confine' --raw | audit2allow -M my-snapconfine
# semodule -i my-snapconfine.pp

Additional Information:
Source Context                system_u:system_r:snappy_confine_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        snap-confine
Source Path                   snap-confine
Port                          <Unknown>
Host                          <removed>
Source RPM Packages
Target RPM Packages           filesystem-3.2-25.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed> 3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 16 12:17:35 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-03-22 04:15:42 GMT
Last Seen                     2022-03-22 04:15:42 GMT
Local ID                      a8d253e4-b710-4a24-b6a6-eb6252294b78

Raw Audit Messages
type=AVC msg=audit(1647922542.803:26988): avc: denied { mounton } for pid=10455 comm="snap-confine" path="/tmp" dev="md127" ino=6032773 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1

Hash: snap-confine,snappy_confine_t,user_tmp_t,dir,mounton
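
Added example, not part of the original report or of snapd: a small Python parser for the raw AVC record above. It renders the allow rule a local policy module would have to contain, and shows that the record carries permissive=1 (the access was logged, not blocked) and that the target type differs from the tmp_t default named by the restorecon plugin. The function names are illustrative.

```python
import re

# AVC record copied verbatim from the report above.
AVC = ('type=AVC msg=audit(1647922542.803:26988): avc: denied { mounton } '
       'for pid=10455 comm="snap-confine" path="/tmp" dev="md127" ino=6032773 '
       'scontext=system_u:system_r:snappy_confine_t:s0 '
       'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=1: the kernel logged the denial but let the access proceed.
    # Assumption: a record without the field is treated as blocked.
    rec['blocked'] = rec['result'] == 'denied' and rec.get('permissive') != '1'
    return rec

def te_rule(rec):
    """Render the type-enforcement allow rule that would cover this record."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"

def label_mismatch(rec, expected_type):
    """True when the target type differs from the expected default label."""
    return rec['ttype'] != expected_type

if __name__ == '__main__':
    r = parse_avc(AVC)
    print(te_rule(r))
    print('blocked:', r['blocked'])
    print('target type differs from tmp_t:', label_mismatch(r, 'tmp_t'))
```

Reading the rule this way before running `semodule -i` makes it clear exactly which source type, target type, class and permission the local module would open up.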

EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.