Bug 2066740 - SELinux is preventing snap-confine from mounton access on the directory /tmp
Summary: SELinux is preventing snap-confine from mounton access on the directory /tmp
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: snapd
Version: epel7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Zygmunt Krynicki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-22 11:48 UTC by Phil Perry
Modified: 2022-03-22 13:39 UTC
CC: 6 users

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Phil Perry 2022-03-22 11:48:22 UTC
Description of problem:

SELinux is preventing snap-confine from mounton access on the directory /tmp


Version-Release number of selected component (if applicable):
snap-confine-2.54.4-1.el7.x86_64
snapd-2.54.4-1.el7.x86_64
snapd-selinux-2.54.4-1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. update snapd to version 2.54.4-1.el7.x86_64

Actual results:
SELinux is preventing snap-confine from mounton access on the directory /tmp

Expected results:
Runs without SELinux warnings/errors

Additional info:
This is on a fully updated RHEL7 system:

SELinux is preventing snap-confine from mounton access on the directory /tmp.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/tmp default label should be tmp_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /tmp

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that snap-confine should be allowed mounton access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snap-confine' --raw | audit2allow -M my-snapconfine
# semodule -i my-snapconfine.pp

Additional Information:
Source Context                system_u:system_r:snappy_confine_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        snap-confine
Source Path                   snap-confine
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           
Target RPM Packages           filesystem-3.2-25.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed>
                              3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 16
                              12:17:35 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-03-22 04:15:42 GMT
Last Seen                     2022-03-22 04:15:42 GMT
Local ID                      a8d253e4-b710-4a24-b6a6-eb6252294b78

Raw Audit Messages
type=AVC msg=audit(1647922542.803:26988): avc:  denied  { mounton } for  pid=10455 comm="snap-confine" path="/tmp" dev="md127" ino=6032773 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1


Hash: snap-confine,snappy_confine_t,user_tmp_t,dir,mounton
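The two plugin suggestions in the alert above pull in opposite directions: the restorecon plugin says /tmp is mislabeled (user_tmp_t where the file-context database expects tmp_t), while the catchall plugin offers an audit2allow module that would simply grant snappy_confine_t mounton on user_tmp_t and so hide the mislabel instead of fixing it. The script below is an added example, not part of the bug report or of snapd, showing how to triage a raw AVC record offline in POSIX sh: it extracts the fields, compares the target's type with the expected default type for the path, and reports whether the right action is a relabel (restorecon) or a genuine policy gap worth reporting. The sample AVC line is constructed from the one in the report; the expected type tmp_t is taken from the restorecon plugin's message, and on a live host you would obtain it with `matchpathcon /tmp` rather than hard-coding it. Note also the `permissive=1` at the end of the record: the audit subsystem sets that when the access was logged but not actually blocked, which is the case when the source domain itself is permissive even though the system as a whole is enforcing.

```shell
#!/bin/sh
# Added example (not from the bug report or from snapd): offline triage of a
# raw SELinux AVC record. Pure POSIX sh so it runs without SELinux tools.

# Constructed sample: same field values as the AVC record in the report.
AVC_LINE='type=AVC msg=audit(1647922542.803:26988): avc:  denied  { mounton } for  pid=10455 comm="snap-confine" path="/tmp" dev="md127" ino=6032773 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1'

# avc_field LINE KEY -> value of the space-separated KEY=VALUE token,
# with surrounding double quotes stripped. Returns 1 if KEY is absent.
avc_field() {
    _l=$1; _k=$2
    case "$_l" in
        *" $_k="*) ;;
        *) return 1 ;;
    esac
    _v=${_l##*" $_k="}      # everything after ' KEY='
    _v=${_v%% *}            # first whitespace-delimited token only
    _v=${_v#\"}; _v=${_v%\"} # drop quotes around comm="..." style values
    printf '%s\n' "$_v"
}

# avc_perm LINE -> the permission named inside "{ ... }" (e.g. mounton)
avc_perm() {
    _p=${1#*"{ "}
    printf '%s\n' "${_p%%" }"*}"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    _t=${1#*:}; _t=${_t#*:}   # drop SELinux user and role
    printf '%s\n' "${_t%%:*}" # drop the MLS/MCS level
}

# triage_avc LINE EXPECTED_TYPE
# Prints "relabel" when the object's actual type differs from the default
# type the file-context database assigns to that path (here tmp_t for /tmp,
# as the restorecon plugin in the report states; assumption: the caller
# supplies it, e.g. from `matchpathcon PATH` on the real host). Otherwise
# prints "policy": the label is right and the denial is a policy gap to
# report, not something to paper over with audit2allow. Appends
# ",permissive" when the record says the access was logged but not blocked.
triage_avc() {
    _line=$1; _expected=$2
    _actual=$(ctx_type "$(avc_field "$_line" tcontext)")
    if [ "$_actual" != "$_expected" ]; then
        _verdict=relabel
    else
        _verdict=policy
    fi
    if [ "$(avc_field "$_line" permissive)" = 1 ]; then
        _verdict="$_verdict,permissive"
    fi
    printf '%s\n' "$_verdict"
}

# Human-readable summary for the sample record. On the live host the
# follow-up for a "relabel" verdict is `restorecon -v PATH` and then a check
# with `ls -Zd PATH`; audit2allow is only appropriate for the "policy" case.
report_avc() {
    printf '%s (%s) -> %s on %s [%s], verdict: %s\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" path)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(triage_avc "$1" "$2")"
}

report_avc "$AVC_LINE" tmp_t
```

For the record in this report the verdict is "relabel,permissive": /tmp carries user_tmp_t instead of the default tmp_t, so `restorecon -v /tmp` is the fix to try first, and the trailing `permissive=1` means snap-confine was not actually stopped by the denial.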

