Description of problem: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that snapd should be allowed connectto access on the snapd-session-agent.socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'snapd' --raw | audit2allow -M my-snapd # semodule -X 300 -i my-snapd.pp Additional Information: Source Context system_u:system_r:snappy_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0- s0:c0.c1023 Target Objects /run/user/1000/snapd-session-agent.socket [ unix_stream_socket ] Source snapd Source Path snapd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.10-1.fc36.noarch Local Policy RPM snapd-selinux-2.56.2-1.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.18.6-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 22 13:46:18 UTC 2022 x86_64 x86_64 Alert Count 1 First Seen 2022-07-05 17:15:35 EDT Last Seen 2022-07-05 17:15:35 EDT Local ID 966d6878-fa6e-4f71-b2a1-934f272383fe Raw Audit Messages type=AVC msg=audit(1657055735.21:2636): avc: denied { connectto } for pid=327039 comm="snapd" path="/run/user/1000/snapd-session-agent.socket" scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 Hash: snapd,snappy_t,unconfined_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-targeted-36.10-1.fc36.noarch Additional info: component: snapd reporter: libreport-2.17.1 hashmarkername: setroubleshoot kernel: 5.18.6-200.fc36.x86_64 type: libreport
Similar problem has been detected: Nordpass [Snap] is trying to update. I would like to let it, so I followed the advice of the SELinux Alert Browser by allowing access so Snap can update Nordpass. Is there anything else I can do to make sure it will go through? I'll be rebooting soon to check.[0D] [0D] Thank you for your time! hashmarkername: setroubleshoot kernel: 5.18.11-200.fc36.x86_64 package: selinux-policy-targeted-36.10-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. type: libreport
Similar problem has been detected: No specific steps involved. Installed snap and after the latest update selinux complained about an alert related to snapd. Also snap refresh reported all packages being up to date although there was at least one pending update. Applying the custom module recommended to create by setroubleshoot fixed the issue. hashmarkername: setroubleshoot kernel: 5.18.15-200.fc36.x86_64 package: selinux-policy-targeted-36.10-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. type: libreport
Similar problem has been detected: I have just run this command : env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/signal-desktop_signal-desktop.desktop /var/lib/snapd/snap/bin/signal-desktop --no-sandbox %U hashmarkername: setroubleshoot kernel: 5.18.18-200.fc36.x86_64 package: selinux-policy-targeted-36.14-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. type: libreport
Similar problem has been detected: SELinux is preventing snapd from connectto access on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that snapd should be allowed connectto access on the snapd-session-agent.socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'snapd' --raw | audit2allow -M my-snapd # semodule -X 300 -i my-snapd.pp Additional Information: Source Context system_u:system_r:snappy_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0- s0:c0.c1023 Target Objects /run/user/1000/snapd-session-agent.socket [ unix_stream_socket ] Source snapd Source Path snapd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.14-1.fc36.noarch Local Policy RPM snapd-selinux-2.56.2-4.fc36.noarch Selinux Enabled True Policy Type targeted hashmarkername: setroubleshoot kernel: 5.19.6-200.fc36.x86_64 package: selinux-policy-targeted-36.14-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. type: libreport
Similar problem has been detected: Booted PC Logged in Started the Shortwave application by clicking on icon hashmarkername: setroubleshoot kernel: 5.19.8-200.fc36.x86_64 package: selinux-policy-targeted-36.14-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. type: libreport
Similar problem has been detected: Booted Logged in hashmarkername: setroubleshoot kernel: 5.19.8-200.fc36.x86_64 package: selinux-policy-targeted-36.14-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/1000/snapd-session-agent.socket. type: libreport
Similar problem has been detected: updated to Fedora 36 and have been getting snap selinux alerts ever since. I have updated often, but still get the alerts. hashmarkername: setroubleshoot kernel: 5.19.14-200.fc36.x86_64 package: selinux-policy-targeted-36.15-1.fc36.noarch reason: SELinux is preventing snapd from 'connectto' accesses on the unix_stream_socket /run/user/10240/snapd-session-agent.socket. type: libreport
This message is a reminder that Fedora Linux 36 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '36'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 36 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 36 entered end-of-life (EOL) status on 2023-05-16. Fedora Linux 36 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.