Description of problem:
SELinux is preventing snapperd from 'read' accesses on the sock_file bus_0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should be allowed read access on the bus_0 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp

Additional Information:
Source Context                system_u:system_r:snapperd_t:s0
Target Context                unconfined_u:object_r:cache_home_t:s0
Target Objects                bus_0 [ sock_file ]
Source                        snapperd
Source Path                   snapperd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.17-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.17-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-06-28 08:45:58 CEST
Last Seen                     2023-06-28 08:45:58 CEST
Local ID                      e34e621c-e958-42aa-81ef-2b2f69e09db7

Raw Audit Messages
type=AVC msg=audit(1687934758.259:441): avc: denied { read } for pid=9224 comm="snapperd" name="bus_0" dev="nvme0n1p2" ino=3558541 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0

Hash: snapperd,snapperd_t,cache_home_t,sock_file,read

Version-Release number of selected component:
selinux-policy-targeted-38.17-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing snapperd from 'read' accesses on the sock_file bus_0.
package:        selinux-policy-targeted-38.17-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.8-200.fc38.x86_64
component:      selinux-policy
Created attachment 1972958 [details] File: description
Created attachment 1972959 [details] File: os_info
Hello, Do you know at which moment this denial appears and which configuration change is needed? I cannot reproduce this problem.
(In reply to Zdenek Pytela from comment #3)
> Hello,
>
> Do you know at which moment this denial appears and which configuration
> change is needed? I cannot reproduce this problem.

Hi! I have Snapper configured to take a snapshot before and after I execute 'sudo dnf up'. I get this denial after I execute the upgrade command.
(In reply to Thomas from comment #4)
> (In reply to Zdenek Pytela from comment #3)
> > Hello,
> >
> > Do you know at which moment this denial appears and which configuration
> > change is needed? I cannot reproduce this problem.
>
> Hi! I have Snapper configured to take a snapshot before and after I execute
> 'sudo dnf up'. I get this denial after I execute the upgrade command.

Thank you. And what is the bus_0 file, how was it created?
Honestly, I have no idea. Do you know how I can find out? Thank you.
With full auditing enabled:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
   -a task,never
3) Add the following line to the end of the file:
   -w /etc/shadow -p w
4) Restart the audit daemon:
   # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

we can gather more information, but I suppose the file usage is set somewhere in snapperd configuration.
Are there any logs in journal?
(In reply to Zdenek Pytela from comment #7)
> With full auditing enabled:
>
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
>    -a task,never
> 3) Add the following line to the end of the file:
>    -w /etc/shadow -p w
> 4) Restart the audit daemon:
>    # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>
> we can gather more information, but I suppose the file usage is set
> somewhere in snapperd configuration.
> Are there any logs in journal?

The logs have one entry when I search on bus_0:

2023-06-28 08:45:58 ERR libsnapper(9224) XAttributes.cc(XAttributes):153 - Couldn't get xattributes names-list size. link: //.snapshots/2284/snapshot/root/.cache/at-spi/bus_0, error: Permission denied

The AVC denials after executing dnf up:

----
type=PROCTITLE msg=audit(29/06/23 09:33:36.273:494) : proctitle=/usr/sbin/snapperd
type=PATH msg=audit(29/06/23 09:33:36.273:494) : item=0 name=bus_0 inode=3558541 dev=00:24 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:cache_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(29/06/23 09:33:36.273:494) : cwd=/
type=SYSCALL msg=audit(29/06/23 09:33:36.273:494) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xd a1=0x7f73a9bfc568 a2=O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=16924 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0 key=(null)
type=AVC msg=audit(29/06/23 09:33:36.273:494) : avc: denied { read } for pid=16924 comm=snapperd name=bus_0 dev="nvme1n1p2" ino=3558541 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0
Created attachment 1973392 [details]
Snapper cil module

Hi, can you please try to install this snapper cil module and rerun your scenario?

# semodule -i snapper.cil

Thank you,
Nikola
(In reply to Nikola Knazekova from comment #9)
> Created attachment 1973392 [details]
> Snapper cil module
>
> Hi, can you please try to install this snapper cil module and rerun your
> scenario?
>
> # semodule -i snapper.cil
>
> Thank you,
> Nikola

Hello,

When I try to click the link I get an error: "Sorry, you are not authorized to access attachment #1973392 [details]."

Thank you.

Best regards,
Thomas
(In reply to Nikola Knazekova from comment #9)
> Created attachment 1973392 [details]
> Snapper cil module
>
> Hi, can you please try to install this snapper cil module and rerun your
> scenario?
>
> # semodule -i snapper.cil
>
> Thank you,
> Nikola

Hello Nikola,

I installed the snapper cil module, but after running dnf up and installing the updates I still get the same AVC denial message.

Best regards,
Thomas
Can you please give me output of this? semodule -lfull | grep snapper
(In reply to Nikola Knazekova from comment #12)
> Can you please give me output of this?
> semodule -lfull | grep snapper

Here you go:

$ semodule -lfull | grep snapper
400 snapper cil
300 my-snapperd pp
100 snapper pp
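The listing above shows two modules named snapper, at priorities 400 and 100. semodule keeps only the highest-priority module of a given name active, so a CIL module installed as "snapper" (semodule -i defaults to priority 400) replaces the distribution's snapper module at 100 instead of supplementing it, whereas setroubleshoot's suggested my-snapperd module at 300 has its own name and coexists with it. The script below is an added example, not code from the bug report, the attachment or the selinux-policy project: a POSIX shell script that derives the CIL allow rule implied by the AVC line quoted in the report and checks a semodule -lfull listing for same-name shadowing. Both sample inputs are copied from the report; the derived rule reflects only what that AVC asks for and says nothing about what the attached snapper.cil actually contains.

```shell
#!/bin/sh
# Added example (not from the bug report). Turns a raw AVC denial into the
# CIL allow rule it implies, and shows which of several same-named policy
# modules semodule will actually use.

# Constructed sample input: the AVC line from the report, verbatim.
AVC_LINE='type=AVC msg=audit(1687934758.259:441): avc: denied { read } for pid=9224 comm="snapperd" name="bus_0" dev="nvme0n1p2" ino=3558541 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file permissive=0'

# Constructed sample input: the `semodule -lfull | grep snapper` output
# from the thread, one "priority name type" entry per line.
MODULE_LIST='400 snapper cil
300 my-snapperd pp
100 snapper pp'

# avc_to_cil LINE
# Prints "(allow <source_type> <target_type> (<class> (<perms>)))", i.e. the
# rule audit2allow would generate for this denial, in CIL syntax.
# Returns 1 if any of the four fields is missing from the line.
avc_to_cil() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    printf '(allow %s %s (%s (%s)))\n' "$stype" "$ttype" "$tclass" "$perms"
}

# active_priority NAME LIST
# Prints the priority of the module named NAME that semodule treats as active:
# the highest priority among all entries with that name. Prints nothing if
# NAME is not in the list.
active_priority() {
    name=$1
    list=$2
    printf '%s\n' "$list" | awk -v n="$name" \
        '$2 == n && $1+0 > best { best = $1+0 } END { if (best) print best }'
}

# shadowed_priorities NAME LIST
# Prints (space-separated) the priorities of same-named modules that are
# installed but inactive because a higher-priority NAME exists.
shadowed_priorities() {
    name=$1
    list=$2
    best=$(active_priority "$name" "$list")
    printf '%s\n' "$list" | awk -v n="$name" -v b="$best" \
        '$2 == n && $1+0 != b { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

main() {
    echo "Rule implied by the AVC (review before loading; not the attachment's content):"
    avc_to_cil "$AVC_LINE"
    echo
    for m in snapper my-snapperd; do
        active=$(active_priority "$m" "$MODULE_LIST")
        shadowed=$(shadowed_priorities "$m" "$MODULE_LIST")
        if [ -n "$shadowed" ]; then
            echo "module '$m': priority $active is active; priority $shadowed is shadowed (its rules are NOT loaded)"
        else
            echo "module '$m': priority $active is active; no same-name module shadowed"
        fi
    done
}

main
```

If the intent of a local module is to add a rule on top of the distribution policy, install it under its own name; a module that reuses the name of a distribution module at a higher priority must carry the full set of rules, because the lower-priority copy is no longer consulted once it is shadowed.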
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.