Description of problem: SELinux is preventing switcheroo-cont from 'getattr' accesses on the filesystem /dev/shm. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that switcheroo-cont should be allowed getattr access on the shm filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'switcheroo-cont' --raw | audit2allow -M my-switcheroocont # semodule -X 300 -i my-switcheroocont.pp Additional Information: Source Context system_u:system_r:switcheroo_control_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects /dev/shm [ filesystem ] Source switcheroo-cont Source Path switcheroo-cont Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-42.2-1.fc42.noarch Local Policy RPM selinux-policy-targeted-42.2-1.fc42.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.15.8-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 24 13:26:52 UTC 2025 x86_64 Alert Count 6 First Seen 2025-07-30 15:42:02 CEST Last Seen 2025-07-31 08:37:22 CEST Local ID 829422cb-9aed-427d-9f86-654a58840843 Raw Audit Messages type=AVC msg=audit(1753943842.431:76351): avc: denied { getattr } for pid=1134 comm="switcheroo-cont" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:switcheroo_control_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 Hash: switcheroo-cont,switcheroo_control_t,tmpfs_t,filesystem,getattr Version-Release number of selected component: selinux-policy-targeted-42.2-1.fc42.noarch Additional info: reporter: libreport-2.17.15 component: selinux-policy type: libreport hashmarkername: setroubleshoot package: selinux-policy-targeted-42.2-1.fc42.noarch kernel: 6.15.8-200.fc42.x86_64 reason: SELinux is preventing switcheroo-cont from 'getattr' accesses on the filesystem /dev/shm. component: selinux-policy
Created attachment 2100968 [details] File: os_info
Created attachment 2100969 [details] File: description
Hello, Is there any configuration change needed to trigger this denial? Can you set your system to permissive mode and try again to collect all denials? setenforce 0
Hi, I'm not aware of any changes apart from regular dnf updates. I started reporting these as I'm getting some unrelated AVC denials due to installing of an antivirus (this is my company laptop). I was mostly ignoring them before.. I'll try with permissive settings.
It happened again in Permissive mode: SELinux is preventing switcheroo-cont from getattr access on the filesystem /dev/shm. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that switcheroo-cont should be allowed getattr access on the shm filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'switcheroo-cont' --raw | audit2allow -M my-switcheroocont # semodule -X 300 -i my-switcheroocont.pp Additional Information: Source Context system_u:system_r:switcheroo_control_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects /dev/shm [ filesystem ] Source switcheroo-cont Source Path switcheroo-cont Port <Unknown> Host fedora Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-42.2-1.fc42.noarch Local Policy RPM selinux-policy-targeted-42.2-1.fc42.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name fedora Platform Linux fedora 6.15.8-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 24 13:26:52 UTC 2025 x86_64 Alert Count 9 First Seen 2025-07-30 15:42:02 CEST Last Seen 2025-07-31 14:06:06 CEST Local ID 829422cb-9aed-427d-9f86-654a58840843 Raw Audit Messages type=AVC msg=audit(1753963566.784:87862): avc: denied { getattr } for pid=1134 comm="switcheroo-cont" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:switcheroo_control_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 Hash: switcheroo-cont,switcheroo_control_t,tmpfs_t,filesystem,getattr
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5
FEDORA-2025-7a468a12c5 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7a468a12c5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.