stable

container-selinux-2.123.0-2.fc31 and selinux-policy-3.14.4-43.fc31

FEDORA-2019-fefda9dd5e created by zpytela 5 years ago for Fedora 31

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2019-fefda9dd5e

This update has been submitted for testing by zpytela.

5 years ago

This update's test gating status has been changed to 'waiting'.

5 years ago

This update's test gating status has been changed to 'ignored'.

5 years ago
adamwill commented & provided feedback 5 years ago

This breaks gnome-software in openQA testing. Trying to install updates it just gets stuck at "Software catalog is being downloaded". The system journal shows quite a lot of AVCs, including ones for flatpak_helper_t which are probably the issue here:

[adamw@adam tmp]$ journalctl --file var/log/journal/574fce5929ad42c790052a6349619665/system.journal  | grep -i avc
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:37 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:44 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Nov 22 08:48:45 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Nov 22 08:48:45 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2461]: AVC avc:  denied  { read } for  pid=2461 comm="gdbus" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0" trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:45 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2461]: AVC avc:  denied  { search } for  pid=2461 comm="gdbus" name="/" dev="dm-0" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:50:17 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1944]: AVC avc:  denied  { execute } for  pid=1944 comm="(m-helper)" name="flatpak-system-helper" dev="dm-0" ino=272205 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"

This update has been pushed to testing.

5 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

5 years ago
bojan commented & provided feedback 5 years ago

Works here, but with one -1 already, it should be fixed before it goes to stable.

BZ#1770698 SELinux is preventing 11-dhclient from 'add_name' accesses on the directory chrony.servers.wlp61s0.
decathorpe commented & provided feedback 5 years ago

There are multiple issues with this update. First, it doesn't seem to install correctly:

  Running scriptlet: selinux-policy-targeted-3.14.4-42.fc31.noarch          2/4 
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1651
Failed to generate binary
/usr/sbin/semodule:  Failed!

And after rebooting the system, I'm locked out of logging in (both via GDM and TTY) until I reboot with enforcing=0, since setroubleshoot complains about two mislabeled files:

  • /usr/lib/systemd/systemd default label should be init_exec_t
  • /etc/gdm/PreSession/Default default label should be bin_t

Also I'm wondering why this package isn't a critpath package ...

clnetbox commented & provided feedback 5 years ago

Doesn't report "SELinux is preventing 11-dhclient from add_name access on the directory chrony.servers.wlp3s0." any longer, but generates new trouble.

https://bugzilla.redhat.com/show_bug.cgi?id=1770698#c29

decathorpe commented & provided feedback 5 years ago

EDIT: Sorry, never mind, it's a critpath package after all; the icon is just really small in the new Bodhi interface.

akors commented & provided feedback 5 years ago

Not good at all! Broke system login with user accounts, root account and even emergency shell login. Had to add selinux=0 as a kernel parameter at boot to get into my system.

This update has been obsoleted.

5 years ago
imabug commented & provided feedback 5 years ago

Unable to add local policy modules with this version using semodule. I end up getting

Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule:  Failed!

errors. Downgrading to the previous version (3.14.4-40.fc31) allows me to add local policies.

chrismurphy commented & provided feedback 5 years ago

During dnf update:

  Upgrading        : rpm-plugin-selinux-4.15.1-1.fc31.x86_64                 11/142
  Upgrading        : selinux-policy-3.14.4-42.fc31.noarch                    12/142
  Running scriptlet: selinux-policy-3.14.4-42.fc31.noarch                    12/142
  Running scriptlet: selinux-policy-targeted-3.14.4-42.fc31.noarch           13/142
  Upgrading        : selinux-policy-targeted-3.14.4-42.fc31.noarch           13/142
  Running scriptlet: selinux-policy-targeted-3.14.4-42.fc31.noarch           13/142
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
/usr/sbin/semodule: Failed!

lvrabec commented & provided feedback 5 years ago

Hi All, thank you for the reports.
Neither of the policies mentioned in the reports (container-selinux and flatpak) is shipped by the selinux-policy package, but we're investigating the issue.

Thanks, Lukas.

lvrabec commented & provided feedback 5 years ago
lslebodn commented & provided feedback 5 years ago

Workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1776034#c5

There is also another workaround: downgrade selinux-policy to -41 and reinstall the package container-selinux. https://bugzilla.redhat.com/show_bug.cgi?id=1776248#c5

zpytela commented & provided feedback 5 years ago

Seems to be more of an issue with container-selinux:

https://github.com/containers/container-selinux/pull/84

decathorpe commented & provided feedback 5 years ago

I doubt it - I don't even have container-selinux installed on my system.

adamwill commented & provided feedback 5 years ago

The openQA update tests are strictly limited to the update in question: we start from a disk image built by virt-install, update it from the stable update repository, then add a repository containing only packages from the update. The openQA test fails consistently when run on this update, but passes when run on other updates. So the problem is definitely caused by this update, not by anything else.

lvrabec commented & provided feedback 5 years ago

@adamwill, would it be possible to run the testsuite with scratch builds? (I could provide scratch builds.)

Thanks, Lukas.

lslebodn commented & provided feedback 5 years ago

@adamwill, sure, this Bodhi update caused issues in openQA tests, but it does not mean that the real bug was in selinux-policy. It could just reveal a bug in container-selinux.

I rebuilt the latest container-selinux from rawhide on f31 [1] and I cannot reproduce BZ1776248 with selinux-policy-3.14.4-42.fc31.noarch + container-selinux-2:2.123.0-0.1.dev.git661a904.fc31.noarch

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=39375295

adamwill commented & provided feedback 5 years ago

@lvrabec yes, I can test scratch builds. Just give me the link and I can fire it. @lslebodn, if you think this should be fixed by changing container-selinux, we need to confirm it with the container-selinux devs and add a container-selinux build to this update... @dwalsh, ping on this?

lvrabec commented & provided feedback 5 years ago

@adamwill, I worked with @dwalsh on fixes, so from my POV it's good to go, but let's wait for a formal ack from @dwalsh. As @lslebodn proposed on IRC, this should be a group update of the selinux-policy + container-selinux packages. BUT we need to increase the selinux-policy version required by the container-selinux package.

zpytela commented & provided feedback 5 years ago

I can confirm the updated container-selinux-2.123.0-1.fc31 package does not trigger an error any longer on either of my systems together with selinux-policy-3.14.4-42.fc31.

adamwill commented & provided feedback 5 years ago

So @dwalsh, could you update container-selinux to depend on a newer selinux-policy, and then we can add the new container-selinux build to this update and obsolete FEDORA-2019-edc1551b22? Thanks!

aanno commented & provided feedback 5 years ago

In regard to BZ#1755396:

Package selinux-policy-3.14.4-42.fc31 works better - but the problem is not gone with it. I now find the following in dmesg:

[ 23.565628] audit: type=1130 audit(1574968794.744:64): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 23.574364] device-mapper: table: 253:11: cache: unknown target type
[ 23.574396] audit: type=1400 audit(1574968794.753:65): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 23.575494] device-mapper: ioctl: error adding target to table
[ 23.632232] device-mapper: table: 253:11: cache: unknown target type
[ 23.632265] audit: type=1400 audit(1574968794.811:66): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 23.633468] device-mapper: ioctl: error adding target to table
[ 23.637369] audit: type=1130 audit(1574968794.816:67): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 23.676220] device-mapper: table: 253:11: cache: unknown target type
[ 23.676252] audit: type=1400 audit(1574968794.855:68): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 23.677704] device-mapper: ioctl: error adding target to table

BZ#1755396 SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1.
aanno commented & provided feedback 5 years ago

In regard to BZ#1755396, with the SELinux warning browser I see the following problems with selinux-policy-3.14.4-42.fc31:

* SELinux is preventing mount from 'read' accesses on the blk_file loop1.
Raw Audit Messages
type=AVC msg=audit(1557599764.3:347): avc:  denied  { read } for  pid=5364 comm="mount" name="loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing mount from 'open' accesses on the blk_file /dev/loop1.
Raw Audit Messages
type=AVC msg=audit(1557599764.3:348): avc:  denied  { open } for  pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing mount from 'ioctl' accesses on the blk_file /dev/loop1.
type=AVC msg=audit(1557599764.3:349): avc:  denied  { ioctl } for  pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 ioctlcmd=0x4c05 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing mount from read, write access on the chr_file loop-control.
type=AVC msg=audit(1557599764.3:350): avc:  denied  { read write } for  pid=5364 comm="mount" name="loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1

* SELinux is preventing mount from 'open' accesses on the chr_file /dev/loop-control.
type=AVC msg=audit(1557599764.3:351): avc:  denied  { open } for  pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1

* SELinux is preventing mount from 'ioctl' accesses on the chr_file /dev/loop-control.
type=AVC msg=audit(1557599764.3:352): avc:  denied  { ioctl } for  pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 ioctlcmd=0x4c82 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1

* SELinux is preventing mount from 'write' accesses on the blk_file loop2.
type=AVC msg=audit(1557599764.4:353): avc:  denied  { write } for  pid=5364 comm="mount" name="loop2" dev="devtmpfs" ino=67850 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing systemd from 'create' accesses on the directory recordings.
type=AVC msg=audit(1567538795.411:845): avc:  denied  { create } for  pid=1 comm="systemd" name="recordings" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0

* SELinux is preventing cp from using the 'setfscreate' accesses on a process.
type=AVC msg=audit(1569263071.507:365): avc:  denied  { setfscreate } for  pid=8657 comm="cp" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=process permissive=1

* Process stratisd tried to access system with module_request.
* SELinux is preventing stratisd from 'execute' accesses on the file /usr/sbin/pdata_tools.
type=AVC msg=audit(1572608333.230:776): avc:  denied  { execute } for  pid=16969 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

* SELinux is preventing stratisd from 'execute_no_trans' accesses on the file /usr/sbin/pdata_tools.
type=AVC msg=audit(1572608333.230:777): avc:  denied  { execute_no_trans } for  pid=16969 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

* Process thin_check tried to access /usr/sbin/pdata_tools with map.
* Process stratisd tried to write to directory /stratis
* Process stratisd tried to access directory .mdv-093c... with add_name.
* Process stratisd tried to access directory .mdv-093c... with create.
type=AVC msg=audit(1572695079.107:482): avc:  denied  { create } for  pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

* Process stratisd tried to access directory .mdv-093c... with mounton.
* Process stratisd tried to access filesystem /.
type=AVC msg=audit(1572695079.135:484): avc:  denied  { mount } for  pid=6651 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

* Process stratisd tried to access directory 'filesystems' with read.
type=AVC msg=audit(1572695079.136:486): avc:  denied  { read } for  pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

* Process stratisd tried to access directory 'filesystems' with open.
* Process stratisd tried to access directory 'filesystems' with getattr.
* Process stratisd tried to access filesystem with unmount.
type=AVC msg=audit(1572695079.136:489): avc:  denied  { unmount } for  pid=6651 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

* Process stratisd tried to access directory .mdv-093c... with remove_name.
* Process stratisd tried to access directory .mdv-093c... with rmdir.
type=AVC msg=audit(1572695079.220:491): avc:  denied  { rmdir } for  pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=134343861 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

* Process stratisd tried to access directory 'filesystems' with search.
type=AVC msg=audit(1572695079.247:492): avc:  denied  { search } for  pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

* Process stratisd tried to access file 1715509...4d.json with read.
type=AVC msg=audit(1572695079.247:493): avc:  denied  { read } for  pid=6651 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

* Process stratisd tried to access file 1715509...4d.json with open.
* Process stratisd tried to access /mnt/opt with getattr.
type=AVC msg=audit(1572695079.338:495): avc:  denied  { getattr } for  pid=6651 comm="stratisd" name="/" dev="dm-17" ino=2048 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

* Process stratisd tried to access lnk_file /stratis/stratis_hdd/opt with unlink.
type=AVC msg=audit(1572695079.339:496): avc:  denied  { unlink } for  pid=6651 comm="stratisd" name="opt" dev="dm-4" ino=146941056 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

* Process stratisd tried to access lnk_file /opt with create.
type=AVC msg=audit(1572695079.339:497): avc:  denied  { create } for  pid=6651 comm="stratisd" name="opt" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

* Process systemd tried to access capability2 with mac_admin.
type=AVC msg=audit(1575127332.448:120): avc:  denied  { mac_admin } for  pid=1 comm="systemd" capability=33  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1

* Process mandb tried to access directory /var/lib/snapd with search.
type=AVC msg=audit(1575127443.105:355): avc:  denied  { search } for  pid=5298 comm="mandb" name="snapd" dev="dm-4" ino=134536464 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 trawcon="system_u:object_r:snappy_var_lib_t:s0"

adamwill edited this update.

New build(s):

  • container-selinux-2.123.0-2.fc31
  • selinux-policy-3.14.4-43.fc31

Removed build(s):

  • selinux-policy-3.14.4-42.fc31

Karma has been reset.

5 years ago

This update has been submitted for testing by adamwill.

5 years ago
adamwill commented & provided feedback 5 years ago

OK, so I updated container-selinux's dependency on selinux-policy and bumped the update. Hopefully everything should work now, except possibly @aanno's bug, but unless the update makes it worse, that's not a reason to -1 it. Please let us know if anyone still sees things worse than the previous stable policy.

zpytela commented & provided feedback 5 years ago

@adamwill, thank you for your help. On my VMs the update goes well with no errors reported and the system overall looks good. I am going to create another selinux-policy build soon for both f31 and f30 once this update and its f30 version get into the stable repos, as there are enough new bugs which need to be addressed.

@aanno, there are a lot of unlabeled_t types which can mislead in troubleshooting, please test this build and then run ausearch again to identify additional possible missing permissions.
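The journal adamwill quoted above and the remark about unlabeled_t misleading troubleshooting suggest a small triage step. The following Python is an added example, not code from this page or from the selinux-policy or container-selinux projects: it parses the kernel AVC and dbus USER_AVC records copied from the thread, groups the denials, and separates the ones whose unlabeled_t context really names a type the loaded policy does not define (visible as srawcon/trawcon) from genuine missing permissions. All function names are the example's own.

```python
"""Triage SELinux AVC denials the way the reporters in this thread did by hand.

Added example, not code from the Bodhi page or from selinux-policy/container-selinux.
It groups kernel AVC and dbus USER_AVC records into (source type, target type,
class, permission) tuples and separates real missing permissions from records
where the kernel shows unlabeled_t next to an srawcon/trawcon: that pairing means
the stored label names a type the *loaded* policy does not define (here flatpak's
types), so the fix is getting that module loaded, not allowing unlabeled_t.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Kernel AVC and USER_AVC records share "avc:  denied  { perm ... } for  key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    srawcon: Optional[str]  # set only when scontext collapsed to unlabeled_t
    trawcon: Optional[str]  # set only when tcontext collapsed to unlabeled_t


def type_of(context: str) -> str:
    """user:role:type[:range] -> type; MLS ranges such as s0-s0:c0.c1023 do not matter."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Denial for a denied record; None for anything else (e.g. the policyload notice)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return Denial(
        perms=tuple(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields.get("tclass", "?"),
        permissive=fields.get("permissive") == "1",
        srawcon=fields.get("srawcon"),
        trawcon=fields.get("trawcon"),
    )


def missing_types(d: Denial) -> set:
    """Types named by a raw context on a side of the denial that shows as unlabeled_t."""
    found = set()
    if type_of(d.scontext) == "unlabeled_t" and d.srawcon:
        found.add(type_of(d.srawcon))
    if type_of(d.tcontext) == "unlabeled_t" and d.trawcon:
        found.add(type_of(d.trawcon))
    return found


def suggest_rule(d: Denial) -> Optional[str]:
    """Candidate allow rule, or None when the denial is a labeling artefact."""
    # Allowing unlabeled_t would paper over the missing module (the trap zpytela
    # warns about), so such denials deliberately get no rule.
    if missing_types(d):
        return None
    return "allow %s %s:%s { %s };" % (
        type_of(d.scontext), type_of(d.tcontext), d.tclass, " ".join(d.perms))


def summarize(lines):
    """Counts per (stype, ttype, tclass, perm) plus the types the loaded policy lacks."""
    counts, undefined = Counter(), set()
    for d in filter(None, map(parse_avc, lines)):
        for perm in d.perms:
            counts[(type_of(d.scontext), type_of(d.tcontext), d.tclass, perm)] += 1
        undefined |= missing_types(d)
    return counts, undefined


# Sample input: records copied from the journal quoted earlier in this thread, shortened.
SAMPLE_JOURNAL = [
    'Nov 22 08:48:35 host audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0',
    "Nov 22 08:48:37 host audit[708]: USER_AVC pid=708 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)",
    "Nov 22 08:48:43 host audit[708]: USER_AVC pid=708 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0",
    'Nov 22 08:48:43 host audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"',
    'Nov 22 08:48:45 host audit[2461]: AVC avc:  denied  { read } for  pid=2461 comm="gdbus" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0" trawcon="system_u:system_r:flatpak_helper_t:s0"',
    'Nov 22 08:50:17 host audit[1944]: AVC avc:  denied  { execute } for  pid=1944 comm="(m-helper)" name="flatpak-system-helper" dev="dm-0" ino=272205 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"',
]

if __name__ == "__main__":
    counts, undefined = summarize(SAMPLE_JOURNAL)
    for key, n in sorted(counts.items()):
        print("%3d  %s -> %s : %s %s" % ((n,) + key))
    print("types missing from the loaded policy:", sorted(undefined))
    for d in filter(None, map(parse_avc, SAMPLE_JOURNAL)):
        print(suggest_rule(d) or "no rule: labeling artefact, types %s" % sorted(missing_types(d)))
```

Run against a full `journalctl | grep -i avc` or `ausearch -m AVC,USER_AVC` dump, the undefined-type set tells you which policy module failed to load before you start reading individual denials.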

adamwill commented & provided feedback 5 years ago

openQA updates all pass, so looks good to me too.

This update has been pushed to testing.

5 years ago
decathorpe commented & provided feedback 5 years ago

The upgrade to -43 still causes this scriptlet failure:

  Running scriptlet: selinux-policy-targeted-3.14.4-43.fc31.noarch                                                      2/4 
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1651
Failed to generate binary
/usr/sbin/semodule:  Failed!

Note that I don't have container-selinux installed on this system.

Reinstalling this package with sudo dnf reinstall selinux-policy-targeted worked; I rebooted the system and don't get any AVC denials (so far) ... so I'm withholding judgement for now, because of the scriptlet failure.

aanno commented & provided feedback 5 years ago

Regarding BZ#1755396, I find the following in /var/log/messages:

Dec  8 16:42:49 blacksnapper audit[854]: AVC avc:  denied  { remove_name } for  pid=854 comm="stratisd" name="home" dev="dm-4" ino=134774209 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:49 blacksnapper audit[854]: AVC avc:  denied  { unlink } for  pid=854 comm="stratisd" name="home" dev="dm-4" ino=134774209 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Dec  8 16:42:49 blacksnapper audit[854]: AVC avc:  denied  { rmdir } for  pid=854 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=134774208 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

Dec  8 16:42:52 blacksnapper audit[854]: AVC avc:  denied  { module_request } for  pid=854 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Dec  8 16:42:52 blacksnapper kernel: audit: type=1400 audit(1575819772.851:65): avc:  denied  { module_request } for  pid=854 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1

Dec  8 16:42:52 blacksnapper audit[1435]: AVC avc:  denied  { execute } for  pid=1435 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper audit[1435]: AVC avc:  denied  { execute_no_trans } for  pid=1435 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper kernel: audit: type=1400 audit(1575819772.880:66): avc:  denied  { execute } for  pid=1435 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper kernel: audit: type=1400 audit(1575819772.880:66): avc:  denied  { execute_no_trans } for  pid=1435 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper kernel: audit: type=1400 audit(1575819772.880:66): avc:  denied  { map } for  pid=1435 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper audit[1435]: AVC avc:  denied  { map } for  pid=1435 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Dec  8 16:42:52 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec  8 16:42:52 blacksnapper kernel: audit: type=1130 audit(1575819772.900:67): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec  8 16:42:52 blacksnapper audit[854]: AVC avc:  denied  { write } for  pid=854 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:52 blacksnapper audit[854]: AVC avc:  denied  { add_name } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: audit: type=1400 audit(1575819772.995:68): avc:  denied  { write } for  pid=854 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: audit: type=1400 audit(1575819772.995:68): avc:  denied  { add_name } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec  8 16:42:53 blacksnapper kernel: audit: type=1400 audit(1575819772.995:68): avc:  denied  { create } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { create } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { mounton } for  pid=854 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=20415 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: audit: type=1400 audit(1575819772.995:69): avc:  denied  { mounton } for  pid=854 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=20415 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Ending clean mount
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { mount } for  pid=854 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { search } for  pid=854 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { read } for  pid=854 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { open } for  pid=854 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { getattr } for  pid=854 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { unmount } for  pid=854 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec  8 16:42:53 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { remove_name } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=20415 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { rmdir } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=20415 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Ending clean mount
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { search } for  pid=854 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { read } for  pid=854 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { open } for  pid=854 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec  8 16:42:53 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Dec  8 16:42:53 blacksnapper stratisd[854]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 13
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { create } for  pid=854 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

BZ#1755396 SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1.
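A triage helper for a paste like the one above, added here as an example (it is not part of the thread and not SELinux's own tooling): it parses the AVC lines, groups them by source type, target type and object class, and unions the denied permissions, which is the information a policy maintainer needs to see that stratisd_t is being denied on root_t, unlabeled_t, fs_t and bin_t objects. The sample input is a handful of lines taken from the paste; the `as_rules` output is only a reading aid, not a policy to install.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines from the journal paste above, in both
# shapes it contains (raw "audit[pid]: AVC avc:" and kernel "audit: type=1400").
SAMPLE_JOURNAL = """\
Dec  8 16:42:52 blacksnapper kernel: audit: type=1400 audit(1575819772.880:66): avc:  denied  { execute_no_trans } for  pid=1435 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec  8 16:42:52 blacksnapper audit[854]: AVC avc:  denied  { write } for  pid=854 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: audit: type=1400 audit(1575819772.995:68): avc:  denied  { write } for  pid=854 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { add_name } for  pid=854 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec  8 16:42:53 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec  8 16:42:53 blacksnapper audit[854]: AVC avc:  denied  { mount } for  pid=854 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., 'tcontext': ..., 'tclass': ..., ...} or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC record (e.g. the XFS mount message)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": m.group("perms").split(), **fields}


def type_of(context):
    """user:role:type:mls -> type (index 2 also holds for MLS ranges with extra colons)."""
    return context.split(":")[2]


def summarize(journal_text):
    """Group denials by (source type, target type, class); union the permissions.
    Sets rather than counts: the paste logs every event twice, once via
    audit[pid] and once as a kernel 'audit: type=1400' line."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "permissive": set()})
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec.get("comm", "?"))
        entry["permissive"].add(rec.get("permissive", "?"))
    return dict(summary)


def as_rules(summary):
    """Render each group in allow-rule syntax, purely as a readable summary."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
                  for (s, t, c), e in summary.items())
```

A `permissive=1` on every record means the machine was in permissive mode, so the list shows everything that would have failed under enforcing, not what actually broke.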

This update can be pushed to stable now if the maintainer wishes

5 years ago
User Icon zpytela commented & provided feedback 5 years ago

@decathorpe, did you have container-selinux installed at some point in the past? Please check if the module exists on the filesystem and try to remove it manually:

ls -la /var/lib/selinux/targeted/active/modules/200/container/ semodule -X200 -r container

User Icon zpytela commented & provided feedback 5 years ago

This is a formatted version of the 2 commands:

ls -la /var/lib/selinux/targeted/active/modules/200/container/
semodule -X200 -r container
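The same check, generalized: an added Python helper (not from the thread and not part of the SELinux tooling) that scans every priority directory in the module store for a leftover module instead of assuming priority 200, and prints the matching `semodule -X<prio> -r <name>` command for each hit. It assumes the store layout `<store>/<priority>/<module>/` implied by the `ls` command above; `demo_store()` builds a constructed store in a temp directory so the helper can be exercised offline.

```python
import os
import tempfile

# Module store path as given in the thread.
MODULE_STORE = "/var/lib/selinux/targeted/active/modules"


def find_module_priorities(name, store=MODULE_STORE):
    """Return the sorted priorities at which module `name` exists in `store`.
    A stale copy from a removed package (e.g. container-selinux) can sit at any
    priority; whichever one it is at is the one to pass to semodule -X."""
    if not os.path.isdir(store):
        return []
    found = []
    for prio in os.listdir(store):
        if prio.isdigit() and os.path.isdir(os.path.join(store, prio, name)):
            found.append(int(prio))
    return sorted(found)


def removal_commands(name, store=MODULE_STORE):
    """One `semodule -X<prio> -r <name>` per priority where the module exists."""
    return [f"semodule -X{p} -r {name}" for p in find_module_priorities(name, store)]


def demo_store():
    """Constructed example store: 'container' left behind at priority 100 and
    an unrelated module at 200, mirroring the mismatch seen in this thread."""
    root = tempfile.mkdtemp(prefix="selinux-store-")
    os.makedirs(os.path.join(root, "100", "container"))
    os.makedirs(os.path.join(root, "200", "somethingelse"))
    os.makedirs(os.path.join(root, "disabled"))  # non-numeric entry, ignored
    return root


if __name__ == "__main__":
    for cmd in removal_commands("container"):
        print(cmd)
```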
User Icon decathorpe commented & provided feedback 5 years ago
karma

@zpytela yes, I once had that package installed (I think it was pulled in by podman, but I removed that container stuff again). The directory was present, but "semodule -X100 -r container" removed it. Downgrading and upgrading selinux-policy again now works without problems, thanks :)

This update has been submitted for stable by adamwill.

5 years ago

This update has been pushed to stable.

5 years ago


Metadata
Type: bugfix
Severity: medium
Karma: 3
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 5 years ago
in testing: 5 years ago
in stable: 5 years ago
BZ#1751766 SELinux is preventing systemd-logind from 'read' accesses on the arquivo loader.conf. 0 0
BZ#1755396 SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1. -1 0
BZ#1767394 SELinux is preventing systemd-tmpfile from using the 'setrlimit' accesses on a process. 0 0
BZ#1769228 systemd triggers SELinux denials when confined users run systemctl --user status 0 0
BZ#1770186 restart of lldpd service triggers SELinux denials 0 0
BZ#1770221 Allow cockpit-session to glob /run/cockpit/tls/ 0 0
BZ#1770698 SELinux is preventing 11-dhclient from 'add_name' accesses on the directory chrony.servers.wlp61s0. 0 0

Automated Test Results