Aggregate bug for SELinux denials

Bug #1863747 reported by Zygmunt Krynicki
Affects: snapd. Status: Confirmed. Importance: Medium. Assigned to: Unassigned.

Bug Description

This bug contains multiple SELinux denials that are often automatically reported by our Fedora friends.

The first batch contains 25 bugs, in markdown (which is not supported here but can be used if you paste it to other locations).

# SELinux bugs reported
## https://bugzilla.redhat.com/show_bug.cgi?id=1689167
```
Failed to resolve roletype statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:12
/usr/sbin/semodule: Failed!
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1577288
```
type=AVC msg=audit(1563518753.470:869): avc: denied { setattr } for pid=4461 comm="cp" name="user-dirs.locale" dev="dm-3" ino=11291731 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1693176
```
type=AVC msg=audit(1553679923.809:137): avc: denied { check_context } for pid=2455 comm="matchpathcon" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1693177
```
type=AVC msg=audit(1553679923.808:136): avc: denied { write } for pid=2455 comm="matchpathcon" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1693204
```
type=AVC msg=audit(1553683319.601:137): avc: denied { search } for pid=2302 comm="matchpathcon" name="contexts" dev="dm-3" ino=8477 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1694156
```
type=AVC msg=audit(1553876840.968:272): avc: denied { getattr } for pid=5348 comm="umount" name="/" dev="loop0" ino=2 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1697026
```
type=AVC msg=audit(1554613575.901:259): avc: denied { search } for pid=3399 comm="mandb" name="snapd" dev="sdb3" ino=1572023 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1697100
```
type=AVC msg=audit(1554645282.535:6325): avc: denied { unlink } for pid=26016 comm="ld-2.23.so" name="CACHEDIR.TAG" dev="dm-3" ino=88736 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1699360
```
type=AVC msg=audit(1555077265.384:270): avc: denied { module_request } for pid=2018 comm="mount" kmod="char-major-10-237" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1703226
```
type=AVC msg=audit(1556216965.699:2149): avc: denied { search } for pid=29384 comm="udevadm" name="udev" dev="tmpfs" ino=1275 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1707758
```
type=AVC msg=audit(1557308098.309:366): avc: denied { write } for pid=7542 comm="mount" name="loop1" dev="devtmpfs" ino=104319 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1713975
```
type=AVC msg=audit(1558855685.572:299): avc: denied { read } for pid=3007 comm="mount" name="loop1" dev="devtmpfs" ino=25385 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1708012
```
type=AVC msg=audit(1557359465.28:297): avc: denied { create } for pid=2921 comm="snapd" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1707975
```
type=AVC msg=audit(1557344835.617:520): avc: denied { bind } for pid=931 comm="snapd" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=netlink_kobject_uevent_socket permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1729003
```
type=AVC msg=audit(1562745226.786:1599): avc: denied { rmdir } for pid=4387 comm="snapd" name="snap.rambox" dev="tmpfs" ino=895840 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1729001
```
type=AVC msg=audit(1562745226.786:1600): avc: denied { write } for pid=4387 comm="snapd" name="snap.rambox" dev="tmpfs" ino=895840 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1729000
```
type=AVC msg=audit(1562745226.786:1601): avc: denied { remove_name } for pid=4387 comm="snapd" name="wayland-0" dev="tmpfs" ino=899794 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1728999
```
type=AVC msg=audit(1562745226.786:1602): avc: denied { unlink } for pid=4387 comm="snapd" name="wayland-0" dev="tmpfs" ino=899794 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1725476
```
type=AVC msg=audit(1561794847.909:360): avc: denied { map } for pid=10285 comm="journalctl" path="/var/log/journal/fdf02e3ac2b2404e83063f7f76f8149c/user-1000@5ed61e690b194b5c829197e2f3c58e77-0000000000273bac-000588dc45301e17.journal" dev="dm-1" ino=1312698 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1717735
```
type=AVC msg=audit(1559791515.565:567): avc: denied { read } for pid=16737 comm="(er_check)" name="nsswitch.conf" dev="loop0" ino=748 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=file permissive=0
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1717673
```
type=AVC msg=audit(1559773844.842:395): avc: denied { remount } for pid=5197 comm="(upowerd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=filesystem permissive=0
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1717607
```
type=AVC msg=audit(1559762360.51:292): avc: denied { remount } for pid=4360 comm="(resolved)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=filesystem permissive=0
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1717358
```
Jun 04 18:31:55 localhost.localdomain audit[26019]: AVC avc: denied { remount } for pid=26019 comm="(upowerd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=filesyst>
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1715587
```
type=AVC msg=audit(1559237867.515:324): avc: denied { search } for pid=8433 comm="udevadm" name="contexts" dev="dm-1" ino=134218256 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1714323
```
type=AVC msg=audit(1558977973.361:300): avc: denied { ioctl } for pid=3326 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=14540 ioctlcmd=0x4c82 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
```
## https://bugzilla.redhat.com/show_bug.cgi?id=1729006
```
type=AVC msg=audit(1562745226.785:1596): avc: denied { unlink } for pid=4387 comm="snapd" name="user-dirs.locale" dev="dm-3" ino=5379387 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
```
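The list above is easier to work through when the AVC records are clustered by source type, target type, object class and permission, since denials that share those four fields usually share a root cause and a fix. The script below is an added example for this report, not snapd's code: it parses audit lines in the format quoted above, groups them, separates enforced denials (permissive=0) from ones that were only logged, and folds each cluster into an audit2allow-style candidate rule. The sample input is copied from the records above; the rule text is a starting point for a policy maintainer, not a fix, since some of these denials (the mandb one against snappy_var_lib_t, for instance) may be better addressed by relabeling or by changing what the program touches.

```python
"""Triage helper for a batch of SELinux AVC denials.

Added example for this bug report, not snapd's code. It parses audit lines
in the format quoted above, clusters them by (source type, target type,
class, permission) and separates enforced denials from logged-only ones.
"""
import re
from collections import defaultdict

# key=value or key="quoted value" pairs that follow the "denied { ... }" part.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# One or more permissions inside "denied { ... }".
_PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Sample input: lines copied verbatim from the records in this report.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1563518753.470:869): avc: denied { setattr } for pid=4461 comm="cp" name="user-dirs.locale" dev="dm-3" ino=11291731 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1554613575.901:259): avc: denied { search } for pid=3399 comm="mandb" name="snapd" dev="sdb3" ino=1572023 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1557308098.309:366): avc: denied { write } for pid=7542 comm="mount" name="loop1" dev="devtmpfs" ino=104319 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1',
    'type=AVC msg=audit(1558855685.572:299): avc: denied { read } for pid=3007 comm="mount" name="loop1" dev="devtmpfs" ino=25385 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1',
    'type=AVC msg=audit(1562745226.786:1599): avc: denied { rmdir } for pid=4387 comm="snapd" name="snap.rambox" dev="tmpfs" ino=895840 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1562745226.786:1600): avc: denied { write } for pid=4387 comm="snapd" name="snap.rambox" dev="tmpfs" ino=895840 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1559791515.565:567): avc: denied { read } for pid=16737 comm="(er_check)" name="nsswitch.conf" dev="loop0" ino=748 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1559773844.842:395): avc: denied { remount } for pid=5197 comm="(upowerd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=filesystem permissive=0',
    'type=AVC msg=audit(1559762360.51:292): avc: denied { remount } for pid=4360 comm="(resolved)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_snap_t:s0 tclass=filesystem permissive=0',
]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None if it is not one."""
    m = _PERM_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    # Only the text after "denied { ... }" carries key=value fields.
    for key, val in _FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; policy rules key on the type.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec.get(ctx, "?")
    # permissive=1 means the access was logged but not blocked.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def group_denials(lines):
    """Map (source type, target type, tclass, permission) -> list of comm names."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", "?"), perm)
            groups[key].append(rec.get("comm", "?"))
    return dict(groups)


def enforced_denials(lines):
    """Records with permissive=0: the kernel actually refused these operations."""
    return [r for r in map(parse_avc, lines) if r is not None and not r["permissive"]]


def candidate_rules(groups):
    """Fold clusters into audit2allow-style allow lines, one per (src, tgt, class).

    Starting points for a policy maintainer, not a fix: a denial may instead
    call for relabeling the object or changing what the program does.
    """
    perms = defaultdict(set)
    for (src, tgt, tclass, perm) in groups:
        perms[(src, tgt, tclass)].add(perm)
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(ps)))
        for (src, tgt, tclass), ps in perms.items()
    )


if __name__ == "__main__":
    groups = group_denials(SAMPLE_DENIALS)
    for key, comms in sorted(groups.items()):
        print("%-10s %-22s %-11s %-8s hit by %s" % (key + (", ".join(comms),)))
    print("enforced denials:", len(enforced_denials(SAMPLE_DENIALS)))
    for rule in candidate_rules(groups):
        print(rule)
```

Run against the nine sample records, the two remount denials from (upowerd) and (resolved) collapse into one init_t/snappy_snap_t cluster, the two snapd denials on snap.rambox collapse into one user_tmp_t rule, and four of the nine records turn out to be enforced rather than merely logged. For a real audit log, feed `ausearch -m AVC` output to `group_denials` line by line; journalctl-rendered lines that end in a truncation marker will need the full record from ausearch first.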

Zygmunt Krynicki (zyga)
Changed in snapd:
status: New → Confirmed
Zygmunt Krynicki (zyga)
description: updated
Changed in snapd:
importance: Undecided → Medium
Zygmunt Krynicki (zyga) wrote:

I started working on understanding how to chew through this list (and more more more) but it will need some time to get accustomed to (the process, that is). I think having a recurring bug is better than the list of small bugs in the bug tracker we don't visit very often. Many of the bugs may have the same origin or be fixed at the same time.
