Daily bogus SELinux alerts from snap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | New | Undecided | Unassigned |
Bug Description
At least once a day my Fedora 37 workstation pops up SELinux alerts like the ones below.
The SELinux alert text says that if I believe that snap should be allowed to do what it is trying to do, I should report it as a bug. Since it does not look like snap is doing anything nefarious, here is the bug report.
Below are the SELinux alerts I am getting daily:
SELinux is preventing snap from search access on the directory fs.
***** Plugin catchall (100. confidence) suggests *******
If you believe that snap should be allowed search access on the fs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'snap' --raw | audit2allow -M my-snap
# semodule -X 300 -i my-snap.pp
Additional Information:
Source Context system_
Target Context system_
Target Objects fs [ dir ]
Source snap
Source Path snap
Port <Unknown>
Host hood.handysoftw
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-
Local Policy RPM snapd-selinux-
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name hood.handysoftw
Platform Linux hood.handysoftw
Alert Count 1
First Seen 2023-02-07 09:01:06 EST
Last Seen 2023-02-07 09:01:06 EST
Local ID 3de537df-
Raw Audit Messages
type=AVC msg=audit(
Hash: snap,snappy_
SELinux is preventing snap from search access on the directory /proc/sys/
***** Plugin catchall (100. confidence) suggests *******
If you believe that snap should be allowed search access on the binfmt_misc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'snap' --raw | audit2allow -M my-snap
# semodule -X 300 -i my-snap.pp
Additional Information:
Source Context system_
Target Context system_
Target Objects /proc/sys/
Source snap
Source Path snap
Port <Unknown>
Host hood.handysoftw
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-
Local Policy RPM snapd-selinux-
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name hood.handysoftw
Platform Linux hood.handysoftw
Alert Count 1
First Seen 2023-02-07 09:01:06 EST
Last Seen 2023-02-07 09:01:06 EST
Local ID f99df951-
Raw Audit Messages
type=AVC msg=audit(
Hash: snap,snappy_
More details: I am running SELinux in permissive mode, so these alerts are not preventing snap from running.
I did look over the other SELinux-related snap tickets in Launchpad and didn't find one quite like this. The other (older) SELinux tickets seem to be reporting different symptoms or different issues.
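The alerts above suggest piping `ausearch -c 'snap' --raw` straight into `audit2allow`. Before doing that it is worth grouping the raw AVC records the way setroubleshoot does, checking the `permissive=` field (in permissive mode the kernel logs the denial but still grants the access, which is why the reporter sees alerts without breakage), and looking at what the would-be allow rule grants. The script below is an added example for this page, not code from the bug report or from snapd. The audit records in it are constructed for illustration; the SELinux types they carry (snappy_t, sysctl_fs_t, binfmt_misc_fs_t, example_t) are assumed, since the report's own contexts are truncated, and the list of sensitive target types is an assumed starting point, not a policy definition.

```python
"""Triage SELinux AVC denials of the kind shown in this report.

Added example for this page; it is not part of the bug report or of snapd.
The audit records are constructed for illustration and the SELinux types in
them are assumed (the report's own contexts are truncated), as is the list
of sensitive target types used for manual-review flagging.
"""
import re

# Constructed records in `ausearch -m AVC --raw` form. The first three mimic
# the report (comm="snap", search on /proc/sys/fs and binfmt_misc, logged in
# permissive mode); the last is an unrelated, enforced denial added to show
# why denials should be reviewed before being turned into an allow rule.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1675778466.123:456): avc:  denied  { search } for  pid=4242 comm="snap" name="fs" dev="proc" ino=9999 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1675778466.124:457): avc:  denied  { search } for  pid=4242 comm="snap" name="binfmt_misc" dev="proc" ino=10000 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1675864866.500:789): avc:  denied  { search } for  pid=5150 comm="snap" name="fs" dev="proc" ino=9999 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1675864900.001:790): avc:  denied  { write } for  pid=6161 comm="example-daemon" name="shadow" dev="dm-0" ino=123 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Assumed list of target types whose denials deserve a human look, not audit2allow.
SENSITIVE_TYPES = {"shadow_t", "ssh_home_t", "security_t", "selinux_config_t"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'pid=\d+ comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one raw AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["perms"] = frozenset(rec["perms"].split())
    # permissive=1 means the kernel logged the denial but let the access through
    rec["permissive"] = rec["permissive"] == "1"
    # user:role:type[:range] -> the type is what policy rules are written against
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(audit_text):
    """Group records the way setroubleshoot does: one entry per (source type,
    target type, class, permissions), with counts and first/last seen."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"count": 0, "enforced": 0, "comms": set(),
                                    "first": rec["ts"], "last": rec["ts"]})
        g["count"] += 1
        g["enforced"] += 0 if rec["permissive"] else 1
        g["comms"].add(rec["comm"])
        g["first"] = min(g["first"], rec["ts"])
        g["last"] = max(g["last"], rec["ts"])
    return groups


def te_rule(key):
    """Render the allow rule audit2allow would emit for one group."""
    stype, ttype, tclass, perms = key
    p = sorted(perms)
    perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_text};"


def triage(key, group):
    """Decide what to do with a group of denials."""
    _, ttype, _, perms = key
    if ttype in SENSITIVE_TYPES or perms & {"write", "append", "execute", "execmem"}:
        return "review"        # do not feed this into audit2allow blindly
    if group["enforced"] == 0:
        return "logged-only"   # permissive mode: nothing was actually blocked
    return "blocked"


def report(audit_text=SAMPLE_AUDIT):
    """One line per group, most frequent first."""
    lines = []
    for key, g in sorted(summarize(audit_text).items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{triage(key, g):11} x{g['count']} {te_rule(key)}  "
                     f"comm={','.join(sorted(g['comms']))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real host, feed it the output of `ausearch -m AVC --raw` instead of the constructed sample. The two snap groups come out as "logged-only": a `search` on a directory under /proc/sys granted in permissive mode is low-risk and is exactly the kind of denial a bug report to the policy maintainer is for, whereas the constructed `write` on shadow_t comes out as "review", which is the case a blanket `audit2allow -M my-snap` would have quietly turned into policy.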