View Issue Details

ID: 0013784
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2017-11-29 19:23
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0013784: SELinux is preventing /usr/libexec/gvfs-udisks2-volume-monitor from 'getattr' accesses on the file /run/mount/utab.
Description:
Description of problem:
SELinux error started showing up after installing MATE (which also needed the updated glib2 from the cr repo) and logging into the MATE desktop environment.
The following commands were used to install:
  sudo yum --enablerepo=cr install glib2
  sudo yum groupinstall mate-desktop
SELinux is preventing /usr/libexec/gvfs-udisks2-volume-monitor from 'getattr' accesses on the file /run/mount/utab.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gvfs-udisks2-volume-monitor should be allowed getattr access on the utab file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'gvfs-udisks2-vo' --raw | audit2allow -M my-gvfsudisks2vo
# semodule -i my-gvfsudisks2vo.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:mount_var_run_t:s0
Target Objects /run/mount/utab [ file ]
Source gvfs-udisks2-vo
Source Path /usr/libexec/gvfs-udisks2-volume-monitor
Port <Unknown>
Host (removed)
Source RPM Packages gvfs-1.22.4-8.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.26.2.el7.x86_64 #1 SMP
                              Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64
Alert Count 145
First Seen 2017-09-03 06:10:53 PDT
Last Seen 2017-09-08 10:52:22 PDT
Local ID 121a87f9-95f7-4d3e-9228-ad2bc1f2726c

Raw Audit Messages
type=AVC msg=audit(1504893142.856:6989): avc: denied { getattr } for pid=1508 comm="gvfs-udisks2-vo" path="/run/mount/utab" dev="tmpfs" ino=232792 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1504893142.856:6989): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7f3450c1a988 a1=7ffd9762a100 a2=7ffd9762a100 a3=10 items=0 ppid=1 pid=1508 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gvfs-udisks2-vo exe=/usr/libexec/gvfs-udisks2-volume-monitor subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gvfs-udisks2-vo,xdm_t,mount_var_run_t,file,getattr

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.26.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.




2017-11-18 02:21

reporter   ~0030602

Another user experienced a similar problem:

The message popped up on booting.

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.10.2.el7.x86_64
package: selinux-policy-3.13.1-102.el7_3.15.noarch
reason: SELinux is preventing /usr/libexec/gvfs-udisks2-volume-monitor from 'getattr' accesses on the file /run/mount/utab.
reproducible: Not sure how to reproduce the problem
type: libreport


2017-11-29 19:18

reporter   ~0030677

Similar message here:

SELinux is preventing /usr/libexec/gvfs-udisks2-volume-monitor from read access on the file fstab


2017-11-29 19:23

reporter   ~0030678

Disregard, it seems Amazon AWS munged the file:
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 fstab
-rw-r--r--. root root system_u:object_r:etc_t:s0 fstab.orig

Issue History

Date Modified Username Field Change
2017-09-08 18:01 spohaver New Issue
2017-11-18 02:21 sjose Note Added: 0030602
2017-11-29 19:18 BlueH2O Note Added: 0030677
2017-11-29 19:23 BlueH2O Note Added: 0030678