View Issue Details

IDProjectCategoryView StatusLast Update
0016256CentOS-7selinux-policypublic2019-07-10 05:20
ReporterzypA13510 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0016256: SELinux is preventing /usr/libexec/snapd/snapd from 'getattr' accesses on the file /proc/<pid>/stat.
DescriptionDescription of problem:
run snap install without sudo (and then enter password interactively)
SELinux is preventing /usr/libexec/snapd/snapd from 'getattr' accesses on the file /proc/<pid>/stat.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that snapd should be allowed getattr access on the stat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -i my-snapd.pp

Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects /proc/<pid>/stat [ file ]
Source snapd
Source Path /usr/libexec/snapd/snapd
Port <Unknown>
Host (removed)
Source RPM Packages snapd-2.39.2-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.12.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-957.21.3.el7.x86_64 #1 SMP
                              Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64
Alert Count 1
First Seen 2019-07-10 11:38:37 HKT
Last Seen 2019-07-10 11:38:37 HKT
Local ID 84bc0ad4-bd7a-4be2-b217-c8d5555196a6

Raw Audit Messages
type=AVC msg=audit(1562729917.74:15794): avc: denied { getattr } for pid=13934 comm="snapd" path="/proc/21191/stat" dev="proc" ino=503589881 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1562729917.74:15794): arch=x86_64 syscall=fstat success=yes exit=0 a0=5 a1=c0005f8518 a2=0 a3=0 items=0 ppid=1 pid=13934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=snapd exe=/usr/libexec/snapd/snapd subj=system_u:system_r:snappy_t:s0 key=(null)

Hash: snapd,snappy_t,unconfined_service_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-229.el7_6.12.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.21.3.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash9619916d0d69e94e9eb660975661e409053f09563e95405a0e47c9c0c1cbc44e
URL

Activities

zypA13510

zypA13510

2019-07-10 05:20

reporter   ~0034797

Related issue: https://bugzilla.redhat.com/show_bug.cgi?id=1520102

Maybe I should raise this issue in the EPEL bug tracker?

Issue History

Date Modified Username Field Change
2019-07-10 03:49 zypA13510 New Issue
2019-07-10 05:20 zypA13510 Note Added: 0034797