View Issue Details

IDProjectCategoryView StatusLast Update
0016847CentOS-7selinux-policypublic2019-12-19 14:52
Reporternvycent 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0016847: SELinux is preventing /usr/libexec/snapd/snap-update-ns from 'setattr' accesses on the file labeled tmpfs_t.
DescriptionDescription of problem:
SELinux is preventing /usr/libexec/snapd/snap-update-ns from 'setattr' accesses on the file labeled tmpfs_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that snap-update-ns should be allowed setattr access on file labeled tmpfs_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snap-update-ns' --raw | audit2allow -M my-snapupdatens
# semodule -i my-snapupdatens.pp

Additional Information:
Source Context system_u:system_r:snappy_mount_t:s0
Target Context system_u:object_r:tmpfs_t:s0
Target Objects (null) [ file ]
Source snap-update-ns
Source Path /usr/libexec/snapd/snap-update-ns
Port <Unknown>
Host (removed)
Source RPM Packages snap-confine-2.42.1-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1062.4.1.el7.x86_64 #1 SMP
                              Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64
Alert Count 1
First Seen 2019-11-13 11:09:19 +08
Last Seen 2019-11-13 11:09:19 +08
Local ID aac01cf4-3378-4ab7-b4ba-9a317def67c7

Raw Audit Messages
type=AVC msg=audit(1573614559.202:12057): avc: denied { setattr } for pid=10964 comm="snap-update-ns" name="command-cli.wrapper" dev="tmpfs" ino=216519 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1573614559.202:12057): arch=x86_64 syscall=fchown success=yes exit=0 a0=7 a1=0 a2=0 a3=0 items=1 ppid=10362 pid=10964 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=snap-update-ns exe=/usr/libexec/snapd/snap-update-ns subj=system_u:system_r:snappy_mount_t:s0 key=(null)

type=PATH msg=audit(1573614559.202:12057): item=0 name=(null) inode=216519 dev=00:2f mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: snap-update-ns,snappy_mount_t,tmpfs_t,file,setattr

Version-Release number of selected component:
selinux-policy-3.13.1-252.el7.1.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.9.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash47bbb8ce0f9b479bf5cc9b6e52e49042311688a02f0d900ff9d6a8bf71dc9dd9
URL

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-12-19 14:52 nvycent New Issue