Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1333778
| Summary: | SELinux is preventing gssproxy from 'getattr' accesses on the filesystem /. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joachim Frieben <jfrieben> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 24 | CC: | akurtako, asidorov95, awilliam, bcdonadio, belozi, bugzilla, bugzilla, c.steinseifer, decathorpe, dev, dominick.grift, dwalsh, fedora.243908, fedora, g.laurent, jrweare, juliux.pigface, kparal, lmacken, lslebodn, luya, lvrabec, mgrepl, mikhail.v.gavrilov, msuchy, nicolas.mailhot, plautrba, robatino, sgallagh, zyxsamys |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:666a05b8674ca197437eb3d6dd99a6bef631402aee13a47666b2a48916f3c8d6;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-190.fc24 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-02 21:56:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1230435 | ||
Description of problem: Upgrade gssproxy on Fedora 24 Alpha. Version-Release number of selected component: selinux-policy-3.13.1-184.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.2-302.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: dnf update Version-Release number of selected component: selinux-policy-3.13.1-184.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.2-302.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: systemctl restart gssproxy Version-Release number of selected component: selinux-policy-3.13.1-184.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.3-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: Start KDE after reboot and upgrade to Fedora 24 Version-Release number of selected component: selinux-policy-3.13.1-184.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.3-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: This AVC denial happened just after the first boot of Fedora 24 updating from Fedora 23. Version-Release number of selected component: selinux-policy-3.13.1-185.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.3-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: Happened during regular use of the system. I was running a 'dnf update' in the background, it was at the cleanup stage, that may have been involved. Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.2-302.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: Hello, It happened after a fresh install of Fedora 24 beta, conserving only an old /home. Cheers Version-Release number of selected component: selinux-policy-3.13.1-185.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.2-302.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: I've found this after the login on a Xfce session. Version-Release number of selected component: selinux-policy-3.13.1-185.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.4-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: start Google Chrome beta 51.0.2704.54 beta (64-bit) Version-Release number of selected component: selinux-policy-3.13.1-185.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.7.0-0.rc0.git5.2.fc25.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: This happened on a default KDE install, probably during switching users. Version-Release number of selected component: selinux-policy-3.13.1-189.fc24.noarch Additional info: reporter: libreport-2.7.1 hashmarkername: setroubleshoot kernel: 4.5.5-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: I started openVPN in KDE using KDE NetworkManager applet. Version-Release number of selected component: selinux-policy-3.13.1-189.fc24.noarch Additional info: reporter: libreport-2.7.1 hashmarkername: setroubleshoot kernel: 4.5.5-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport (In reply to Miroslav Suchý from comment #11) Please update to selinux-policy-3.13.1-190.fc24 which fixes the problem. Happens with selinux-policy-3.13.1-189.fc24.noarch in Fedora-Workstation-Live-x86_64-24-20160531.n.0.iso during startup. Proposed as a Blocker for 24-final by Fedora user chrismurphy using the blocker tracking app because: There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. This is fixed with -190, I checked. -190 has gone stable. |
Description of problem: SELinux is preventing gssproxy from 'getattr' accesses on the filesystem /. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gssproxy should be allowed getattr access on the filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c gssproxy --raw | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:gssproxy_t:s0 Target Context system_u:object_r:fs_t:s0 Target Objects / [ filesystem ] Source gssproxy Source Path gssproxy Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-184.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.5.3-300.fc24.x86_64 #1 SMP Thu May 5 01:56:27 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-05-06 13:58:40 CEST Last Seen 2016-05-06 13:58:40 CEST Local ID 565f1d28-b145-4fb8-a6d0-b6b7f07e017a Raw Audit Messages type=AVC msg=audit(1462535920.435:82): avc: denied { getattr } for pid=804 comm="gssproxy" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 Hash: gssproxy,gssproxy_t,fs_t,filesystem,getattr Version-Release number of selected component: selinux-policy-3.13.1-184.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.3-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport