Bug 1932458
Summary: | SELinux is preventing login from 'getattr' accesses on the filesystem /. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matthew.fagnani> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 34 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:c7f4f32f6d9b6d80f205b2c260cbb9048305f00172f6d276e37160a38c5f9136;VARIANT_ID=kde; | | |
Fixed In Version: | selinux-policy-3.14.7-25.fc34 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-03-16 00:28:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Matt Fagnani
2021-02-24 16:29:59 UTC
Matt,

What is the dm-o filesystem mounted on? If it is the root filesystem, it should have root_t type:

```
# ls -Zd /
system_u:object_r:root_t:s0 /

# restorecon -vn /
<>
```

(In reply to Zdenek Pytela from comment #1)
> Matt,
>
> What is the dm-o filesystem mounted on? If it is the root filesystem, it
> should have root_t type:
>
>
> # ls -Zd /
> system_u:object_r:root_t:s0 /
>
> # restorecon -vn /
> <>

Zdenek, the dm-0 filesystem is mounted on /, and / does have root_t type. / has inode=2 like in the denial.

```
ls -Zdil /
2 dr-xr-xr-x. 21 root root system_u:object_r:root_t:s0 4096 Feb 3 00:21 /
```

I ran sudo restorecon -vn / but no change was shown. I'm unsure why the fs_t type was the target context, but maybe SELinux was operating on the root filesystem level instead of the / directory. I saw this denial 5/5 times when logging into a VT today. I don't remember seeing this denial before though. It might have something to do with systemd 248 as that was the most relevant update I made in the last day or so.

I ran the following commands to allow login to getattr /

```
sudo ausearch -c 'login' --raw | audit2allow -M my-login
sudo semodule -X 300 -i my-login.pp
```

No denials were shown when I logged into a VT after that. Thanks.

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/621

FEDORA-2021-1cb3d5cac1 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1

FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
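
Added example, not part of the bug report or of selinux-policy: a Python script that groups AVC denials for one command into candidate allow rules, so the scope of a module built with `ausearch -c 'login' --raw | audit2allow -M my-login` can be reviewed before it is installed, and that marks why a `tclass=filesystem` denial targets `fs_t` while the `/` directory is `root_t`. The audit records are constructed; the `local_login_t` source type, pids, timestamps and the third, unrelated record are assumptions.

```python
import re

# Constructed audit records (not from the bug report). comm, dev, ino, the
# fs_t target and the getattr permission follow the thread; pids, timestamps
# and the local_login_t source type are assumptions. The third record is an
# unrelated, made-up denial that the same `-c login` search would also match.
SAMPLE_LOG = '''\
type=AVC msg=audit(1614184199.101:311): avc:  denied  { getattr } for  pid=1201 comm="login" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1614184260.412:340): avc:  denied  { getattr } for  pid=1255 comm="login" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1614184300.007:352): avc:  denied  { read } for  pid=1255 comm="login" name="motd" dev="dm-0" ino=4711 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    # user:role:type:level -> type (the level may itself contain colons)
    return context.split(":")[2]

def candidate_rules(log, comm):
    """Group denials for one command by (source type, target type, class)."""
    rules = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm:
            continue
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def render(rules):
    """Format the grouped denials as allow rules, one per line, for review."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        note = ""
        if cls == "filesystem":
            # filesystem-class checks (e.g. statfs) use the superblock label,
            # so the target is fs_t even though the directory / is root_t.
            note = "  # superblock label, not the label of the / directory"
        lines.append(f"allow {src} {tgt}:{cls} {perm_txt};{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(render(candidate_rules(SAMPLE_LOG, "login"))))
```

On the constructed input the module would carry two rules, not one: filtering by command name alone picks up every denial for `login`, so the generated `.te` file is worth reading before `semodule -i`.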