1333778 – SELinux is preventing gssproxy from 'getattr' accesses on the filesystem /.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1333778 - SELinux is preventing gssproxy from 'getattr' accesses on the filesystem /.

Summary: SELinux is preventing gssproxy from 'getattr' accesses on the filesystem /.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:666a05b8674ca197437eb3d6dd9...
Depends On:
Blocks:	F24FinalBlocker
TreeView+	depends on / blocked

Reported:	2016-05-06 12:06 UTC by Joachim Frieben
Modified:	2016-06-03 12:05 UTC (History)
CC List:	30 users (show)
Fixed In Version:	selinux-policy-3.13.1-190.fc24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-02 21:56:09 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Joachim Frieben 2016-05-06 12:06:00 UTC

Description of problem:
SELinux is preventing gssproxy from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gssproxy should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c gssproxy --raw | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gssproxy_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        gssproxy
Source Path                   gssproxy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-184.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.3-300.fc24.x86_64 #1 SMP Thu
                              May 5 01:56:27 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-05-06 13:58:40 CEST
Last Seen                     2016-05-06 13:58:40 CEST
Local ID                      565f1d28-b145-4fb8-a6d0-b6b7f07e017a

Raw Audit Messages
type=AVC msg=audit(1462535920.435:82): avc:  denied  { getattr } for  pid=804 comm="gssproxy" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: gssproxy,gssproxy_t,fs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-184.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 1 Luya Tshimbalanga 2016-05-06 17:54:46 UTC

Description of problem:
Upgrade gssproxy on Fedora 24 Alpha.

Version-Release number of selected component:
selinux-policy-3.13.1-184.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.2-302.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 2 Zdenek Sedlak 2016-05-07 07:30:39 UTC

Description of problem:
dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-184.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.2-302.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 3 Lukas Slebodnik 2016-05-11 06:19:00 UTC

Description of problem:
systemctl restart gssproxy

Version-Release number of selected component:
selinux-policy-3.13.1-184.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 4 abyss.7 2016-05-12 07:31:22 UTC

Description of problem:
Start KDE after reboot and upgrade to Fedora 24

Version-Release number of selected component:
selinux-policy-3.13.1-184.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 5 Bernardo Donadio 2016-05-15 10:30:04 UTC

Description of problem:
This AVC denial happened just after the first boot of Fedora 24 updating from Fedora 23.

Version-Release number of selected component:
selinux-policy-3.13.1-185.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 6 Adam Williamson 2016-05-18 14:45:38 UTC

Description of problem:
Happened during regular use of the system. I was running a 'dnf update' in the background, it was at the cleanup stage, that may have been involved.


Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.2-302.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 7 GuL 2016-05-20 14:29:53 UTC

Description of problem:
Hello,
It happened after a fresh install of Fedora 24 beta, conserving only an old /home.
Cheers

Version-Release number of selected component:
selinux-policy-3.13.1-185.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.2-302.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 8 Giulio 'juliuxpigface' 2016-05-20 20:42:25 UTC

Description of problem:
I've found this after the login on a Xfce session.

Version-Release number of selected component:
selinux-policy-3.13.1-185.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.4-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 9 jrweare 2016-05-24 23:07:37 UTC

Description of problem:
start Google Chrome beta  51.0.2704.54 beta (64-bit)

Version-Release number of selected component:
selinux-policy-3.13.1-185.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc0.git5.2.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 10 Kamil Páral 2016-05-31 13:55:50 UTC

Description of problem:
This happened on a default KDE install, probably during switching users.

Version-Release number of selected component:
selinux-policy-3.13.1-189.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.5-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 11 Miroslav Suchý 2016-05-31 18:57:34 UTC

Description of problem:
I started openVPN in KDE using KDE NetworkManager applet.

Version-Release number of selected component:
selinux-policy-3.13.1-189.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.5-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 12 Joachim Frieben 2016-05-31 19:05:36 UTC

(In reply to Miroslav Suchý from comment #11)
Please update to selinux-policy-3.13.1-190.fc24 which fixes the problem.

Comment 13 Chris Murphy 2016-06-01 01:37:19 UTC

Happens with selinux-policy-3.13.1-189.fc24.noarch in Fedora-Workstation-Live-x86_64-24-20160531.n.0.iso during startup.

Comment 14 Fedora Blocker Bugs Application 2016-06-01 02:04:47 UTC

Proposed as a Blocker for 24-final by Fedora user chrismurphy using the blocker tracking app because:

 There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop.

Comment 15 Adam Williamson 2016-06-01 04:04:11 UTC

This is fixed with -190, I checked.

Comment 16 Adam Williamson 2016-06-02 21:56:09 UTC

-190 has gone stable.

Note You need to log in before you can comment on or make changes to this bug.

akurtako
asidorov95
awilliam
bcdonadio
belozi
bugzilla
bugzilla
c.steinseifer
decathorpe
dev
dominick.grift
dwalsh
fedora.243908
fedora
g.laurent
jrweare
juliux.pigface
kparal
lmacken
lslebodn
luya
lvrabec
mgrepl
mikhail.v.gavrilov
msuchy
nicolas.mailhot
plautrba
robatino
sgallagh
zyxsamys