Bug 1514272 - SELinux breaks snapper {status,diff,undochange,xadiff}
Summary: SELinux breaks snapper {status,diff,undochange,xadiff}
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: LVM and device-mapper development team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-16 23:30 UTC by Dag Odenhall
Modified: 2018-03-07 00:42 UTC (History)

Fixed In Version: selinux-policy-3.13.1-283.26.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-27 17:21:51 UTC
Type: Bug
Embargoed:


Attachments
ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd (deleted)
2017-11-26 11:58 UTC, Dag Odenhall
ausearch -a 4294967295 --raw | audit2allow -M my-pam_snapper (deleted)
2017-11-26 12:00 UTC, Dag Odenhall
ausearch -m AVC,USER_AVC -ts today (deleted)
2017-12-14 15:06 UTC, Dag Odenhall

Description Dag Odenhall 2017-11-16 23:30:06 UTC
With SELinux in Enforcing mode, snapper fails with an IO Error for the commands that compute differences between snapshots:

$ sudo snapper status 52..53
IO Error (open failed path://.snapshots/53/snapshot/etc/polkit-1 errno:1 (Operation not permitted)).

$ cat /var/log/snapper.log
[...]
2017-11-16 23:49:08 MIL libsnapper(13840) snapperd.cc(main):275 - Requesting DBus name
2017-11-16 23:49:08 MIL libsnapper(13840) snapperd.cc(main):279 - Loading snapper configs
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(getConfigs):269 - Snapper get-configs
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(getConfigs):270 - libsnapper version 0.5.0
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(reload):114 - loading file /etc/sysconfig/snapper
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:SNAPPER_CONFIGS value:root home var
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(reload):114 - loading file /etc/snapper/configs/root
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:SUBVOLUME value:/
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(reload):114 - loading file /etc/snapper/configs/home
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:SUBVOLUME value:/home
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(reload):114 - loading file /etc/snapper/configs/var
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:SUBVOLUME value:/var
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:ALLOW_USERS value:
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:ALLOW_GROUPS value:
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:ALLOW_USERS value:
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:ALLOW_GROUPS value:
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:ALLOW_USERS value:
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:ALLOW_GROUPS value:
2017-11-16 23:49:08 MIL libsnapper(13840) snapperd.cc(main):283 - Listening for method calls and signals
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(Snapper):91 - Snapper constructor
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(Snapper):92 - libsnapper version 0.5.0
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(Snapper):93 - config_name:root disable_filters:false
2017-11-16 23:49:08 MIL libsnapper(13840) Selinux.cc(_is_selinux_enabled):137 - Selinux support enabled
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(reload):114 - loading file /etc/snapper/configs/root
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:SUBVOLUME value:/
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:FSTYPE value:btrfs
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:QGROUP value:1/0
2017-11-16 23:49:08 MIL libsnapper(13840) AsciiFile.cc(getValue):235 - key:SYNC_ACL value:no
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(Snapper):125 - subvolume:/ filesystem:btrfs
2017-11-16 23:49:08 MIL libsnapper(13840) Snapper.cc(loadIgnorePatterns):174 - number of ignore patterns:8
2017-11-16 23:49:08 MIL libsnapper(13840) Snapshot.cc(read):245 - found 54 snapshots
2017-11-16 23:49:08 MIL libsnapper(13840) Comparison.cc(Comparison):57 - num1:52 num2:53
2017-11-16 23:49:08 MIL libsnapper(13840) Comparison.cc(load):163 - num1:52 num2:53
2017-11-16 23:49:08 MIL libsnapper(13840) Comparison.cc(create):138 - num1:52 num2:53
2017-11-16 23:49:08 MIL libsnapper(13840) Btrfs.cc(cmpDirs):1385 - special btrfs cmpDirs
2017-11-16 23:49:08 MIL libsnapper(13840) Btrfs.cc(process):1356 - dir1:'//.snapshots/52/snapshot' dir2:'//.snapshots/53/snapshot'
2017-11-16 23:49:08 ERR libsnapper(13840) Btrfs.cc(dumper):1250 - btrfs_read_and_process_send_stream failed
2017-11-16 23:49:08 WAR libsnapper(13840) Btrfs.cc(do_send):1312 - THROW: btrfs send/receive error
2017-11-16 23:49:08 ERR libsnapper(13840) Btrfs.cc(cmpDirs):1401 - special btrfs cmpDirs failed, btrfs send/receive error
2017-11-16 23:49:08 MIL libsnapper(13840) Btrfs.cc(cmpDirs):1402 - cmpDirs fallback
2017-11-16 23:49:08 MIL libsnapper(13840) Compare.cc(cmpDirs):431 - path1://.snapshots/52/snapshot path2://.snapshots/53/snapshot
2017-11-16 23:49:08 MIL libsnapper(13840) Compare.cc(cmpDirs):450 - dev1:143 dev2:146
2017-11-16 23:49:08 ERR libsnapper(13840) XAttributes.cc(XAttributes):154 - Couldn't get xattributes names-list size. link: //.snapshots/52/snapshot/etc/polkit-1/rules.d, error: Operation not permitted
2017-11-16 23:49:08 WAR libsnapper(13840) XAttributes.cc(XAttributes):155 - THROW: XAttributes error
2017-11-16 23:49:08 ERR libsnapper(13840) Compare.cc(cmpFilesXattrs):484 - extended attributes or ACL compare failed
2017-11-16 23:49:08 WAR libsnapper(13840) FileUtils.cc(SDir):88 - THROW: open failed path://.snapshots/53/snapshot/etc/polkit-1 errno:1 (Operation not permitted)
2017-11-16 23:49:08 WAR libsnapper(13840) Client.cc(dispatch):1634 - CAUGHT: open failed path://.snapshots/53/snapshot/etc/polkit-1 errno:1 (Operation not permitted)


Setting SELinux to Permissive makes it all work:


$ sudo setenforce 0
$ sudo snapper status 51..52
c..... /etc/cups/subscriptions.conf
c..... /etc/cups/subscriptions.conf.O


The journal ends up full of stuff like this:

Nov 17 00:19:34 vaio org.fedoraproject.Setroubleshootd[852]: symlink_realpath(/.snapshots/1/snapshot/etc/httpd/run) realpath() failed: Permission denied
Nov 17 00:19:34 vaio setroubleshoot[14661]: SELinux is preventing snapperd from getattr access on the lnk_file /.snapshots/1/snapshot/etc/httpd/run. For complete SELinux messages run: sealert -l 108cccdf-2fbc-42
Nov 17 00:19:34 vaio python3[14661]: SELinux is preventing snapperd from getattr access on the lnk_file /.snapshots/1/snapshot/etc/httpd/run.
                                     
                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                     
                                     If you believe that snapperd should be allowed getattr access on the run lnk_file by default.
                                     Then you should report this as a bug.
                                     You can generate a local policy module to allow this access.
                                     Do
                                     allow this access for now by executing:
                                     # ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
                                     # semodule -X 300 -i my-snapperd.pp
                                     
Nov 17 00:19:34 vaio setroubleshoot[14661]: SELinux is preventing snapperd from using the fowner capability. For complete SELinux messages run: sealert -l e63d9aa8-757d-4d89-a26f-639a909f831b
Nov 17 00:19:34 vaio python3[14661]: SELinux is preventing snapperd from using the fowner capability.
                                     
                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                     
                                     If you believe that snapperd should have the fowner capability by default.
                                     Then you should report this as a bug.
                                     You can generate a local policy module to allow this access.
                                     Do
                                     allow this access for now by executing:
                                     # ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
                                     # semodule -X 300 -i my-snapperd.pp


And this:

Nov 17 00:19:29 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh" dev="dm-0" ino=155924 scontext=system_u:sys
Nov 17 00:19:29 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh" dev="dm-0" ino=436 sc
Nov 17 00:19:29 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/NetworkManager/dispatcher.d/pre-up.d/10-ifcfg-rh-routes.sh" dev="dm-0" ino=155925 scontext=system_u:syst
Nov 17 00:19:29 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/NetworkManager/dispatcher.d/pre-up.d/10-ifcfg-rh-routes.sh" dev="dm-0" ino=437 sco
Nov 17 00:19:29 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/firewalld/firewalld.conf" dev="dm-0" ino=581 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tconte
Nov 17 00:19:29 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/firewalld/firewalld.conf" dev="dm-0" ino=581 scontext=system_u:system_r:snapperd_t
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/gdm/Xsession" dev="dm-0" ino=187531 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/gdm/Xsession" dev="dm-0" ino=685 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/httpd/logs" dev="dm-0" ino=194530 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/httpd/logs" dev="dm-0" ino=695 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c102
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/httpd/modules" dev="dm-0" ino=194531 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=syste
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/httpd/modules" dev="dm-0" ino=696 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/etc/httpd/run" dev="dm-0" ino=194532 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { getattr } for  pid=13924 comm="snapperd" path="/.snapshots/1/snapshot/etc/httpd/run" dev="dm-0" ino=697 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { fowner } for  pid=13924 comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1
Nov 17 00:19:30 vaio audit[13924]: AVC avc:  denied  { fowner } for  pid=13924 comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1

Comment 1 Dag Odenhall 2017-11-16 23:35:53 UTC
Trying

$ sudo restorecon -Rvn /.snapshots

I get stuff like this for seemingly every file in the snapshot:

Would relabel /.snapshots/1/snapshot/etc/system-release from system_u:object_r:etc_t:s0 to system_u:object_r:snapperd_data_t:s0

I don't dare run it without -n to see if that fixes anything, because I don't know how to revert that if it ends up making things worse.

Comment 2 Dag Odenhall 2017-11-16 23:58:57 UTC
So I tried restorecon on two throwaway snapshots:

# snapper create
# echo test > test
# snapper create
# restorecon -Rv /.snapshots/55
# restorecon -Rv /.snapshots/56
# snapper diff 55..56
IO Error (open failed path://.snapshots/56/snapshot/etc/polkit-1 errno:1 (Operation not permitted)).

So that didn't fix anything, but the restorecons didn't really manage to do much, and mostly produced output like this:

[...]
restorecon: Could not set context for /.snapshots/56/snapshot/usr/src:  Read-only file system
restorecon: Could not set context for /.snapshots/56/snapshot/usr/src/debug:  Read-only file system
restorecon: Could not set context for /.snapshots/56/snapshot/usr/src/kernels:  Read-only file system
Relabeled /.snapshots/56/snapshot/.snapshots from system_u:object_r:unlabeled_t:s0 to system_u:object_r:snapperd_data_t:s0

Makes sense; snapper snapshots are read-only.

Comment 3 Dag Odenhall 2017-11-18 09:59:39 UTC
This also breaks the snapper-cleanup.timeline systemd timer:

# /usr/libexec/snapper/systemd-helper --cleanup
IO Error (open failed path://.snapshots/104/snapshot/etc/polkit-1 errno:1 (Operation not permitted)).

Meaning snapshots never get pruned.

Comment 4 Dag Odenhall 2017-11-19 06:22:00 UTC
It also breaks pam_snapper. For some reason it still works with the sudo and sudo-i services, but not with any other PAM service I tried, such as login.

Comment 5 Dag Odenhall 2017-11-19 11:23:14 UTC
I tried

# semanage permissive -a snapperd_t

which seems to be enough to make the snapper commands work without making all of SELinux permissive. However, pam_snapper still isn't working, and of course this fix means running snapper without SELinux protection.

Comment 6 Dag Odenhall 2017-11-26 11:32:31 UTC
I followed the advice in the journal and did:

# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -X 300 -i my-snapperd.pp
# semanage permissive -d snapperd_t

That seems to have made snapper work in Enforcing, however pam_snapper still isn't working and there's no such advice in the journal.

If I see this in the journal:

Nov 26 12:10:57 vaio audit[862]: USER_AVC pid=862 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=CreatePreSnapshot dest=org.opensuse.Snapper spid=12204 tpid=12206 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus permissive=0

does that then mean I can do this using that auid?

# ausearch -a 4294967295 | audit2allow -M my-pam_snapper
# semodule -X 300 -i my-pam_snapper.pp

Well I did, and it seems to have made pam_snapper work for login. I'll have to reboot and see if everything works in Enforcing now, and I'll post the .te files audit2allow produced.

Comment 7 Dag Odenhall 2017-11-26 11:58:02 UTC
Created attachment 1359139 [details]
ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd

Comment 8 Dag Odenhall 2017-11-26 12:00:02 UTC
Created attachment 1359140 [details]
ausearch -a 4294967295 --raw | audit2allow -M my-pam_snapper

Contains a lot of this:

#!!!! This avc is allowed in the current policy

I'm guessing it's because of overlap with the above my-snapperd module.

Comment 9 Lukas Vrabec 2017-12-11 14:15:23 UTC
Hi Dag, 

Could you remove your local SELinux module, then try to reproduce the scenario and attach output of:

# ausearch -m AVC,USER_AVC -ts today

Thanks,
Lukas.

Comment 10 Dag Odenhall 2017-12-14 15:06:13 UTC
Created attachment 1368049 [details]
ausearch -m AVC,USER_AVC -ts today

Some notes:

* I collected these AVCs in Enforcing mode. Would it be better to do it in Permissive, so that early AVCs don't block later ones?

* Snapper creates an arbitrary and growing number of snapshots of whole subvolumes, and walks the whole tree to compute differences, so the paths you see in this AVC log are arbitrary. The snapshots are numbered and kept under SUBVOL/.snapshot/NUMBER/snapshot

* Snapper wants to be able to read all files in the snapshots to be able to compute differences between snapshots. That rather sounds like a security nightmare, but maybe I'm misunderstanding how it works because it's supposed to have some support for SELinux built in, for example https://github.com/openSUSE/snapper/blob/master/snapper/Selinux.cc and https://github.com/openSUSE/snapper/blob/master/doc/selinux-readme.txt

* That readme mentions a snapperd_data_t context/type, and that seems to be applied to the .snapshots subvolume, the numbered directories containing the snapshots, and the snapshot metadata files, but not to the snapshots themselves which are root_t. I don't know if that is correct or not, although the readme only says that the metadata should have that context and doesn't specifically dictate a context for the snapshots themselves, so maybe it's right.

# ls -lZ /.snapshots/726
total 640
-rw-------. 1 root root system_u:object_r:snapperd_data_t:s0 650817 Dec 13 22:12 filelist-681.txt
-rw-------. 1 root root system_u:object_r:snapperd_data_t:s0    434 Dec 13 22:11 info.xml
dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0             172 Dec 11 14:34 snapshot
# ls -lZd /.snapshots/726
drwxr-xr-x. 1 root root system_u:object_r:snapperd_data_t:s0 64 Dec 13 22:12 /.snapshots/726
# ls -lZd /.snapshots
drwxr-x---. 1 root root system_u:object_r:snapperd_data_t:s0 608 Dec 14 15:36 /.snapshots

Comment 11 Dag Odenhall 2017-12-16 14:03:19 UTC
Regarding the potential security nightmare, I've confirmed through testing that the process for creating a comparison between snapshots runs with root privileges, regardless of the calling user, but only root is allowed to be the calling user unless configured otherwise with SYNC_ACL and ALLOW_USERS/ALLOW_GROUPS. With SYNC_ACL=yes ALLOW_GROUPS=wheel I'm able to create such a comparison as non-root that spots a change to /etc/shadow, but I'm not able to see what the change is nor read that file in either snapshot. Snapper will simply say,

$ snapper -c root status 788..789
c..... /etc/shadow

But if I try,

$ snapper -c root diff 788..789
/usr/bin/diff: /.snapshots/788/snapshot/etc/shadow: Permission denied
/usr/bin/diff: /.snapshots/789/snapshot/etc/shadow: Permission denied
$ cat /.snapshots/78{8,9}/snapshot/etc/shadow
cat: /.snapshots/788/snapshot/etc/shadow: Permission denied
cat: /.snapshots/789/snapshot/etc/shadow: Permission denied

With the default configuration, you have to be root to do anything; with a configuration allowing access to other users, all they can do is spot changes without seeing what the changes are.

(This is with my policy modules installed, to make snapper work as intended.)

Comment 12 Fedora Update System 2018-02-20 11:15:11 UTC
selinux-policy-3.13.1-283.26.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2

Comment 13 Fedora Update System 2018-02-20 18:19:24 UTC
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9711c96b2

Comment 14 Fedora Update System 2018-02-27 17:21:51 UTC
selinux-policy-3.13.1-283.26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Nathan Morell 2018-03-07 00:42:56 UTC
Still seems to be broken for me:

# snapper diff 111..113
IO Error (open failed path://.snapshots/113/snapshot/etc/polkit-1 errno:1 (Operation not permitted)).

# ausearch -m AVC,USER_AVC -ts today --raw | tail -4
type=AVC msg=audit(1520383234.761:2266): avc:  denied  { getattr } for  pid=4815 comm="snapperd" path="/.snapshots/113/snapshot/etc/httpd/run" dev="sda4" ino=8522 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1520383234.778:2267): avc:  denied  { fowner } for  pid=4815 comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1520383234.778:2268): avc:  denied  { fowner } for  pid=4815 comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1520383234.723:2253): avc:  denied  { getattr } for  pid=4815 comm="snapperd" path="/.snapshots/111/snapshot/etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh" dev="sda4" ino=4970 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=lnk_file permissive=0

All seem to be issues reported earlier about this.

# rpm -q selinux-policy
selinux-policy-3.13.1-283.26.fc27.noarch
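As an added example (not code from this bug report, from snapper or from selinux-policy), a small Python parser for the `ausearch --raw` AVC and USER_AVC records quoted above. It groups enforced denials by source type, target type, object class and permission and renders the `allow` rules a local module built from them would grant, so the grant can be reviewed before `semodule -i`. The sample records are constructed from the ones in this bug; the audit timestamp on the USER_AVC line is made up.

```python
"""Summarize SELinux AVC denials from ausearch --raw output."""
import re
from collections import Counter

# Constructed sample records modelled on comment 6 and comment 15 of this bug.
SAMPLE_LINES = [
    'type=AVC msg=audit(1520383234.761:2266): avc:  denied  { getattr } for  pid=4815 comm="snapperd" path="/.snapshots/113/snapshot/etc/httpd/run" dev="sda4" ino=8522 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1520383234.778:2267): avc:  denied  { fowner } for  pid=4815 comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=AVC msg=audit(1520383234.778:2268): avc:  denied  { fowner } for  pid=4815 comm="snapperd" capability=3  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    # USER_AVC records come from the D-Bus daemon and wrap the avc text in quotes.
    "type=USER_AVC msg=audit(1511698257.000:900): pid=862 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=CreatePreSnapshot dest=org.opensuse.Snapper spid=12204 tpid=12206 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus permissive=0'",
    # Non-AVC records (SYSCALL etc.) are ignored by the parser.
    "type=SYSCALL msg=audit(1520383234.761:2266): arch=c000003e syscall=6 success=no exit=-13",
]

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type:range security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC/USER_AVC record; return None for other record types."""
    rec = re.match(r"type=(\w+)", line)
    avc = AVC_RE.search(line)
    if not rec or not avc:
        return None
    # Strip the double quotes of path="..." and the single quote closing a USER_AVC msg='...'.
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(avc.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "record": rec.group(1),
        "result": avc.group("result"),
        "perms": avc.group("perms").split(),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields.get("tclass", "?"),
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def summarize(lines, domain=None):
    """Count enforced denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if not d or d["result"] != "denied" or d["permissive"]:
            continue  # granted, permissive-mode or unparseable: not an enforced denial
        if domain and d["stype"] != domain:
            continue
        for perm in d["perms"]:
            counts[(d["stype"], d["ttype"], d["tclass"], perm)] += 1
    return counts


def allow_rules(lines, domain=None):
    """Merge the denials into TE allow rules, as a local module built from them would grant."""
    merged = {}
    for (s, t, c, p) in summarize(lines, domain):
        merged.setdefault((s, t, c), set()).add(p)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        target = "self" if t == s else t  # capability checks are against the domain itself
        rules.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(n, *key)
    print("\n".join(allow_rules(SAMPLE_LINES, "snapperd_t")))
```

Restricting `allow_rules` to one domain keeps an unrelated denial (here the `local_login_t` D-Bus one) from silently landing in the same module, which is the overlap comment 8 noticed between the two generated modules.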

