Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2024489 - SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
Summary: SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_soc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cd8922fc870c981adeae7badada...
: 2024445 2039987 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-18 06:57 UTC by Davide Repetto
Modified: 2022-01-19 02:11 UTC (History)
17 users (show)

Fixed In Version: selinux-policy-35.10-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-19 02:11:26 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Davide Repetto 2021-11-18 06:57:12 UTC
Description of problem:
SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

Se ci credi (o-bridge) dovrebbe essere consentito ioctl accesso al unix_stream_socket unix_stream_socket per impostazione predefinita.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per ora eseguendo:
# ausearch -c '(o-bridge)' --raw | audit2allow -M my-$MODULE_NOME
# semodule -X 300 -i miei-obridge.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:unconfined_r:rpm_script_t:s0-
                              s0:c0.c1023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        (o-bridge)
Source Path                   (o-bridge)
Port                          <Sconosciuto>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.5-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.5-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.14.17-301.fc35.x86_64 #1 SMP Mon
                              Nov 8 13:57:43 UTC 2021 x86_64 x86_64
Alert Count                   3
First Seen                    2021-11-18 07:53:12 CET
Last Seen                     2021-11-18 07:53:18 CET
Local ID                      7455d334-0def-4cbe-9bec-c9d1c98624d0

Raw Audit Messages
type=AVC msg=audit(1637218398.533:2223): avc:  denied  { ioctl } for  pid=346362 comm="(o-bridge)" path="socket:[14969251]" dev="sockfs" ino=14969251 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1


Hash: (o-bridge),init_t,rpm_script_t,unix_stream_socket,ioctl

Version-Release number of selected component:
selinux-policy-targeted-35.5-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
type:           libreport

Comment 1 Davide Repetto 2021-11-19 08:26:08 UTC
Similar problem has been detected:

This denial happened during a "dnf  upgrde" thich tuched:

  corosync-3.1.6-1.fc35.x86_64                                  corosynclib-3.1.6-1.fc35.x86_64                                      
  google-chrome-beta-97.0.4692.20-1.x86_64                      ibus-typing-booster-2.15.0-1.fc35.noarch                             
  java-1.8.0-openjdk-1:1.8.0.312.b07-2.fc35.x86_64              java-1.8.0-openjdk-headless-1:1.8.0.312.b07-2.fc35.x86_64            
  libqb-2.0.4-1.fc35.x86_64                                     libsmbclient-2:4.15.2-3.fc35.x86_64                                  
  libwbclient-2:4.15.2-3.fc35.x86_64                            perl-HTTP-Tiny-0.080-1.fc35.noarch                                   
  python-pip-wheel-21.2.3-4.fc35.noarch                         python3-pip-21.2.3-4.fc35.noarch                                     
  python3-reportlab-3.6.2-2.fc35.x86_64                         python3-samba-2:4.15.2-3.fc35.x86_64                                 
  samba-2:4.15.2-3.fc35.x86_64                                  samba-client-2:4.15.2-3.fc35.x86_64                                  
  samba-client-libs-2:4.15.2-3.fc35.x86_64                      samba-common-2:4.15.2-3.fc35.noarch                                  
  samba-common-libs-2:4.15.2-3.fc35.x86_64                      samba-common-tools-2:4.15.2-3.fc35.x86_64                            
  samba-dc-libs-2:4.15.2-3.fc35.x86_64                          samba-libs-2:4.15.2-3.fc35.x86_64                                    
  samba-winbind-2:4.15.2-3.fc35.x86_64                          samba-winbind-clients-2:4.15.2-3.fc35.x86_64                         
  samba-winbind-modules-2:4.15.2-3.fc35.x86_64                  swtpm-0.7.0-1.20211109gitb79fd91.fc35.x86_64                         
  swtpm-libs-0.7.0-1.20211109gitb79fd91.fc35.x86_64             swtpm-tools-0.7.0-1.20211109gitb79fd91.fc35.x86_64                   

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
type:           libreport

Comment 2 Ian Laurie 2021-11-23 22:37:31 UTC
I'm also seeing this on Rawhide (36).

Comment 3 Davide Repetto 2021-12-20 14:41:00 UTC
Similar problem has been detected:

Gt this during this dnf upgrade:

[davide@dave ~]$ dnf history info last
ID transazione : 165
Ora inizio     : lun 20 dic 2021, 15:27:03
rpmdb iniziale : 4699:cd5413e1521b873fad026ad62e510e5fd6b55a56
Ora termine    : lun 20 dic 2021, 15:27:30 (27 secondi)
rpmdb finale   : 4699:c8d309c738778e5c8751e9959f3c3ce7d9d41959
Utente         : Davide <davide>
Codice di uscita    : Completato
Rilascio: 35
Linea di comando   : -y upgrade
Commento        : 
Pacchetti modificati:
    Upgrade  cmake-3.22.1-4.fc35.x86_64                         @updates
    Upgraded cmake-3.22.1-1.fc35.x86_64                         @@System
    Upgrade  cmake-data-3.22.1-4.fc35.noarch                    @updates
    Upgraded cmake-data-3.22.1-1.fc35.noarch                    @@System
    Upgrade  cmake-filesystem-3.22.1-4.fc35.x86_64              @updates
    Upgraded cmake-filesystem-3.22.1-1.fc35.x86_64              @@System
    Upgrade  cmake-rpm-macros-3.22.1-4.fc35.noarch              @updates
    Upgraded cmake-rpm-macros-3.22.1-1.fc35.noarch              @@System
    Upgrade  fwupd-1.7.3-1.fc35.x86_64                          @updates
    Upgraded fwupd-1.7.2-1.fc35.x86_64                          @@System
    Upgrade  fwupd-plugin-flashrom-1.7.3-1.fc35.x86_64          @updates
    Upgraded fwupd-plugin-flashrom-1.7.2-1.fc35.x86_64          @@System
    Upgrade  fwupd-plugin-modem-manager-1.7.3-1.fc35.x86_64     @updates
    Upgraded fwupd-plugin-modem-manager-1.7.2-1.fc35.x86_64     @@System
    Upgrade  fwupd-plugin-uefi-capsule-data-1.7.3-1.fc35.x86_64 @updates
    Upgraded fwupd-plugin-uefi-capsule-data-1.7.2-1.fc35.x86_64 @@System
    Upgrade  guestfs-tools-1.47.3-1.fc35.x86_64                 @updates
    Upgraded guestfs-tools-1.47.2-2.fc35.x86_64                 @@System
    Upgrade  libvmaf-2.1.1-3.fc35.x86_64                        @updates
    Upgraded libvmaf-2.1.1-2.fc35.x86_64                        @@System
    Upgrade  libxcrypt-4.4.27-1.fc35.i686                       @updates
    Upgraded libxcrypt-4.4.26-4.fc35.i686                       @@System
    Upgrade  libxcrypt-4.4.27-1.fc35.x86_64                     @updates
    Upgraded libxcrypt-4.4.26-4.fc35.x86_64                     @@System
    Upgrade  libxcrypt-compat-4.4.27-1.fc35.i686                @updates
    Upgraded libxcrypt-compat-4.4.26-4.fc35.i686                @@System
    Upgrade  libxcrypt-compat-4.4.27-1.fc35.x86_64              @updates
    Upgraded libxcrypt-compat-4.4.26-4.fc35.x86_64              @@System
    Upgrade  libxcrypt-devel-4.4.27-1.fc35.x86_64               @updates
    Upgraded libxcrypt-devel-4.4.26-4.fc35.x86_64               @@System
    Upgrade  mesa-dri-drivers-21.3.2-1.fc35.i686                @updates
    Upgraded mesa-dri-drivers-21.3.1-2.fc35.i686                @@System
    Upgrade  mesa-dri-drivers-21.3.2-1.fc35.x86_64              @updates
    Upgraded mesa-dri-drivers-21.3.1-2.fc35.x86_64              @@System
    Upgrade  mesa-filesystem-21.3.2-1.fc35.i686                 @updates
    Upgraded mesa-filesystem-21.3.1-2.fc35.i686                 @@System
    Upgrade  mesa-filesystem-21.3.2-1.fc35.x86_64               @updates
    Upgraded mesa-filesystem-21.3.1-2.fc35.x86_64               @@System
    Upgrade  mesa-libEGL-21.3.2-1.fc35.i686                     @updates
    Upgraded mesa-libEGL-21.3.1-2.fc35.i686                     @@System
    Upgrade  mesa-libEGL-21.3.2-1.fc35.x86_64                   @updates
    Upgraded mesa-libEGL-21.3.1-2.fc35.x86_64                   @@System
    Upgrade  mesa-libGL-21.3.2-1.fc35.i686                      @updates
    Upgraded mesa-libGL-21.3.1-2.fc35.i686                      @@System
    Upgrade  mesa-libGL-21.3.2-1.fc35.x86_64                    @updates
    Upgraded mesa-libGL-21.3.1-2.fc35.x86_64                    @@System
    Upgrade  mesa-libOSMesa-21.3.2-1.fc35.i686                  @updates
    Upgraded mesa-libOSMesa-21.3.1-2.fc35.i686                  @@System
    Upgrade  mesa-libOSMesa-21.3.2-1.fc35.x86_64                @updates
    Upgraded mesa-libOSMesa-21.3.1-2.fc35.x86_64                @@System
    Upgrade  mesa-libOpenCL-21.3.2-1.fc35.i686                  @updates
    Upgraded mesa-libOpenCL-21.3.1-2.fc35.i686                  @@System
    Upgrade  mesa-libOpenCL-21.3.2-1.fc35.x86_64                @updates
    Upgraded mesa-libOpenCL-21.3.1-2.fc35.x86_64                @@System
    Upgrade  mesa-libgbm-21.3.2-1.fc35.i686                     @updates
    Upgraded mesa-libgbm-21.3.1-2.fc35.i686                     @@System
    Upgrade  mesa-libgbm-21.3.2-1.fc35.x86_64                   @updates
    Upgraded mesa-libgbm-21.3.1-2.fc35.x86_64                   @@System
    Upgrade  mesa-libglapi-21.3.2-1.fc35.i686                   @updates
    Upgraded mesa-libglapi-21.3.1-2.fc35.i686                   @@System
    Upgrade  mesa-libglapi-21.3.2-1.fc35.x86_64                 @updates
    Upgraded mesa-libglapi-21.3.1-2.fc35.x86_64                 @@System
    Upgrade  mesa-libxatracker-21.3.2-1.fc35.x86_64             @updates
    Upgraded mesa-libxatracker-21.3.1-2.fc35.x86_64             @@System
    Upgrade  mesa-vdpau-drivers-21.3.2-1.fc35.x86_64            @updates
    Upgraded mesa-vdpau-drivers-21.3.1-2.fc35.x86_64            @@System
    Upgrade  mesa-vulkan-drivers-21.3.2-1.fc35.i686             @updates
    Upgraded mesa-vulkan-drivers-21.3.1-2.fc35.i686             @@System
    Upgrade  mesa-vulkan-drivers-21.3.2-1.fc35.x86_64           @updates
    Upgraded mesa-vulkan-drivers-21.3.1-2.fc35.x86_64           @@System
    Upgrade  openvpn-2.5.5-2.fc35.x86_64                        @updates
    Upgraded openvpn-2.5.4-1.fc35.x86_64                        @@System
    Upgrade  osinfo-db-20211216-1.fc35.noarch                   @updates
    Upgraded osinfo-db-20211013-1.fc35.noarch                   @@System
    Upgrade  pdfarranger-1.8.1-1.fc35.noarch                    @updates
    Upgraded pdfarranger-1.7.1-3.fc35.noarch                    @@System
    Upgrade  python3-pyatspi-2.38.2-1.fc35.noarch               @updates
    Upgraded python3-pyatspi-2.38.1-3.fc35.noarch               @@System
    Upgrade  rb_libtorrent-2.0.5-1.fc35.x86_64                  @updates
    Upgraded rb_libtorrent-2.0.4-5.fc35.x86_64                  @@System

hashmarkername: setroubleshoot
kernel:         5.15.8-200.fc35.x86_64
package:        selinux-policy-targeted-35.6-1.fc35.noarch
reason:         SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
type:           libreport

Comment 4 Davide Repetto 2022-01-08 14:41:45 UTC
Similar problem has been detected:

This appeared during a dnf update of the following:

  bluez-5.63-1.fc35.x86_64                        bluez-cups-5.63-1.fc35.x86_64            bluez-libs-5.63-1.fc35.i686              
  bluez-libs-5.63-1.fc35.x86_64                   bluez-obexd-5.63-1.fc35.x86_64           gegl04-0.4.34-1.fc35.x86_64              
  libwebp-1.2.1-3.fc35.i686                       libwebp-1.2.1-3.fc35.x86_64              netpbm-10.97.00-1.fc35.x86_64            
  netpbm-progs-10.97.00-1.fc35.x86_64             python3-paramiko-2.9.1-1.fc35.noarch     python3-requests-2.27.0-1.fc35.noarch    
  python3-requests+socks-2.27.0-1.fc35.noarch     python3-urllib3-1.26.7-2.fc35.noarch     vivaldi-stable-5.0.2497.35-1.x86_64      

hashmarkername: setroubleshoot
kernel:         5.15.12-200.fc35.x86_64
package:        selinux-policy-targeted-35.7-1.fc35.noarch
reason:         SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
type:           libreport

Comment 5 Davide Repetto 2022-01-08 14:45:09 UTC
Similar problem has been detected:

(after the dnf upgrade) This also appears after closing the mate session and loggin back in.

hashmarkername: setroubleshoot
kernel:         5.15.12-200.fc35.x86_64
package:        selinux-policy-targeted-35.7-1.fc35.noarch
reason:         SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
type:           libreport

Comment 6 Micah Shennum 2022-01-10 00:58:51 UTC
Similar problem has been detected:

I am seeing this each time I run `sudo dnf upgrade` the past couple weeks. I am using permissive mode at the moment, so I have not noticed anything breaking. I was not able to find much about o-bridge online, and am therfor not sure what it is for/what might be different.

hashmarkername: setroubleshoot
kernel:         5.15.12-200.fc35.x86_64
package:        selinux-policy-targeted-35.8-1.fc35.noarch
reason:         SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
type:           libreport

Comment 7 Justin Albstmeijer 2022-01-13 16:56:39 UTC
Similar problem has been detected:

while doing these upgrades;

#dnf upgrade
Fedora 35 - x86_64 - Updates                     48 kB/s |  15 kB     00:00    
Fedora 35 - x86_64 - Updates                    897 kB/s | 2.1 MB     00:02    
Fedora Modular 35 - x86_64 - Updates             44 kB/s |  22 kB     00:00    
Dependencies resolved.
================================================================================
 Package               Architecture  Version               Repository      Size
================================================================================
Upgrading:
 gnome-desktop3        x86_64        41.3-1.fc35           updates        601 k
 gnome-shell           x86_64        41.3-1.fc35           updates        1.6 M
 mutter                x86_64        41.3-1.fc35           updates        2.3 M

Transaction Summary
================================================================================
Upgrade  3 Packages

Total download size: 4.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): gnome-desktop3-41.2-1.fc35_41.3-1.fc35.x 233 kB/s |  80 kB     00:00    
(2/3): gnome-shell-41.2-1.fc35_41.3-1.fc35.x86_ 390 kB/s | 173 kB     00:00    
(3/3): mutter-41.2-2.fc35_41.3-1.fc35.x86_64.dr 387 kB/s | 217 kB     00:00    
[DRPM 1/3] gnome-desktop3-41.2-1.fc35_41.3-1.fc35.x86_64.drpm: done            
[DRPM 2/3] gnome-shell-41.2-1.fc35_41.3-1.fc35.x86_64.drpm: done               
[DRPM 3/3] mutter-41.2-2.fc35_41.3-1.fc35.x86_64.drpm: done                    
--------------------------------------------------------------------------------
Total                                            71 kB/s | 470 kB     00:06     
Delta RPMs reduced 4.5 MB of updates to 0.5 MB (89.9% saved)
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Upgrading        : gnome-desktop3-41.3-1.fc35.x86_64                      1/6 
  Upgrading        : mutter-41.3-1.fc35.x86_64                              2/6 
  Upgrading        : gnome-shell-41.3-1.fc35.x86_64                         3/6 
  Cleanup          : gnome-shell-41.2-1.fc35.x86_64                         4/6 
  Cleanup          : mutter-41.2-2.fc35.x86_64                              5/6 
  Cleanup          : gnome-desktop3-41.2-1.fc35.x86_64                      6/6 
  Running scriptlet: gnome-desktop3-41.2-1.fc35.x86_64                      6/6 
  Verifying        : gnome-desktop3-41.3-1.fc35.x86_64                      1/6 
  Verifying        : gnome-desktop3-41.2-1.fc35.x86_64                      2/6 
  Verifying        : gnome-shell-41.3-1.fc35.x86_64                         3/6 
  Verifying        : gnome-shell-41.2-1.fc35.x86_64                         4/6 
  Verifying        : mutter-41.3-1.fc35.x86_64                              5/6 
  Verifying        : mutter-41.2-2.fc35.x86_64                              6/6 

Upgraded:
  gnome-desktop3-41.3-1.fc35.x86_64        gnome-shell-41.3-1.fc35.x86_64       
  mutter-41.3-1.fc35.x86_64               

Complete!

hashmarkername: setroubleshoot
kernel:         5.15.13-200.fc35.x86_64
package:        selinux-policy-targeted-35.8-1.fc35.noarch
reason:         SELinux is preventing (o-bridge) from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
type:           libreport

Comment 8 Zdenek Pytela 2022-01-13 21:18:54 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1000

Unfortunately I cannot reproduce it, so it may be incomplete.

For further details on similar problems refer to
https://github.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa

Comment 9 Zdenek Pytela 2022-01-14 08:07:48 UTC
*** Bug 2024445 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2022-01-14 08:07:52 UTC
*** Bug 2039987 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2022-01-18 10:09:41 UTC
FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd

Comment 12 Fedora Update System 2022-01-19 02:11:26 UTC
FEDORA-2022-41fa7610dd has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.