Bug 1514800 - SELinux is preventing systemd from 'read' accesses on the lnk_file /var/lib/snapd/snap/core/current.
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:45114e32a5d27890c3fc9be4f70...
Duplicates: 1514801 1514802 1514804 1514805 1514807 1514808 1514809 1514810 1514811 1514812 1514813
Depends On:
Blocks:
Reported: 2017-11-18 17:22 UTC by Predrag
Modified: 2018-05-04 12:44 UTC (History)
53 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-20 12:50:58 UTC



Description Predrag 2017-11-18 17:22:36 UTC
Description of problem:
SELinux is preventing systemd from 'read' accesses on the lnk_file /var/lib/snapd/snap/core/current.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed read access on the current lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:snappy_var_lib_t:s0
Target Objects                /var/lib/snapd/snap/core/current [ lnk_file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.12.13-300.fc26.x86_64 #1 SMP Thu
                              Sep 14 16:00:38 UTC 2017 x86_64 x86_64
Alert Count                   23
First Seen                    2017-06-02 21:51:26 CEST
Last Seen                     2017-09-30 14:27:59 CEST
Local ID                      b92921f9-a2a8-4935-9828-538030836418

Raw Audit Messages
type=AVC msg=audit(1506774479.970:155): avc:  denied  { read } for  pid=1 comm="systemd" name="current" dev="dm-1" ino=2100022 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=lnk_file permissive=0


Hash: systemd,init_t,snappy_var_lib_t,lnk_file,read


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.12-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1444808
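
Added example, not part of the original report: a small parser that turns raw AVC records into the same kind of key as the `Hash:` line above and renders the allow rule a local module built with `audit2allow -M` would contain, so the rule can be read before anything is loaded with `semodule`. The first sample record is the one quoted in this report; the other records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the raw audit message quoted in this report. Lines 2-4 are
# constructed for illustration: a repeat, a getattr on the same object, and a
# non-AVC record that must be skipped.
_CTX = ("scontext=system_u:system_r:init_t:s0 "
        "tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=lnk_file permissive=0")
_OBJ = 'pid=1 comm="systemd" name="current" dev="dm-1" ino=2100022 ' + _CTX
SAMPLE_AUDIT_LOG = "\n".join([
    "type=AVC msg=audit(1506774479.970:155): avc:  denied  { read } for  " + _OBJ,
    "type=AVC msg=audit(1506774480.120:156): avc:  denied  { read } for  " + _OBJ,
    "type=AVC msg=audit(1506774481.300:157): avc:  denied  { getattr } for  " + _OBJ,
    "type=SYSCALL msg=audit(1506774481.300:157): arch=c000003e syscall=89 success=no",
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # Contexts are user:role:type:level; a policy rule only uses the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return {"comm": fields.get("comm", "?"), "source": source, "target": target,
                "tclass": fields["tclass"], "perms": sorted(m.group("perms").split())}
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def signature(avc):
    """Dedup key laid out like the report's 'Hash:' line."""
    return ",".join([avc["comm"], avc["source"], avc["target"], avc["tclass"], *avc["perms"]])


def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        g = groups[(avc["source"], avc["target"], avc["tclass"])]
        g["perms"].update(avc["perms"])
        g["count"] += 1
    return dict(groups)


def candidate_rules(groups):
    """Render the allow rules a local module would need, for review before loading."""
    rules = []
    for (source, target, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules
```

Grouping by type pair rather than by alert shows how many distinct rules a burst of notifications actually corresponds to; here three denials collapse into one rule on `snappy_var_lib_t`.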

Comment 1 Lukas Vrabec 2017-11-20 12:35:11 UTC
*** Bug 1514801 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2017-11-20 12:35:22 UTC
*** Bug 1514802 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2017-11-20 12:35:31 UTC
*** Bug 1514804 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2017-11-20 12:35:37 UTC
*** Bug 1514805 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2017-11-20 12:35:55 UTC
*** Bug 1514807 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2017-11-20 12:35:59 UTC
*** Bug 1514808 has been marked as a duplicate of this bug. ***

Comment 7 Lukas Vrabec 2017-11-20 12:36:07 UTC
*** Bug 1514809 has been marked as a duplicate of this bug. ***

Comment 8 Lukas Vrabec 2017-11-20 12:36:15 UTC
*** Bug 1514810 has been marked as a duplicate of this bug. ***

Comment 9 Lukas Vrabec 2017-11-20 12:36:23 UTC
*** Bug 1514811 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2017-11-20 12:36:29 UTC
*** Bug 1514812 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2017-11-20 12:36:43 UTC
*** Bug 1514813 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Vrabec 2017-11-20 12:50:58 UTC
Hi, 

I closed all bugs related to the snappy_t SELinux domain because, as I said, this module is not part of the distribution selinux-policy rpm package. I'm here to help with this policy if you point me to the right repository with policy sources.

Closing this as CANTFIX. 

Lukas.

Comment 13 rugk 2017-11-20 19:38:10 UTC
Description of problem:
browsing in Nautilus/maybe NextCloud has something to do with it

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.12-300.fc27.x86_64
type:           libreport

Comment 14 rugk 2017-12-02 09:47:31 UTC
Description of problem:
user login

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.15-300.fc27.x86_64
type:           libreport

Comment 15 rugk 2017-12-02 09:59:26 UTC
> I'm here to help with this policy if you point me to right repository with policy sources. 

Ah, all right. I assume it happens, because I have installed VLC from https://rpmfusion.org/.

Just reported it there, too: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4725


Also seems to be related to Bug 1520031, Bug 1520032.
Also this happens from time to time:
setroubleshootd: SELinux is preventing snapd from getattr access on the lnk_file /etc/pki/tls/certs/ca-bundle.crt. For complete SELinux messages run: sealert -l 9cb8f0c9-ec37-4490-be62-97a6cffc550d

Comment 16 Nicolas Chauvet (kwizart) 2017-12-02 10:05:47 UTC
(In reply to rugk from comment #15)
> > I'm here to help with this policy if you point me to right repository with policy sources. 
> 
> Ah, all right. I assume it happens, because I have installed VLC from
> https://rpmfusion.org/.
NACK

vlc in rpmfusion can't cope with snapd. Sorry, you need to set a better description of your issue.

Comment 17 katrino.djx 2018-02-02 18:57:11 UTC
Description of problem:
sudo dnf install snapd
sudo ln -s /var/lib/snapd/snap /snap
snap install spotify

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

Comment 18 Marcel Samyn 2018-02-04 08:54:06 UTC
Description of problem:
I installed snapd (`sudo dnf install snapd`) and installed Spotify (`sudo snap install spotify`). All kinds of AVC denials came up during the install of snapd, spotify and launching spotify. 
Spotify doesn't launch. I tried reinstalling snapd and its dependencies.

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.16-300.fc27.x86_64
type:           libreport

Comment 19 Steffen Scheib 2018-02-08 10:54:11 UTC
Description of problem:
Installed snapd (sudo dnf install snapd). During the installation process several SELinux denials are raised

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.16-300.fc27.x86_64
type:           libreport

Comment 20 Jonathan 2018-02-14 20:23:26 UTC
Description of problem:
I am told that snapd is requesting permissions, but it never worked on my PC, so I removed it with the command:
"sudo dnf remove snapd"
And despite the fact that it is no longer on my PC, it still asks me for permissions, which is strange.

The computer said to me snapd request authorisation but the problem it's simple I remove snapd because it doesn't work:
"sudo dnf remove snapd"
And weirdly it ask authorisation again but I don't find it in my system

Sorry if my translation is not good I learn English the best  I can.

Version-Release number of selected component:
selinux-policy-3.13.1-283.19.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.18-300.fc27.x86_64
type:           libreport

Comment 21 Joshua Rich 2018-02-20 12:03:51 UTC
Description of problem:
Installed snapd. Rebooted.  Getting this message.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.3-300.fc27.x86_64
type:           libreport

Comment 22 Daniel Linder 2018-02-24 19:45:50 UTC
Description of problem:
Followed the directions to install Spotify under Fedora from the FedoraProject.org wiki:
https://fedoraproject.org/wiki/Spotify

These are the three steps:
sudo dnf install snapd
sudo ln -s /var/lib/snapd/snap /snap
snap install spotify

The alert came up during the "snap install spotify" command.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.4-300.fc27.x86_64
type:           libreport

Comment 23 Andre Brait 2018-02-27 02:12:53 UTC
Description of problem:
Just enable snappy support in GNOME software and the pop up from SELinux will start appearing every couple seconds.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.4-300.fc27.x86_64
type:           libreport

Comment 24 Andre Brait 2018-02-27 02:15:12 UTC
Description of problem:
Enable Snappy support in GNOME software.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.4-300.fc27.x86_64
type:           libreport

Comment 25 Andre Brait 2018-02-27 02:16:19 UTC
Description of problem:
Enabling Snappy support in GNOME Software.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.4-300.fc27.x86_64
type:           libreport

Comment 26 Gregor D. 2018-03-08 08:35:57 UTC
Description of problem:
I got this error after login into my user after fresh boot.

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Comment 27 Sai Krishna 2018-03-08 17:09:52 UTC
Description of problem:
restarting the system shows multiple such errors and keeps on showing them.

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Comment 28 Michael Morasch 2018-03-11 16:09:22 UTC
Description of problem:
Booted from external hard drive via USB3-1, did nothing else..

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Comment 29 Adam Farden 2018-03-11 18:26:27 UTC
Description of problem:
sudo dnf install snapd

After this SELinux goes wild - 50+ denials then PC locked up. After hard reset I had to immediately uninstall snapd due to a steady stream of SELinux denials.

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Comment 30 Zsolt Doszkoty 2018-03-15 14:01:38 UTC
Description of problem:
SELinux blocking every snapd access not just 'getattr'. There are 40 other snapd function call alerts.

After installing the snapd package the problem starts immediately.

Snapd version is:
snapd   2.31.1-2.fc27


Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.8-300.fc27.x86_64
type:           libreport

Comment 31 Niki 2018-03-17 04:04:37 UTC
Description of problem:
I install snap

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.9-300.fc27.x86_64
type:           libreport

Comment 32 Diego Ordenes 2018-03-18 15:50:29 UTC
Description of problem:
I just turned on my pc and the notification pop-up, I don't even know what this problem is.

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.8-300.fc27.x86_64
type:           libreport

Comment 33 Matthew Brabham 2018-03-19 13:50:56 UTC
Description of problem:
just using a snap, phpstorm, from snapcraft.


Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.9-300.fc27.x86_64
type:           libreport

Comment 34 Ignacio 2018-03-20 13:13:22 UTC
Description of problem:
after the system update, remmina remote desktop does not work anymore, the last update

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.9-300.fc27.x86_64
type:           libreport

Comment 35 Javier Caride 2018-03-26 08:34:57 UTC
Description of problem:
Opening hiri e-mail client installed as a snap

Version-Release number of selected component:
selinux-policy-3.13.1-283.28.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.10-300.fc27.x86_64
type:           libreport

Comment 36 mister_t_stauss 2018-03-29 01:24:57 UTC
Description of problem:
I was watching a Hulu movie and the SELinux alert came up.  I recently installed the "snapd" package from Ubuntu, installed one trial "Snap", and I have been receiving SELinux alerts ever since.

Version-Release number of selected component:
selinux-policy-3.13.1-283.28.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.10-300.fc27.x86_64
type:           libreport

Comment 37 adrian.hasse 2018-03-31 17:08:24 UTC
Description of problem:
I installed snapd and afterwards the snap-package spotify

Version-Release number of selected component:
selinux-policy-3.13.1-283.29.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.13-300.fc27.x86_64
type:           libreport

Comment 38 Stephen A. Jarjoura 2018-04-02 14:27:01 UTC
Description of problem:
1) start laptop
2) enter password for encrypted harddrive
3) enter password for desktop session
4) GDM crashes and restarts
5) enter password for desktop session, again
6) logged in, but with reported error

Version-Release number of selected component:
selinux-policy-3.13.1-283.29.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.12-301.fc27.x86_64
type:           libreport

Comment 39 Anatoli Babenia 2018-04-08 06:49:39 UTC
Description of problem:
It just started to show. I don't know what is causing this. Maybe autoupdates.

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.14-300.fc27.x86_64
type:           libreport

Comment 40 Checho Molinero 2018-04-15 15:32:11 UTC
Description of problem:
It just appeared as a notification. I understand systemd must have access to any file

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.15-300.fc27.x86_64
type:           libreport

Comment 41 Anass Ahmed 2018-04-15 15:40:54 UTC
(In reply to Checho Molinero from comment #40)
> Description of problem:
> It just appeared as a notification. I understand systemd must have access to
> any file

I believe it's another systemd inside snap.

Comment 42 mr_heroin 2018-04-23 15:28:45 UTC
Description of problem:
Installed snapd & Spotify snap. Spotify works fine but SELinux throws a bunch of repetitive alerts. 

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.17-300.fc27.x86_64
type:           libreport

Comment 43 edo 2018-04-26 16:50:02 UTC
Description of problem:
I got this bug when I boot my computer

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.17-300.fc27.x86_64
type:           libreport

Comment 44 Gregório Bonfante Borba 2018-04-27 02:56:03 UTC
*** Bug 1572444 has been marked as a duplicate of this bug. ***

Comment 45 Raman Gupta 2018-04-28 16:38:53 UTC
Description of problem:
Running snapd

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.3-200.fc27.x86_64
type:           libreport

Comment 46 Raman Gupta 2018-04-28 16:42:39 UTC
(In reply to Adam Farden from comment #29)
> Description of problem:
> sudo dnf install snapd
> 
> After this SELinux goes wild - 50+ denials then PC locked up. After hard
> reset I had to immediately uninstall snapd due to a steady stream of SELinux
> denials.

I had this problem too -- many selinux denials and then lock up. It wasn't a complete system hang, but X died. snapd on Fedora seems unusable for now.

Comment 47 Luis A O Cauro 2018-04-30 00:28:31 UTC
Description of problem:
After installing Spotify with snap, and on rebooting and launching it, this error popped up; after about 3 minutes the application started.

Version-Release number of selected component:
selinux-policy-3.13.1-283.32.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 48 Adrian Duque 2018-05-01 19:17:58 UTC
Description of problem:
When shutting down or restarting the PC, it does not power off unless I press the button and hold it down.

Version-Release number of selected component:
selinux-policy-3.13.1-283.32.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.5-200.fc27.x86_64
type:           libreport

Comment 49 ketarino 2018-05-04 12:44:51 UTC
Description of problem:
This happened after a fresh install of snapd, when trying to install notepadqq (#snap install notepadqq) after that, 
I got multiple SElinux notifications. (https://imgur.com/a/dvsZMSa)
(snapd was installed using  #dnf install snapd; #ln -s /var/lib/snapd/snap /snap)
System is Fedora 27 xfce



Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.17-300.fc27.x86_64
type:           libreport

