Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1694374 - SELinux is preventing abrt-action-gen from 'map' accesses on the file /run/media/vdiard/LinuxPart/UnrealEngine/Engine/Binaries/Linux/UE4Editor. [NEEDINFO]
Summary: SELinux is preventing abrt-action-gen from 'map' accesses on the file /run/me...
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b01ac38154cceb282c6fd752d69...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-30 21:34 UTC by Valentin Diard
Modified: 2019-04-02 14:32 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
zpytela: needinfo? (valentin.diard)


Attachments (Terms of Use)
File: Diagnostics.txt (deleted)
2019-03-30 21:34 UTC, Valentin Diard
no flags Details

Description Valentin Diard 2019-03-30 21:34:35 UTC
Description of problem:
Occur:

In exection of Unreal Engine 4.22 (Internal Build: Commit 87b58a0cc30ec15765f545769f7c9c27864b65fb).
During a in folder exploration by UE4.

UE4 execute with -vulkan

Issues fix, by this commands:

ausearch -c 'abrt-action-gen' --raw | audit2allow -M my-abrtactiongen
semodule -X 300 -i my-abrtactiongen.pp
Occur: In execute Unreal Engine 4 4.22, internal build.

OS: Fedora 29 (lastest stable build)

SELinux is preventing abrt-action-gen from 'map' accesses on the file /run/media/vdiard/LinuxPart/UnrealEngine/Engine/Binaries/Linux/UE4Editor.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that abrt-action-gen should be allowed map access on the UE4Editor file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-action-gen' --raw | audit2allow -M my-abrtactiongen
# semodule -X 300 -i my-abrtactiongen.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:unlabeled_t:s0
Target Objects                /run/media/vdiard/LinuxPart/UnrealEngine/Engine/Bi
                              naries/Linux/UE4Editor [ file ]
Source                        abrt-action-gen
Source Path                   abrt-action-gen
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.0.3-200.fc29.x86_64 #1 SMP Tue
                              Mar 19 15:07:58 UTC 2019 x86_64 x86_64
Alert Count                   3
First Seen                    2019-03-28 13:31:16 CET
Last Seen                     2019-03-30 22:12:53 CET
Local ID                      56cac398-eea5-493c-8af3-a16915a662f6

Raw Audit Messages
type=AVC msg=audit(1553980373.152:399): avc:  denied  { map } for  pid=11559 comm="abrt-action-gen" path="/run/media/vdiard/LinuxPart/UnrealEngine/Engine/Binaries/Linux/UE4Editor" dev="sda2" ino=16648791 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1


Hash: abrt-action-gen,abrt_t,unlabeled_t,file,map

Version-Release number of selected component:
selinux-policy-3.14.2-51.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.3-200.fc29.x86_64
type:           libreport

Comment 1 Valentin Diard 2019-03-30 21:34:37 UTC
Created attachment 1549933 [details]
File: Diagnostics.txt

Comment 2 Lukas Vrabec 2019-04-01 11:29:32 UTC
Hi, 

Could you please run:

# restorecon -Rv / 

This should fix your issue.

Comment 3 Zdenek Pytela 2019-04-02 14:32:08 UTC
Hi Valentin,

The reason for this SELinux denial is that abrt does not have access to files with the special "unlabeled_t" label: this label is displayed when a file was created in SELinux disabled state or when its actual label does not currently exist. It can happen, for instance, when the volume mounted does not support security attributes, but there also can be other reasons.

One of the ways how to deal with the issue is mounting the volume with a particular label. Turning on the boolean as suggested would allow too much of permissions which should be assessed properly if it is desired.

Is there any actual problem with the application running or is it just the problem with abrt unable to access the file?

Does vendor of the application recommend usage, including labeling of files?


Note You need to log in before you can comment on or make changes to this bug.