This is how it looks on Fedora 28 with the /snap symlink created and no snaps installed:
found 12 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing snapd from write access on the directory /var/cache/snapd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed write access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd [ dir ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages snapd-2.32.4-1.fc28.x86_64
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 6
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID a416f1a0-f3ce-41b1-920d-ca55182bed2c
Raw Audit Messages
type=AVC msg=audit(1525299193.577:287): avc: denied { write } for pid=2795 comm="snapd" name="snapd" dev="sda2" ino=1182660 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
Hash: snapd,snappy_t,var_t,dir,write
--------------------------------------------------------------------------------
SELinux is preventing snapd from add_name access on the directory sections.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed add_name access on the sections directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects sections [ dir ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 6
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 62f6ac35-7a8a-4f05-9d28-756d05d20d0d
Raw Audit Messages
type=AVC msg=audit(1525299193.577:290): avc: denied { add_name } for pid=2795 comm="snapd" name="sections" dev="sda2" ino=1182386 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
Hash: snapd,snappy_t,var_t,dir,add_name
--------------------------------------------------------------------------------
SELinux is preventing snapd from create access on the file sections.gkdQ8ggJqylT~.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed create access on the sections.gkdQ8ggJqylT~ file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects sections.gkdQ8ggJqylT~ [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:10 CEST
Local ID ea281a12-8964-483d-ac00-1bc8c9d236b7
Raw Audit Messages
type=AVC msg=audit(1525299190.927:281): avc: denied { create } for pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,create
--------------------------------------------------------------------------------
SELinux is preventing snapd from 'write, open' accesses on the file /var/cache/snapd/sections.gkdQ8ggJqylT~.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed write open access on the sections.gkdQ8ggJqylT~ file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd/sections.gkdQ8ggJqylT~ [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:10 CEST
Local ID 029932f9-331f-45cd-b333-a117fe847f88
Raw Audit Messages
type=AVC msg=audit(1525299190.938:282): avc: denied { write open } for pid=2795 comm="snapd" path="/var/cache/snapd/sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,write,open
--------------------------------------------------------------------------------
SELinux is preventing snapd from read access on the directory /var/cache/snapd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed read access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd [ dir ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages snapd-2.32.4-1.fc28.x86_64
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 6
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:16 CEST
Local ID e5f8da6b-6246-45b9-8ad1-2eff451a9ace
Raw Audit Messages
type=AVC msg=audit(1525299196.543:295): avc: denied { read } for pid=2795 comm="snapd" name="snapd" dev="sda2" ino=1182660 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
Hash: snapd,snappy_t,var_t,dir,read
--------------------------------------------------------------------------------
SELinux is preventing snapd from remove_name access on the directory sections.gkdQ8ggJqylT~.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed remove_name access on the sections.gkdQ8ggJqylT~ directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects sections.gkdQ8ggJqylT~ [ dir ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 710eb85b-530c-44cd-96e2-a88774335eb2
Raw Audit Messages
type=AVC msg=audit(1525299193.577:288): avc: denied { remove_name } for pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
Hash: snapd,snappy_t,var_t,dir,remove_name
--------------------------------------------------------------------------------
SELinux is preventing snapd from rename access on the file sections.gkdQ8ggJqylT~.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed rename access on the sections.gkdQ8ggJqylT~ file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects sections.gkdQ8ggJqylT~ [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 4c0814d6-ba95-4eb8-8d8d-bcea41e41c89
Raw Audit Messages
type=AVC msg=audit(1525299193.577:289): avc: denied { rename } for pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,rename
--------------------------------------------------------------------------------
SELinux is preventing snapd from read access on the file /var/cache/snapd/commands.db.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed read access on the commands.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd/commands.db [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID a70b460a-db40-409d-bc1a-c95b06f46079
Raw Audit Messages
type=AVC msg=audit(1525299193.582:292): avc: denied { read } for pid=2795 comm="snapd" name="commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,read
--------------------------------------------------------------------------------
SELinux is preventing snapd from lock access on the file /var/cache/snapd/commands.db.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed lock access on the commands.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd/commands.db [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 41f2bc30-8bcf-457f-b291-3c423d20e8e3
Raw Audit Messages
type=AVC msg=audit(1525299193.582:293): avc: denied { lock } for pid=2795 comm="snapd" path="/var/cache/snapd/commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,lock
--------------------------------------------------------------------------------
SELinux is preventing snapd from getattr access on the file /var/cache/snapd/sections.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed getattr access on the sections file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd/sections [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 497de857-4e50-49e6-b797-84fb16d1bf54
Raw Audit Messages
type=AVC msg=audit(1525299193.577:286): avc: denied { getattr } for pid=2795 comm="snapd" path="/var/cache/snapd/sections" dev="sda2" ino=1182386 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,getattr
--------------------------------------------------------------------------------
SELinux is preventing snapd from map access on the file /var/cache/snapd/commands.db.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed map access on the commands.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/snapd/commands.db [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-05-02 01:23:17 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 7b20662f-ffe2-4ee4-8758-8054402489c9
Raw Audit Messages
type=AVC msg=audit(1525299193.590:294): avc: denied { map } for pid=2795 comm="snapd" path="/var/cache/snapd/commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,map
--------------------------------------------------------------------------------
SELinux is preventing snapd from unlink access on the file sections.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed unlink access on the sections file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects sections [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.16.5-300.fc28.x86_64
#1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count 4
First Seen 2018-05-02 09:50:48 CEST
Last Seen 2018-05-03 00:13:13 CEST
Local ID 4e8f7351-33fa-4644-901d-63f374b2566e
Raw Audit Messages
type=AVC msg=audit(1525299193.577:291): avc: denied { unlink } for pid=2795 comm="snapd" name="sections" dev="sda2" ino=1182386 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,var_t,file,unlink
They are related to /var/cache/snap and should be easy to fix by someone who knows SELinux.
CC @Conan_Kudo
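As an added triage helper (an editor's example, not code from the post above or from snapd), this parses AVC records like the "Raw Audit Messages" in the dump, collapses them the way audit2allow does (source type, target type, object class, union of permissions), and flags that every denial targets the generic var_t label, which suggests the objects under /var/cache/snapd are simply not labeled with a snapd-specific type rather than that snappy_t needs access to all of var_t. The sample records are constructed from the dump (plus one non-AVC line), and the GENERIC_TARGET_TYPES set is the editor's judgement, not anything the page states.

```python
import re
from collections import defaultdict
# Constructed sample (not the post's audit.log), in the shape of the "Raw Audit
# Messages" above, plus one non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1525299193.577:287): avc: denied { write } for pid=2795 comm="snapd" name="snapd" dev="sda2" ino=1182660 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1525299193.582:292): avc: denied { read } for pid=2795 comm="snapd" name="commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1525299190.938:282): avc: denied { write open } for pid=2795 comm="snapd" path="/var/cache/snapd/sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1525299190.938:282): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(  # \s+ also accepts raw audit.log's double spaces around "denied"
    r"type=AVC msg=audit\([\d.]+:\d+\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Broad fallback labels (editor's judgement): a hit here usually means a mislabeled object.
GENERIC_TARGET_TYPES = {"var_t", "default_t", "unlabeled_t"}

def context_type(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> the type that allow rules key on

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "denied": m.group("verdict") == "denied",
        "perms": frozenset(m.group("perms").split()),
        "object": f.get("path") or f.get("name"),  # path= is present only when known
        "source_type": context_type(f["scontext"]),
        "target_type": context_type(f["tcontext"]),
        "tclass": f["tclass"],
    }

def summarize(log_text):
    """(source type, target type, class) -> union of denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["denied"]:
            needed[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

def allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def generic_target_hits(summary):
    """Keys whose target is a fallback type: candidates for a file-context fix instead."""
    return sorted(k for k in summary if k[1] in GENERIC_TARGET_TYPES)
```

Every record in the dump also carries permissive=1, meaning the access was logged but not blocked, so the rules above show what the policy is currently missing rather than what is breaking snapd today.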