SELinux problems with snap and snapd

Hi, I am using snap with Fedora 27 and tried to install spotify and skype.
However, I am getting SELinux errors and can’t start any snap.

Output of snap --version

snap    2.30-1.fc27
snapd   2.30-1.fc27
series  16
fedora  27
kernel  4.15.3-300.fc27.x86_64

In total I received 43 errors all with a similar message (this is just one of the messages):

If you believe that snapd should be allowed write access on the completions directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp

I already switched SELinux to permissive so I could at least start skype, but spotify won’t start in either mode.

@Conan_Kudo Any suggestions here?

It’s pretty obvious. I need to grant snapd access to the bash completions directory, apparently. This is new to me, though. I didn’t know we even support this in snaps (where completions are written out to the main filesystem).

snapd’s been doing that since 2.28… but not that many snaps had completers.

@Conan_Kudo it’s not only completions. I also saw errors about getattr for example. I’ll boot up my system later and compile a list of all SELinux errors

I’m seeing this on Fedora 27 too. Lots and lots of selinux violations.

snapd Version:

Name         : snapd
Version      : 2.30
Release      : 1.fc27
Arch         : x86_64
Size         : 37 M
Source       : snapd-2.30-1.fc27.src.rpm

snapd-selinux

The “snap” one, for example, is on the /home/<user>/snap dir.


This is my output of sudo ausearch -m avc --start recent after a normal start on Fedora.

(I removed spotify and skype alerts since they are installed snaps)

Audit Log
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:161): avc:  denied  { search } for  pid=1284 comm="snap" name="mc" dev="dm-0" ino=2495234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:162): avc:  denied  { read } for  pid=1284 comm="snap" name="passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:163): avc:  denied  { open } for  pid=1284 comm="snap" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:164): avc:  denied  { getattr } for  pid=1284 comm="snap" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:165): avc:  denied  { map } for  pid=1284 comm="snap" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:166): avc:  denied  { write } for  pid=1284 comm="snap" name="nss" dev="dm-0" ino=2494140 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:167): avc:  denied  { connectto } for  pid=1284 comm="snap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.861:168): avc:  denied  { read } for  pid=1284 comm="snap" name="passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.861:169): avc:  denied  { open } for  pid=1284 comm="snap" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.861:170): avc:  denied  { getattr } for  pid=1284 comm="snap" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.877:171): avc:  denied  { write } for  pid=1284 comm="snap" name="snapd.socket" dev="tmpfs" ino=25695 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.877:172): avc:  denied  { connectto } for  pid=1284 comm="snap" path="/run/snapd.socket" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Feb 28 17:33:19 2018
type=AVC msg=audit(1519835599.210:200): avc:  denied  { execute_no_trans } for  pid=1419 comm="snapd" path="/usr/libexec/snapd/snap-seccomp" dev="dm-0" ino=2363949 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_exec_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.694:202): avc:  denied  { read } for  pid=1419 comm="snap-seccomp" name="passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.694:203): avc:  denied  { open } for  pid=1419 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.694:204): avc:  denied  { getattr } for  pid=1419 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.694:205): avc:  denied  { map } for  pid=1419 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.695:206): avc:  denied  { write } for  pid=1419 comm="snap-seccomp" name="nss" dev="dm-0" ino=2494140 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.694:201): avc:  denied  { search } for  pid=1419 comm="snap-seccomp" name="mc" dev="dm-0" ino=2495234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.695:207): avc:  denied  { connectto } for  pid=1419 comm="snap-seccomp" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.695:208): avc:  denied  { read } for  pid=1419 comm="snap-seccomp" name="passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.695:209): avc:  denied  { open } for  pid=1419 comm="snap-seccomp" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:20 2018
type=AVC msg=audit(1519835600.695:210): avc:  denied  { getattr } for  pid=1419 comm="snap-seccomp" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.512:214): avc:  denied  { search } for  pid=1605 comm="snap-seccomp" name="mc" dev="dm-0" ino=2495234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.512:215): avc:  denied  { read } for  pid=1605 comm="snap-seccomp" name="passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.512:216): avc:  denied  { open } for  pid=1605 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.512:217): avc:  denied  { getattr } for  pid=1605 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.512:218): avc:  denied  { map } for  pid=1605 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.513:219): avc:  denied  { read } for  pid=1605 comm="snap-seccomp" name="passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.513:220): avc:  denied  { open } for  pid=1605 comm="snap-seccomp" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:43 2018
type=AVC msg=audit(1519835623.513:221): avc:  denied  { getattr } for  pid=1605 comm="snap-seccomp" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:46 2018
type=AVC msg=audit(1519835626.536:224): avc:  denied  { connectto } for  pid=1634 comm="snap" path="/run/snapd.socket" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Feb 28 17:33:46 2018
type=AVC msg=audit(1519835626.594:225): avc:  denied  { getattr } for  pid=1393 comm="snapd" path="/var/lib/snapd/snap/core/4110/lib64/ld-linux-x86-64.so.2" dev="loop1" ino=2504 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
----
time->Wed Feb 28 17:33:46 2018
type=AVC msg=audit(1519835626.594:226): avc:  denied  { read } for  pid=1393 comm="snapd" name="ld-linux-x86-64.so.2" dev="loop1" ino=2504 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
----
time->Wed Feb 28 17:33:47 2018
type=AVC msg=audit(1519835627.891:227): avc:  denied  { read } for  pid=1393 comm="snapd" name="certs" dev="dm-0" ino=1311562 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:47 2018
type=AVC msg=audit(1519835627.891:228): avc:  denied  { open } for  pid=1393 comm="snapd" path="/etc/pki/tls/certs" dev="dm-0" ino=1311562 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:47 2018
type=AVC msg=audit(1519835627.892:229): avc:  denied  { getattr } for  pid=1393 comm="snapd" path="/etc/pki/tls/certs/ca-bundle.trust.crt" dev="dm-0" ino=1311565 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
----
time->Wed Feb 28 17:33:46 2018
type=AVC msg=audit(1519835626.536:223): avc:  denied  { write } for  pid=1634 comm="snap" name="snapd.socket" dev="tmpfs" ino=25695 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.077:231): avc:  denied  { add_name } for  pid=1393 comm="snapd" name="sections.GspVqCLrSNH5" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.077:232): avc:  denied  { create } for  pid=1393 comm="snapd" name="sections.GspVqCLrSNH5" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.120:233): avc:  denied  { write open } for  pid=1393 comm="snapd" path="/var/cache/snapd/sections.GspVqCLrSNH5" dev="dm-0" ino=2628633 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.120:234): avc:  denied  { read } for  pid=1393 comm="snapd" name="snapd" dev="dm-0" ino=2629283 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.217:235): avc:  denied  { getattr } for  pid=1393 comm="snapd" path="/var/cache/snapd/sections" dev="dm-0" ino=2628613 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.217:236): avc:  denied  { remove_name } for  pid=1393 comm="snapd" name="sections.GspVqCLrSNH5" dev="dm-0" ino=2628633 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.077:230): avc:  denied  { write } for  pid=1393 comm="snapd" name="snapd" dev="dm-0" ino=2629283 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.217:237): avc:  denied  { rename } for  pid=1393 comm="snapd" name="sections.GspVqCLrSNH5" dev="dm-0" ino=2628633 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:33:52 2018
type=AVC msg=audit(1519835632.217:238): avc:  denied  { unlink } for  pid=1393 comm="snapd" name="sections" dev="dm-0" ino=2628613 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:18 2018
type=AVC msg=audit(1519835658.756:249): avc:  denied  { getattr } for  pid=1393 comm="snapd" path="/var/lib/snapd/snap/core/4110/lib64/ld-linux-x86-64.so.2" dev="loop1" ino=2504 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
----
time->Wed Feb 28 17:34:18 2018
type=AVC msg=audit(1519835658.756:250): avc:  denied  { read } for  pid=1393 comm="snapd" name="ld-linux-x86-64.so.2" dev="loop1" ino=2504 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
----
time->Wed Feb 28 17:34:18 2018
type=AVC msg=audit(1519835658.757:251): avc:  denied  { execute } for  pid=1920 comm="snapd" name="ld-2.23.so" dev="loop1" ino=2168 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:18 2018
type=AVC msg=audit(1519835658.757:252): avc:  denied  { execute_no_trans } for  pid=1920 comm="snapd" path="/var/lib/snapd/snap/core/4110/lib/x86_64-linux-gnu/ld-2.23.so" dev="loop1" ino=2168 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:40 2018
type=AVC msg=audit(1519835680.728:284): avc:  denied  { read } for  pid=1393 comm="snapd" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:34:40 2018
type=AVC msg=audit(1519835680.728:285): avc:  denied  { read } for  pid=1393 comm="snapd" name="lost+found" dev="dm-2" ino=11 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:34:40 2018
type=AVC msg=audit(1519835680.728:286): avc:  denied  { dac_read_search } for  pid=1393 comm="snapd" capability=2  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
----
time->Wed Feb 28 17:34:40 2018
type=AVC msg=audit(1519835680.728:287): avc:  denied  { getattr } for  pid=1393 comm="snapd" path="/home/tim/snap/spotify" dev="dm-2" ino=5505985 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:34:40 2018
type=AVC msg=audit(1519835680.728:288): avc:  denied  { read } for  pid=1393 comm="snapd" name="spotify" dev="dm-2" ino=5505985 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:34:40 2018
type=AVC msg=audit(1519835680.728:289): avc:  denied  { open } for  pid=1393 comm="snapd" path="/home/tim/snap/spotify" dev="dm-2" ino=5505985 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.851:309): avc:  denied  { execute_no_trans } for  pid=2928 comm="snapd" path="/usr/libexec/snapd/snap-seccomp" dev="dm-0" ino=2363949 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_exec_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:310): avc:  denied  { search } for  pid=2928 comm="snap-seccomp" name="mc" dev="dm-0" ino=2495234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:311): avc:  denied  { read } for  pid=2928 comm="snap-seccomp" name="passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:312): avc:  denied  { open } for  pid=2928 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:313): avc:  denied  { getattr } for  pid=2928 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:314): avc:  denied  { map } for  pid=2928 comm="snap-seccomp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:315): avc:  denied  { write } for  pid=2928 comm="snap-seccomp" name="nss" dev="dm-0" ino=2494140 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.856:316): avc:  denied  { connectto } for  pid=2928 comm="snap-seccomp" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.857:317): avc:  denied  { read } for  pid=2928 comm="snap-seccomp" name="passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.857:318): avc:  denied  { open } for  pid=2928 comm="snap-seccomp" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:52 2018
type=AVC msg=audit(1519835692.857:319): avc:  denied  { getattr } for  pid=2928 comm="snap-seccomp" path="/etc/passwd" dev="dm-0" ino=1314315 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed Feb 28 17:34:56 2018
type=AVC msg=audit(1519835696.794:324): avc:  denied  { write } for  pid=1634 comm="snap" name="snapd.socket" dev="tmpfs" ino=25695 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Feb 28 17:34:56 2018
type=AVC msg=audit(1519835696.794:325): avc:  denied  { connectto } for  pid=1634 comm="snap" path="/run/snapd.socket" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Feb 28 17:34:54 2018
type=AVC msg=audit(1519835694.096:320): avc:  denied  { write } for  pid=1393 comm="snapd" name="completions" dev="dm-0" ino=2887438 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1

Many of these warnings are caused by the fact that snaps aren’t mounted with the snappy_var_lib_t label (note the unlabeled_t for files from snaps).

I’m a bit surprised by it accessing SSSD, as I don’t recall any specific integration there…

Probably nothing we can do about snap directories at this time, but we could try to at least clean up the denials from snap/snapd/snap-seccomp.

Probably user lookups we do in snap and snap-seccomp. None of these binaries is built statically, so user.Current() goes through glibc getpw*|getgr* counterparts and ends up poking the pieces listed in nsswitch.conf (my bet is sss is one of them).
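The posts above (and the Fedora 28 sealert report further down the thread) describe two different kinds of denial: genuine gaps in the snappy_t policy (sssd/NSS lookups, /var/cache/snapd, the completions directory) and denials against unlabeled_t that come from the snap squashfs being mounted without a label. The sealert recipe `ausearch -c 'snapd' --raw | audit2allow -M my-snapd` would turn both kinds into allow rules indiscriminately. As an added example, not code from snapd or from anyone in this thread, here is a small triage script that parses raw `ausearch -m avc` records, collapses repeats into the distinct rules a module would need, renders them in the .te syntax audit2allow emits, and sets the unlabeled_t denials aside as a labelling problem. It runs on a constructed subset of the records posted above and assumes nothing beyond the Python standard library.

```python
"""Triage SELinux AVC denials before handing them to audit2allow.

Added example, not snapd project code: parses raw `ausearch -m avc`
output like the log in this thread, collapses repeats into distinct
(source type, target type, class) -> permissions rules, renders them in
.te syntax, and flags denials against unlabeled_t as a labelling problem
rather than a missing allow rule.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

@dataclass(frozen=True)
class Denial:
    comm: str
    stype: str          # type field of the subject context (user:role:type[:range])
    ttype: str          # type field of the object context
    tclass: str
    perms: frozenset
    permissive: bool    # permissive=1: the denial was logged, the access went through

def context_type(ctx):
    return ctx.split(":")[2]

def parse_avc(text):
    """Parse every AVC record in text; `time->` and `----` separator lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append(Denial(m["comm"], context_type(m["scontext"]), context_type(m["tcontext"]),
                              m["tclass"], frozenset(m["perms"].split()), m["permissive"] == "1"))
    return out

def collapse(denials):
    """Merge denials into {(stype, ttype, tclass): perms}, one entry per allow rule."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d.stype, d.ttype, d.tclass)] |= d.perms
    return dict(rules)

def triage(rules):
    """Split into 'policy' (missing rule) and 'relabel' (target is unlabeled_t).

    unlabeled_t here is the loop-mounted snap squashfs, which carries no labels at all.
    `allow snappy_t unlabeled_t:file execute` would cover every unlabeled file on the
    box; the fix is a context= mount option or a relabel, not a policy rule.
    """
    groups = {"policy": {}, "relabel": {}}
    for key, perms in rules.items():
        groups["relabel" if key[1] == "unlabeled_t" else "policy"][key] = perms
    return groups

def to_te(rules, module="my-snapd", version="1.0"):
    """Render rules as policy-module source in the shape `audit2allow -M` emits."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        target = "self" if s == t else t   # same-type pairs are written as `self`
        lines.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

# Constructed sample: a subset of the records posted in this thread, in ausearch's raw layout.
SAMPLE_AVC = """\
time->Wed Feb 28 17:33:16 2018
type=AVC msg=audit(1519835596.860:161): avc:  denied  { search } for  pid=1284 comm="snap" name="mc" dev="dm-0" ino=2495234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(1519835596.860:162): avc:  denied  { read } for  pid=1284 comm="snap" name="passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519835596.860:163): avc:  denied  { open } for  pid=1284 comm="snap" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=2495133 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519835596.860:167): avc:  denied  { connectto } for  pid=1284 comm="snap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1519835600.694:201): avc:  denied  { search } for  pid=1419 comm="snap-seccomp" name="mc" dev="dm-0" ino=2495234 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1519835626.594:225): avc:  denied  { getattr } for  pid=1393 comm="snapd" path="/var/lib/snapd/snap/core/4110/lib64/ld-linux-x86-64.so.2" dev="loop1" ino=2504 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1519835658.757:251): avc:  denied  { execute } for  pid=1920 comm="snapd" name="ld-2.23.so" dev="loop1" ino=2168 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519835632.120:233): avc:  denied  { write open } for  pid=1393 comm="snapd" path="/var/cache/snapd/sections.GspVqCLrSNH5" dev="dm-0" ino=2628633 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519835680.728:286): avc:  denied  { dac_read_search } for  pid=1393 comm="snapd" capability=2  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1519835694.096:320): avc:  denied  { write } for  pid=1393 comm="snapd" name="completions" dev="dm-0" ino=2887438 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
"""

if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    groups = triage(collapse(denials))
    print("all records logged in permissive mode:", all(d.permissive for d in denials))
    print(f"{len(groups['relabel'])} rule(s) are labelling problems, not policy:", *groups["relabel"])
    print(to_te(groups["policy"]))
```

Read the rendered module before installing anything with `semodule -i`: every `allow` line is a permanent widening of snappy_t, and a line such as `allow snappy_t unlabeled_t:file execute` would never appear in the output here because those denials are routed to the relabel bucket instead. Note also that every record in the thread carries `permissive=1`, which the parser exposes: these are things snapd actually did, not things SELinux stopped.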

I ended up uninstalling snapd because the selinux warnings were just too annoying :\ I’m looking forward to trying it again in the future when hopefully the integration is better.

This is what it looks like on Fedora 28 with the /snap symlink created and no snaps installed:

found 12 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing snapd from write access on the directory /var/cache/snapd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed write access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd [ dir ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           snapd-2.32.4-1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      a416f1a0-f3ce-41b1-920d-ca55182bed2c

Raw Audit Messages
type=AVC msg=audit(1525299193.577:287): avc:  denied  { write } for  pid=2795 comm="snapd" name="snapd" dev="sda2" ino=1182660 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1


Hash: snapd,snappy_t,var_t,dir,write

--------------------------------------------------------------------------------

SELinux is preventing snapd from add_name access on the directory sections.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed add_name access on the sections directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                sections [ dir ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      62f6ac35-7a8a-4f05-9d28-756d05d20d0d

Raw Audit Messages
type=AVC msg=audit(1525299193.577:290): avc:  denied  { add_name } for  pid=2795 comm="snapd" name="sections" dev="sda2" ino=1182386 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1


Hash: snapd,snappy_t,var_t,dir,add_name

--------------------------------------------------------------------------------

SELinux is preventing snapd from create access on the file sections.gkdQ8ggJqylT~.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed create access on the sections.gkdQ8ggJqylT~ file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                sections.gkdQ8ggJqylT~ [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:10 CEST
Local ID                      ea281a12-8964-483d-ac00-1bc8c9d236b7

Raw Audit Messages
type=AVC msg=audit(1525299190.927:281): avc:  denied  { create } for  pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,create

--------------------------------------------------------------------------------

SELinux is preventing snapd from 'write, open' accesses on the file /var/cache/snapd/sections.gkdQ8ggJqylT~.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed write open access on the sections.gkdQ8ggJqylT~ file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd/sections.gkdQ8ggJqylT~ [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:10 CEST
Local ID                      029932f9-331f-45cd-b333-a117fe847f88

Raw Audit Messages
type=AVC msg=audit(1525299190.938:282): avc:  denied  { write open } for  pid=2795 comm="snapd" path="/var/cache/snapd/sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,write,open

--------------------------------------------------------------------------------

SELinux is preventing snapd from read access on the directory /var/cache/snapd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed read access on the snapd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd [ dir ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           snapd-2.32.4-1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:16 CEST
Local ID                      e5f8da6b-6246-45b9-8ad1-2eff451a9ace

Raw Audit Messages
type=AVC msg=audit(1525299196.543:295): avc:  denied  { read } for  pid=2795 comm="snapd" name="snapd" dev="sda2" ino=1182660 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1


Hash: snapd,snappy_t,var_t,dir,read

--------------------------------------------------------------------------------

SELinux is preventing snapd from remove_name access on the directory sections.gkdQ8ggJqylT~.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed remove_name access on the sections.gkdQ8ggJqylT~ directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                sections.gkdQ8ggJqylT~ [ dir ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      710eb85b-530c-44cd-96e2-a88774335eb2

Raw Audit Messages
type=AVC msg=audit(1525299193.577:288): avc:  denied  { remove_name } for  pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1


Hash: snapd,snappy_t,var_t,dir,remove_name

--------------------------------------------------------------------------------

SELinux is preventing snapd from rename access on the file sections.gkdQ8ggJqylT~.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed rename access on the sections.gkdQ8ggJqylT~ file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                sections.gkdQ8ggJqylT~ [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      4c0814d6-ba95-4eb8-8d8d-bcea41e41c89

Raw Audit Messages
type=AVC msg=audit(1525299193.577:289): avc:  denied  { rename } for  pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,rename

--------------------------------------------------------------------------------

SELinux is preventing snapd from read access on the file /var/cache/snapd/commands.db.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed read access on the commands.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd/commands.db [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      a70b460a-db40-409d-bc1a-c95b06f46079

Raw Audit Messages
type=AVC msg=audit(1525299193.582:292): avc:  denied  { read } for  pid=2795 comm="snapd" name="commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,read

--------------------------------------------------------------------------------

SELinux is preventing snapd from lock access on the file /var/cache/snapd/commands.db.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed lock access on the commands.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd/commands.db [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      41f2bc30-8bcf-457f-b291-3c423d20e8e3

Raw Audit Messages
type=AVC msg=audit(1525299193.582:293): avc:  denied  { lock } for  pid=2795 comm="snapd" path="/var/cache/snapd/commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,lock

--------------------------------------------------------------------------------

SELinux is preventing snapd from getattr access on the file /var/cache/snapd/sections.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed getattr access on the sections file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd/sections [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      497de857-4e50-49e6-b797-84fb16d1bf54

Raw Audit Messages
type=AVC msg=audit(1525299193.577:286): avc:  denied  { getattr } for  pid=2795 comm="snapd" path="/var/cache/snapd/sections" dev="sda2" ino=1182386 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing snapd from map access on the file /var/cache/snapd/commands.db.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed map access on the commands.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/snapd/commands.db [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   5
First Seen                    2018-05-02 01:23:17 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      7b20662f-ffe2-4ee4-8758-8054402489c9

Raw Audit Messages
type=AVC msg=audit(1525299193.590:294): avc:  denied  { map } for  pid=2795 comm="snapd" path="/var/cache/snapd/commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,map

--------------------------------------------------------------------------------

SELinux is preventing snapd from unlink access on the file sections.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapd should be allowed unlink access on the sections file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp


Additional Information:
Source Context                system_u:system_r:snappy_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                sections [ file ]
Source                        snapd
Source Path                   snapd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.16.5-300.fc28.x86_64
                              #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-05-02 09:50:48 CEST
Last Seen                     2018-05-03 00:13:13 CEST
Local ID                      4e8f7351-33fa-4644-901d-63f374b2566e

Raw Audit Messages
type=AVC msg=audit(1525299193.577:291): avc:  denied  { unlink } for  pid=2795 comm="snapd" name="sections" dev="sda2" ino=1182386 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1


Hash: snapd,snappy_t,var_t,file,unlink

They are related to /var/cache/snap and should be easy to fix by someone who knows SELinux.
CC @Conan_Kudo

The SELinux box flickering because of snaps for half a minute is really annoying.
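As an added example (not code from this thread, snapd, or setroubleshoot), here is a small Python triage script that parses raw AVC records like the ones pasted above and groups them by source type, target type and object class, which is the view a policy author wants before deciding between a local allow module and a relabel. The sample records are copied from this post; the rule rendering mirrors the shape of what `audit2allow -M` would emit.

```python
import re
from collections import defaultdict

# Constructed sample input: five of the raw AVC records from the sealert output in this thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1525299190.938:282): avc:  denied  { write open } for  pid=2795 comm="snapd" path="/var/cache/snapd/sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1525299196.543:295): avc:  denied  { read } for  pid=2795 comm="snapd" name="snapd" dev="sda2" ino=1182660 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1525299193.577:288): avc:  denied  { remove_name } for  pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1525299193.577:289): avc:  denied  { rename } for  pid=2795 comm="snapd" name="sections.gkdQ8ggJqylT~" dev="sda2" ino=1187637 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1525299193.582:293): avc:  denied  { lock } for  pid=2795 comm="snapd" path="/var/cache/snapd/commands.db" dev="sda2" ino=1182965 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['action'] = m.group('action')
    fields['perms'] = set(m.group('perms').split())
    # The object shows up as path= (open file descriptor) or name= (directory entry).
    fields['object'] = fields.get('path') or fields.get('name', '?')
    return fields

def ctx_type(ctx):
    """user:role:type:level -> type, e.g. system_u:object_r:var_t:s0 -> var_t."""
    return ctx.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set(), 'count': 0, 'enforced': False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['action'] != 'denied':
            continue
        g = groups[(ctx_type(rec['scontext']), ctx_type(rec['tcontext']), rec['tclass'])]
        g['perms'] |= rec['perms']
        g['objects'].add(rec['object'])
        g['count'] += 1
        # permissive=0 means the access was actually blocked, not merely logged.
        g['enforced'] |= rec.get('permissive') == '0'
    return dict(groups)

def as_te_rules(groups):
    """Render the allow rules audit2allow would derive from these groups. Every target here is
    the generic var_t type, so such rules open all var_t files to snappy_t; that is the hint
    that a file-context rule giving /var/cache/snapd its own type is the better fix."""
    rules = []
    for (src, tgt, cls), g in groups.items():
        rules.append(f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(g["perms"]))} }};')
    return sorted(rules)
```

Running `summarize(SAMPLE_AVC)` collapses the nine separate alerts in this post into two groups (snappy_t on var_t for class file and class dir), which makes the common cause, a mislabelled directory, visible at a glance.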