I saw SELinux violations while uninstalling the authy snaps on a freshly installed Fedora 31 machine. Unfortunately this is not 100% reproducible.
Here are the audit logs; they have to do with /home/username/snap/authy/1/.config/user-dirs.locale as far as I can see:
SELinux is preventing tar from getattr access on the file /home/username/snap/authy/1/.config/user-dirs.locale.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/home/username/snap/authy/1/.config/user-dirs.locale default label should be snappy_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/username/snap/authy/1/.config/user-dirs.locale
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that tar should be allowed getattr access on the user-dirs.locale file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tar' --raw | audit2allow -M my-tar
# semodule -X 300 -i my-tar.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context unconfined_u:object_r:config_home_t:s0
Target Objects /home/username/snap/authy/1/.config/user-dirs.locale [ file ]
Source tar
Source Path tar
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-3.14.4-50.fc31.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 5.5.17-200.fc31.x86_64
#1 SMP Mon Apr 13 15:29:42 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-04-24 11:16:28 CEST
Last Seen 2020-04-24 11:16:28 CEST
Local ID c4c07830-2176-4b55-801d-968e19f9e8ff
Raw Audit Messages
type=AVC msg=audit(1587719788.414:301): avc: denied { getattr } for pid=2522 comm="tar" path="/home/username/snap/authy/1/.config/user-dirs.locale" dev="dm-0" ino=305825 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
Hash: tar,snappy_t,config_home_t,file,getattr
SELinux is preventing snapd from unlink access on the file user-dirs.locale.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that snapd should be allowed unlink access on the user-dirs.locale file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapd' --raw | audit2allow -M my-snapd
# semodule -X 300 -i my-snapd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context unconfined_u:object_r:config_home_t:s0
Target Objects user-dirs.locale [ file ]
Source snapd
Source Path snapd
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-3.14.4-50.fc31.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 5.5.17-200.fc31.x86_64
#1 SMP Mon Apr 13 15:29:42 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-04-24 11:16:28 CEST
Last Seen 2020-04-24 11:16:28 CEST
Local ID 9be0b446-a474-4114-931f-2e6fde062fd6
Raw Audit Messages
type=AVC msg=audit(1587719788.922:306): avc: denied { unlink } for pid=2417 comm="snapd" name="user-dirs.locale" dev="dm-0" ino=305825 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
Hash: snapd,snappy_t,config_home_t,file,unlink
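
For triage, the following Python script is an added example (not part of the original post and not snapd or setroubleshoot code). It parses the two raw AVC records quoted above, groups them by device and inode, and reports whether the target type differs from the default label named by the restorecon plugin and whether any access was actually blocked. The function names and the `EXPECTED_TYPE` constant are assumptions introduced here.

```python
import re
from collections import defaultdict

# Raw AVC records copied from the post above.
AUDIT_LINES = [
    'type=AVC msg=audit(1587719788.414:301): avc: denied { getattr } for pid=2522 comm="tar" path="/home/username/snap/authy/1/.config/user-dirs.locale" dev="dm-0" ino=305825 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1587719788.922:306): avc: denied { unlink } for pid=2417 comm="snapd" name="user-dirs.locale" dev="dm-0" ino=305825 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1',
]
# Assumption: expected type taken from the restorecon plugin's suggestion in the post.
EXPECTED_TYPE = "snappy_home_t"

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the denial was logged but the access was not blocked.
    rec["blocked"] = rec.get("permissive") == "0"
    return rec

def summarize(lines, expected_type=EXPECTED_TYPE):
    """Group denials by (dev, ino) so records with only name= join those with path=."""
    objects = defaultdict(lambda: {"perms": set(), "comms": set(), "names": set(),
                                   "target_types": set(), "blocked": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        obj = objects[(rec["dev"], rec["ino"])]
        obj["perms"].update(rec["perms"])
        obj["comms"].add(rec["comm"])
        obj["names"].add(rec.get("path") or rec.get("name"))
        obj["target_types"].add(rec["target_type"])
        obj["blocked"] |= rec["blocked"]
    for obj in objects.values():
        # A type other than the expected one points at labeling, not missing allow rules.
        obj["mislabeled"] = obj["target_types"] != {expected_type}
    return dict(objects)

if __name__ == "__main__":
    for key, obj in summarize(AUDIT_LINES).items():
        print(key, obj)
```

Both records resolve to the same inode, so the `tar` getattr and the `snapd` unlink concern one file whose label differs from the expected one.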