multipass snap under SELinux (Fedora 28) cannot execute its own files and fails.
Summary
SELinux is preventing multipassd from execute access on the file /var/lib/snapd/snap/multipass/200/usr/sbin/dnsmasq.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow multipassd to have execute access on the dnsmasq file
Then you need to change the label on /var/lib/snapd/snap/multipass/200/usr/sbin/dnsmasq
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/snapd/snap/multipass/200/usr/sbin/dnsmasq'
where FILE_TYPE is one of the following: abrt_helper_exec_t, bin_t, ld_so_t, lib_t, mount_exec_t, prelink_exec_t, snappy_exec_t, ssh_keygen_exec_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, textrel_shlib_t, udev_exec_t.
Then execute:
restorecon -v '/var/lib/snapd/snap/multipass/200/usr/sbin/dnsmasq'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that multipassd should be allowed execute access on the dnsmasq file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'multipassd' --raw | audit2allow -M my-multipassd
# semodule -X 300 -i my-multipassd.pp
Additional Information:
Source Context system_u:system_r:snappy_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /var/lib/snapd/snap/multipass/200/usr/sbin/dnsmasq [ file ]
Source multipassd
Source Path multipassd
Port <Unknown>
Host blackred
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name blackred
Platform Linux blackred 4.16.6-302.fc28.x86_64 #1 SMP Wed May 2 00:07:06 UTC 2018 x86_64 x86_64
Alert Count 41
First Seen 2018-05-09 22:09:23 +03
Last Seen 2018-05-10 03:08:14 +03
Local ID 3f3d97db-a3b1-4b9c-82d8-52673f3a3cd3
Raw Audit Messages
type=AVC msg=audit(1525910894.712:19502): avc: denied { execute } for pid=8039 comm="multipassd" name="dnsmasq" dev="loop10" ino=914 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Hash: multipassd,snappy_t,unlabeled_t,file,execute
Is it possible to label files so that processes from the same snap can run each other?
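As an added example (not part of this report or of the multipass project), the POSIX shell script below triages raw AVC lines like the one quoted above. It pulls out the source and target types, the object class, the file name and the denied permission, and separates denials whose target type is unlabeled_t (the file carries no SELinux label, so the remedy is the relabeling setroubleshoot suggests with semanage fcontext and restorecon) from denials on a labelled target (a genuine policy gap, the audit2allow path). It also reads the permissive= field: permissive=1, as in the report, means the access was logged but not actually blocked. The first sample line is the one from the report; the second line, with its file name "example" and target type bin_t, is constructed for contrast.

```shell
#!/bin/sh
# Added example, not from the original report: triage raw SELinux AVC lines.
# A target type of unlabeled_t means the file has no label at all, so the
# fix is relabeling rather than a new policy module.

# The AVC line quoted in the report.
AVC_REPORT='type=AVC msg=audit(1525910894.712:19502): avc: denied { execute } for pid=8039 comm="multipassd" name="dnsmasq" dev="loop10" ino=914 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1'

# Constructed sample (not from the report): same domain, but the target is labelled
# and the system is enforcing.
AVC_CONSTRUCTED='type=AVC msg=audit(1525910900.001:19600): avc: denied { execute } for pid=8039 comm="multipassd" name="example" dev="loop10" ino=915 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY (scontext, tclass, name, ...) with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr -d '"' | sed -n 's/.*[[:space:]]'"$2"'=\([^ ]*\).*/\1/p'
}

# avc_perm LINE: print the denied permission(s) inside the braces, e.g. "execute".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# avc_triage LINE: print "<verdict> <source type> <target type> <class> <perm> <name> <allowed|blocked>".
# verdict is "relabel" when the target is unlabeled_t, otherwise "policy".
avc_triage() {
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    name=$(avc_field "$1" name)
    perm=$(avc_perm "$1")
    # permissive=1 means the access was logged but still allowed.
    if [ "$(avc_field "$1" permissive)" = "1" ]; then enforced=allowed; else enforced=blocked; fi
    case $ttype in
        unlabeled_t) verdict=relabel ;;
        *)           verdict=policy ;;
    esac
    printf '%s %s %s %s %s %s %s\n' "$verdict" "$stype" "$ttype" "$tclass" "$perm" "$name" "$enforced"
}

# avc_summarize: read AVC lines on stdin and count how many need relabeling vs. policy work.
avc_summarize() {
    relabel=0; policy=0
    while IFS= read -r line; do
        case $(avc_triage "$line") in
            relabel*) relabel=$((relabel + 1)) ;;
            policy*)  policy=$((policy + 1)) ;;
        esac
    done
    printf 'policy=%s relabel=%s\n' "$policy" "$relabel"
}

# Usage on the two samples (on a live system: ausearch -m AVC --raw | avc_summarize).
avc_triage "$AVC_REPORT"
printf '%s\n' "$AVC_REPORT" "$AVC_CONSTRUCTED" | avc_summarize
```

The split matters for the decision in the report: a relabel verdict points at the first setroubleshoot suggestion (fix the file context), while a policy verdict is the case where a local module built with audit2allow, or a bug report against the policy, is the appropriate next step.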