cran4linux/cran2copr

SELinux Alert when installing packages via R console on F36

Closed this issue · 5 comments

On Fedora 36 I get this SELinux alert when installing packages through install.packages().

SELinux is preventing CoprManager.py from write access on the directory fd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that CoprManager.py should be allowed write access on the fd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'CoprManager.py' --raw | audit2allow -M my-CoprManagerpy
# semodule -X 300 -i my-CoprManagerpy.pp

Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                fd [ dir ]
Source                        CoprManager.py
Source Path                   CoprManager.py
Port                          <Unknown>
Host                          fdr-ext-1
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.15-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.15-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fdr-ext-1
Platform                      Linux fdr-ext-1 5.19.11-200.fc36.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Sep 23 15:07:44 UTC 2022
                              x86_64 x86_64
Alert Count                   2
First Seen                    2022-09-26 16:19:35 CEST
Last Seen                     2022-09-28 13:36:55 CEST
Local ID                      8239e050-d1a2-40ee-af89-fb5af98db148

Raw Audit Messages
type=AVC msg=audit(1664365015.311:454): avc:  denied  { write } for  pid=18035 comm="CoprManager.py" name="fd" dev="proc" ino=210208 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: CoprManager.py,unconfined_service_t,unconfined_t,dir,write

Oh, yes, I should ship a SELinux policy in the R-CoprManager package, but it is like black magic, and I never managed to do that (I suppose you can't help with this either?).

But anyway this shouldn't be "unconfined". That's weird. Some questions:

  • Is this preventing the service from working properly or is it just an annoying warning?
  • Did you install the R-CoprManager package as indicated in the README?
  • Could you please run ls -lZ /usr/share/R/library/CoprManager/service and paste the output here?

Oh, yes, I should ship a SELinux policy in the R-CoprManager package, but it is like black magic, and I never managed to do that (I suppose you can't help with this either?).

No, this is unfortunately beyond my expertise.

  • Is this preventing the service from working properly or is it just an annoying warning?

The packages were installed and function properly as far as I can tell.

  • Did you install the R-CoprManager package as indicated in the README?

I followed the instructions from CRAN.

  • Could you please run ls -lZ /usr/share/R/library/CoprManager/service and paste the output here?
[steffen@fdr-ext-1 ~]$ ls -lZ /usr/share/R/library/CoprManager/service
total 16
drwxr-xr-x. 1 root root system_u:object_r:usr_t:s0  100 Sep 26 15:42 backend
-rw-r--r--. 1 root root system_u:object_r:usr_t:s0    0 Sep 24 09:44 bspm.excl
-rw-r--r--. 1 root root system_u:object_r:usr_t:s0    8 Sep 24 09:44 bspm.pref
-rwxr-xr-x. 1 root root system_u:object_r:usr_t:s0 4213 Sep 24 09:44 CoprManager.py
-rw-r--r--. 1 root root system_u:object_r:usr_t:s0  145 Sep 24 09:44 dbus-paths
-rw-r--r--. 1 root root system_u:object_r:usr_t:s0    0 Sep 24 09:44 nodiscover

Ok, nice, so it's working despite the warning, as expected. As a workaround, you can follow the instructions shown there, i.e.

# ausearch -c 'CoprManager.py' --raw | audit2allow -M my-CoprManagerpy
# semodule -X 300 -i my-CoprManagerpy.pp

Probably with sudo. It's completely safe. This generates an ad hoc policy, which effectively silences the warning. In the long term, I'd like to investigate this and ship a proper policy in the package, so let's keep this open.
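To see what the ausearch/audit2allow workaround above would actually load before running semodule, here is an added example (not part of this issue or of the R-CoprManager project) that parses raw AVC records like the one reported and prints the TE allow rules audit2allow would write into the .te file, merging permissions per source type, target type and class the way audit2allow does. The first sample record is the one from the report; the second (a read denial for the same domain pair) is constructed only to show the merging.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC record quoted in this issue, plus a second
# made-up record for the same domain pair to show how permissions get merged.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1664365015.311:454): avc:  denied  { write } for  pid=18035 '
    'comm="CoprManager.py" name="fd" dev="proc" ino=210208 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0',
    'type=AVC msg=audit(1664365015.312:455): avc:  denied  { read } for  pid=18035 '
    'comm="CoprManager.py" name="fd" dev="proc" ino=210208 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into its permissions, key=value fields and the two TE types."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC record (e.g. a SYSCALL line in `ausearch --raw` output)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; TE rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['enforced'] = rec.get('permissive') == '0'  # 0 = access was actually blocked
    return rec

def allow_rules(lines):
    """Merge denials per (source type, target type, class) into the TE allow rules
    that `audit2allow -M` would generate, so they can be reviewed before `semodule -i`."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        rules.append('allow %s %s:%s %s;' % (s, t, c, body))
    return rules

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AUDIT[0])
    print('%s -> %s:%s %s enforced=%s' % (rec['stype'], rec['ttype'], rec['tclass'], rec['perms'], rec['enforced']))
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

For the report's single record the output rule is `allow unconfined_service_t unconfined_t:dir write;`, which is exactly what the generated my-CoprManagerpy.te should contain and nothing more.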

This should be fixed with the latest update.

The initial fix didn't work as expected (see #24), so I've simplified the policy in caf952d (and latest update). Please let me know if you find new alerts.