SELinux Alert Browser- Colord

I seem to have an error with SELinux. This error appears to be saying :

SELinux is preventing colord from ‘getattr’ accesses on the file /var/lib/flatpak/exports/share/mime/magic.

******* Plugin catchall_labels (83.8 confidence) suggests *********************

If you want to allow colord to have getattr access on the magic file
Then you need to change the label on /var/lib/flatpak/exports/share/mime/magic

Dear @bennyisaiah, please don’t post text as screenshot. Explanation: PSA: Please don't post images of text - Unix & Linux Meta Stack Exchange

I received a similar selinux-flatpak error message just a few minutes ago. In my case, SELinux denied access to /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache and it completely froze my gnome-session. I had to switch to another VT and run kill -s USR1 <pid-of-gnome-session> to get my desktop going again. From sealert:

SELinux is preventing gnome-shell from map access on the file /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache.

*****  Plugin catchall_boolean (57.6 confidence) suggests   ******************

If you want to allow any process to mmap any file on system with attribute file_type.
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall_labels (36.2 confidence) suggests   *******************

If you want to allow gnome-shell to have map access on the icon-theme.cache file
Then you need to change the label on /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'
where FILE_TYPE is one of the following: NetworkManager_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_var_cache_t, accountsd_exec_t, acct_exec_t, admin_passwd_exec_t, aide_exec_t, alsa_exec_t, amanda_exec_t, amanda_recover_exec_t, amtu_exec_t, anacron_exec_t, apm_exec_t, audisp_exec_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, avahi_exec_t, bacula_admin_exec_t, bacula_unconfined_script_exec_t, bin_t, blueman_exec_t, bluetooth_helper_exec_t, boot_t, bootloader_exec_t, brctl_exec_t, cache_home_t, calamaris_exec_t, cardctl_exec_t, cdcc_exec_t, cdrecord_exec_t, cert_t, certmonger_unconfined_exec_t, certwatch_exec_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, colord_exec_t, config_home_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, courier_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crontab_exec_t, cupsd_config_exec_t, cvs_exec_t, cyphesis_exec_t, data_home_t, dbus_home_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, debuginfo_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, dhcpc_exec_t, disk_munin_plugin_exec_t, dmesg_exec_t, dmidecode_exec_t, etc_runtime_t, etc_t, exim_exec_t, fail2ban_client_exec_t, fetchmail_exec_t, file_context_t, firewalld_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, ftpdctl_exec_t, fusermount_exec_t, fwupd_exec_t, games_exec_t, gconf_home_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, getty_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpsd_exec_t, groupadd_exec_t, gstreamer_home_t, hostname_exec_t, httpd_passwd_exec_t, hwclock_exec_t, hwloc_dhwd_exec_t, icc_data_home_t, iceauth_exec_t, icecast_exec_t, ifconfig_exec_t, init_exec_t, install_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, irc_exec_t, irssi_exec_t, jockey_exec_t, journalctl_exec_t, kdump_exec_t, kdumpgui_exec_t, keepalived_unconfined_script_exec_t, kismet_exec_t, kmod_exec_t, kpatch_exec_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, lib_t, livecd_exec_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logwatch_exec_t, lpr_exec_t, lsmd_plugin_exec_t, lvm_exec_t, mail_munin_plugin_exec_t, mcelog_exec_t, mencoder_exec_t, mirrormanager_exec_t, mock_build_exec_t, mock_exec_t, modemmanager_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mpd_exec_t, mplayer_exec_t, mrtg_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netutils_exec_t, newrole_exec_t, nscd_var_run_t, ntpdate_exec_t, obex_exec_t, oddjob_mkhomedir_exec_t, openshift_cgroup_read_exec_t, openshift_net_read_exec_t, pads_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passwd_exec_t, passwd_file_t, pdns_control_exec_t, pinentry_exec_t, ping_exec_t, pkcs11_modules_conf_t, plymouth_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, portmap_helper_exec_t, postfix_exec_t, postfix_map_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_showq_exec_t, pppd_exec_t, prelink_exec_t, preupgrade_exec_t, procmail_exec_t, ptchown_exec_t, pulseaudio_exec_t, puppetca_exec_t, pwauth_exec_t, qemu_exec_t, qmail_tcp_env_exec_t, quota_exec_t, readahead_exec_t, realmd_exec_t, rhsmcertd_exec_t, rpm_exec_t, rpm_var_lib_t, rpmdb_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtkit_daemon_exec_t, run_init_exec_t, samba_net_exec_t, sambagui_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, showmount_exec_t, smbcontrol_exec_t, smoltclient_exec_t, snapperd_exec_t, sosreport_exec_t, spamc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, squid_cron_exec_t, src_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, sysstat_exec_t, system_conf_t, system_db_t, system_munin_plugin_exec_t, systemd_coredump_exec_t, systemd_hwdb_etc_t, systemd_passwd_agent_exec_t, systemd_systemctl_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, textrel_shlib_t, thumb_exec_t, tmpreaper_exec_t, traceroute_exec_t, tvtime_exec_t, uml_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uux_exec_t, var_log_t, virsh_exec_t, virt_qemu_ga_unconfined_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vnstat_exec_t, vpnc_exec_t, watchdog_unconfined_exec_t, webalizer_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xdm_var_lib_t, xdm_var_run_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, xsession_exec_t, zabbix_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache'


*****  Plugin catchall (7.64 confidence) suggests   **************************

If you believe that gnome-shell should be allowed map access on the icon-theme.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp


Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/flatpak/exports/share/icons/hicolor/icon-
                              theme.cache [ file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          hal9000
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-35.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-35.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hal9000
Platform                      Linux hal9000 5.10.21-200.fc33.x86_64 #1 SMP Mon
                              Mar 8 00:24:40 UTC 2021 x86_64 x86_64
Alert Count                   11
First Seen                    2021-03-18 09:22:17 CDT
Last Seen                     2021-03-18 09:22:17 CDT
Local ID                      65d37f61-dd68-4e82-aee2-cab928cb75b4

Raw Audit Messages
type=AVC msg=audit(1616077337.702:2200): avc:  denied  { map } for  pid=2577331 comm="gnome-shell" path="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" dev="zfs" ino=1487124 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: gnome-shell,xdm_t,var_lib_t,file,map

Sure no problems, I didn’t know

1 Like

It seems very irrelevant, I started to get these errors when i installed snap and the snapstore