
Collabora causing corrupt SELinux AVC denials

Open Bockeman opened this issue 5 months ago • 0 comments

Describe the Bug

I am getting floods of AVC denials like these:

May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { search } for  pid=711160 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { read } for  pid=711160 comm="admin" name="comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { open } for  pid=711160 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { getattr } for  pid=711160 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1

These denial messages are corrupt because the comm= name "admin" does not correspond to the process name of the pid=; it should be "coolwsd". Furthermore, this corrupt denial then goes on to cause an SELinux crash and coredump.

  May 17 23:15:17 vericalm systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
  May 17 23:15:18 vericalm systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
  May 17 23:15:18 vericalm audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023"
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_string: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 to sid
  May 17 23:15:18 vericalm setroubleshoot[711238]: Unable to process audit event: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1106, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    avcs.append(AVC(audit_event, record))
  May 17 23:15:18 vericalm setroubleshoot[711238]:                ~~~^^^^^^^^^^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 675, in __init__
  May 17 23:15:18 vericalm setroubleshoot[711238]:    self.derive_avc_info_from_audit_event(avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1027, in derive_avc_info_from_audit_event
  May 17 23:15:18 vericalm setroubleshoot[711238]:    raise AVCError(_("%s \n**** Invalid AVC: bad target context ****\n") % self.avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]: setroubleshoot.audit_data.AVCError: node=vericalm type=AVC msg=audit(1747520115.945:106546): avc:  denied  { search } for  pid=711160 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
  May 17 23:15:18 vericalm setroubleshoot[711238]: 
  May 17 23:15:18 vericalm setroubleshoot[711238]: **** Invalid AVC: bad target context ****
  May 17 23:15:18 vericalm setroubleshoot[711238]: During handling of the above exception, another exception occurred:
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1108, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    syslog.syslog(syslog.LOG_ERR, "%s" % e)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]: UnboundLocalError: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023"
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_string: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 to sid
  May 17 23:15:18 vericalm setroubleshoot[711238]: Unable to process audit event: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1106, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    avcs.append(AVC(audit_event, record))
  May 17 23:15:18 vericalm setroubleshoot[711238]:                ~~~^^^^^^^^^^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 675, in __init__
  May 17 23:15:18 vericalm setroubleshoot[711238]:    self.derive_avc_info_from_audit_event(avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1027, in derive_avc_info_from_audit_event
  May 17 23:15:18 vericalm setroubleshoot[711238]:    raise AVCError(_("%s \n**** Invalid AVC: bad target context ****\n") % self.avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]: setroubleshoot.audit_data.AVCError: node=vericalm type=AVC msg=audit(1747520115.945:106547): avc:  denied  { read } for  pid=711160 comm="admin" name="comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
  May 17 23:15:18 vericalm setroubleshoot[711238]: 
  May 17 23:15:18 vericalm setroubleshoot[711238]: **** Invalid AVC: bad target context ****
  May 17 23:15:18 vericalm setroubleshoot[711238]: During handling of the above exception, another exception occurred:
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1108, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    syslog.syslog(syslog.LOG_ERR, "%s" % e)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]: UnboundLocalError: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023"
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_string: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 to sid
  May 17 23:15:18 vericalm setroubleshoot[711238]: Unable to process audit event: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1106, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    avcs.append(AVC(audit_event, record))
  May 17 23:15:18 vericalm setroubleshoot[711238]:                ~~~^^^^^^^^^^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 675, in __init__
  May 17 23:15:18 vericalm setroubleshoot[711238]:    self.derive_avc_info_from_audit_event(avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1027, in derive_avc_info_from_audit_event
  May 17 23:15:18 vericalm setroubleshoot[711238]:    raise AVCError(_("%s \n**** Invalid AVC: bad target context ****\n") % self.avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]: setroubleshoot.audit_data.AVCError: node=vericalm type=AVC msg=audit(1747520115.945:106548): avc:  denied  { open } for  pid=711160 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
  May 17 23:15:18 vericalm setroubleshoot[711238]: 
  May 17 23:15:18 vericalm setroubleshoot[711238]: **** Invalid AVC: bad target context ****
  May 17 23:15:18 vericalm setroubleshoot[711238]: During handling of the above exception, another exception occurred:
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1108, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    syslog.syslog(syslog.LOG_ERR, "%s" % e)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]: UnboundLocalError: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023"
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_string: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 to sid
  May 17 23:15:18 vericalm setroubleshoot[711238]: Unable to process audit event: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1106, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    avcs.append(AVC(audit_event, record))
  May 17 23:15:18 vericalm setroubleshoot[711238]:                ~~~^^^^^^^^^^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 675, in __init__
  May 17 23:15:18 vericalm setroubleshoot[711238]:    self.derive_avc_info_from_audit_event(avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1027, in derive_avc_info_from_audit_event
  May 17 23:15:18 vericalm setroubleshoot[711238]:    raise AVCError(_("%s \n**** Invalid AVC: bad target context ****\n") % self.avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]: setroubleshoot.audit_data.AVCError: node=vericalm type=AVC msg=audit(1747520115.945:106549): avc:  denied  { getattr } for  pid=711160 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
  May 17 23:15:18 vericalm setroubleshoot[711238]: 
  May 17 23:15:18 vericalm setroubleshoot[711238]: **** Invalid AVC: bad target context ****
  May 17 23:15:18 vericalm setroubleshoot[711238]: During handling of the above exception, another exception occurred:
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1108, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    syslog.syslog(syslog.LOG_ERR, "%s" % e)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]: UnboundLocalError: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023"
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_record: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.context_from_string: could not create context structure
  May 17 23:15:18 vericalm setroubleshootd[711238]: libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 to sid
  May 17 23:15:18 vericalm setroubleshoot[711238]: Unable to process audit event: cannot access local variable 'syslog' where it is not associated with a value
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1106, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    avcs.append(AVC(audit_event, record))
  May 17 23:15:18 vericalm setroubleshoot[711238]:                ~~~^^^^^^^^^^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 675, in __init__
  May 17 23:15:18 vericalm setroubleshoot[711238]:    self.derive_avc_info_from_audit_event(avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1027, in derive_avc_info_from_audit_event
  May 17 23:15:18 vericalm setroubleshoot[711238]:    raise AVCError(_("%s \n**** Invalid AVC: bad target context ****\n") % self.avc_record)
  May 17 23:15:18 vericalm setroubleshoot[711238]: setroubleshoot.audit_data.AVCError: node=vericalm type=AVC msg=audit(1747520115.950:106550): avc:  denied  { search } for  pid=711160 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
  May 17 23:15:18 vericalm setroubleshoot[711238]: 
  May 17 23:15:18 vericalm setroubleshoot[711238]: **** Invalid AVC: bad target context ****
  May 17 23:15:18 vericalm setroubleshoot[711238]: During handling of the above exception, another exception occurred:
  May 17 23:15:18 vericalm setroubleshoot[711238]: Traceback (most recent call last):
  May 17 23:15:18 vericalm setroubleshoot[711238]:  File "/usr/lib/python3.13/site-packages/setroubleshoot/audit_data.py", line 1108, in compute_avcs
  May 17 23:15:18 vericalm setroubleshoot[711238]:    syslog.syslog(syslog.LOG_ERR, "%s" % e)
  May 17 23:15:18 vericalm setroubleshoot[711238]:    ^^^^^^
  May 17 23:15:18 vericalm setroubleshoot[711238]: UnboundLocalError: cannot access local variable 'syslog' where it is not associated with a value

More details present on Fedora Discussion.

Steps to reproduce

  1. Standard Nextcloud setup on Fedora.
  2. Ensure everything is up to date.
  3. Enable richdocuments.

Expected behavior

No AVC denials. No corrupt AVC denials.

Actual Behavior

Nextcloud Server version

31

Collabora version

Collabora Online - Built-in CODE Server 24.4.402

Screenshots Desktop or Smartphone

This is a server side issue, no applicable client side info.

Additional Context

Original Fedora discussion. Then reported as a Nextcloud server issue and possible integration issue, and also here.

Bockeman, May 29 '25 14:05
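A triage helper for a denial flood like the one quoted in this issue, added here as an example and not part of the original report or of setroubleshoot: it parses the AVC lines, collapses them to one entry per source type, target type and class, and records which /proc PID was being inspected. The function names are hypothetical; the sample input is the four journal lines quoted in the issue.

```python
import re
from collections import defaultdict

# The four journal lines quoted in the issue text, used as sample input.
SAMPLE = """\
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { search } for  pid=711160 comm="admin" name="13419" dev="proc" ino=67936 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=dir permissive=1
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { read } for  pid=711160 comm="admin" name="comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { open } for  pid=711160 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
May 17 23:40:00 vericalm audit[711160]: AVC avc:  denied  { getattr } for  pid=711160 comm="admin" path="/proc/13419/comm" dev="proc" ino=67983 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:unconfined_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=file permissive=1
""".splitlines()

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    parts += [""] * (4 - len(parts))  # tolerate contexts without an MLS field
    return tuple(parts)

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(lines):
    """Collapse a flood into one entry per (source type, target type, class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comm": set(), "proc_pids": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (split_context(rec["scontext"])[2], split_context(rec["tcontext"])[2], rec["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["comm"].add(rec["comm"])
        if rec.get("dev") == "proc":
            # Target is another process's /proc entry: record whose it is.
            pm = re.match(r"/proc/(\d+)", rec.get("path", ""))
            if pm:
                g["proc_pids"].add(pm.group(1))
            elif rec["tclass"] == "dir" and rec.get("name", "").isdigit():
                g["proc_pids"].add(rec["name"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{g['count']}x {src} -> {tgt}:{cls} {sorted(g['perms'])} "
              f"comm={sorted(g['comm'])} /proc pids={sorted(g['proc_pids'])}")
```

Run over a full journal export, the summary shows whether the flood is a single source domain walking other processes' /proc entries, which is what the four sample lines show.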