vergoh / vnstat

vnStat - a network traffic monitor for Linux and BSD
GNU General Public License v2.0

Fedora 34 SELinux issue #198

Closed theKAKAN closed 3 years ago

theKAKAN commented 3 years ago

Hello, I just installed vnstat using sudo dnf install vnstat and after trying to start it using sudo systemctl start vnstat, I constantly ran into issues, and it stopped abruptly.
After poking around for some time, it seems like the issue is with SELinux policy not allowing read access on the database file(s). Here's the log that I had:

May 03 01:28:26 [REDACTED] setroubleshoot[19529]: SELinux is preventing vnstatd from getattr access on the file /var/lib/vnstat/vnstat.db.

                                             *****  Plugin restorecon (94.8 confidence) suggests   ************************

                                             If you want to fix the label. 
                                             /var/lib/vnstat/vnstat.db default label should be vnstatd_var_lib_t.
                                             Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent di>
                                             Do
                                             # /sbin/restorecon -v /var/lib/vnstat/vnstat.db

                                             *****  Plugin catchall_labels (5.21 confidence) suggests   *******************

                                             If you want to allow vnstatd to have getattr access on the vnstat.db file
                                             Then you need to change the label on /var/lib/vnstat/vnstat.db
                                             Do
                                             # semanage fcontext -a -t FILE_TYPE '/var/lib/vnstat/vnstat.db'
                                             where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_u>
                                             Then execute:
                                             restorecon -v '/var/lib/vnstat/vnstat.db'

                                             *****  Plugin catchall (1.44 confidence) suggests   **************************

                                             If you believe that vnstatd should be allowed getattr access on the vnstat.db file by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'vnstatd' --raw | audit2allow -M my-vnstatd
                                             # semodule -X 300 -i my-vnstatd.pp

May 03 01:28:26 [REDACTED] setroubleshoot[19529]: SELinux is preventing vnstatd from getattr access on the file /var/lib/vnstat/vnstat.db. For complete SELinux messages run:>

After running:

semanage fcontext -a -t vnstatd_var_lib_t '/var/lib/vnstat/vnstat.db'
/sbin/restorecon -v /var/lib/vnstat/vnstat.db

I ran into issues with the DB's mmap access (which sounds more like an F34 issue than a vnstat one, tbh):

May 03 01:31:47 [REDACTED] setroubleshoot[19734]: SELinux is preventing vnstatd from map access on the file /var/lib/vnstat/vnstat.db-shm.

                                             *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

                                             If you want to allow domain to can mmap files
                                             Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

                                             Do
                                             setsebool -P domain_can_mmap_files 1

                                             *****  Plugin catchall (11.6 confidence) suggests   **************************

                                             If you believe that vnstatd should be allowed map access on the vnstat.db-shm file by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'vnstatd' --raw | audit2allow -M my-vnstatd
                                             # semodule -X 300 -i my-vnstatd.pp

So, running:

setsebool -P domain_can_mmap_files 1

did fix it for me.

Thank you for this wonderful tool, and do say if you need any other information.

In case it helps, I'm running stock Fedora 34 and here's some more information:

$ uname -a
Linux [REDACTED] 5.11.16-300.fc34.x86_64 #1 SMP Wed Apr 21 13:18:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

vnStat version:

$ dnf info vnstat
Last metadata expiration check: 1:06:28 ago on Monday 03 May 2021 12:41:17 AM.
Installed Packages
Name         : vnstat
Version      : 2.6
Release      : 4.fc34
Architecture : x86_64
Size         : 352 k
Source       : vnstat-2.6-4.fc34.src.rpm
Repository   : @System
From repo    : fedora
Summary      : Console-based network traffic monitor
URL          : http://humdi.net/vnstat/
License      : GPLv2
Description  : vnStat is a console-based network traffic monitor that keeps a
             : log of daily network traffic for the selected interface(s).
             : vnStat isn't a packet sniffer. The traffic information is
             : analyzed from the /proc file-system, so vnStat can be used
             : without root permissions. See the web-page for few 'screenshots'.
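
The two remediations in the report above (relabel for the getattr denial on vnstat.db, a policy change for the map denial on vnstat.db-shm), as an added shell example that is not code from vnstat, from Fedora's selinux-policy or from the reporter. It parses constructed setroubleshoot lines in the format quoted above, compares constructed `ls -Z`-style labels against the `vnstatd_var_lib_t` type the restorecon plugin names, and prints the commands setroubleshoot itself lists. One deliberate divergence from the report: a `map` denial is routed to a policy bug report rather than to `setsebool -P domain_can_mmap_files 1`, because that boolean is not specific to vnstatd (the plugin text describes it as allowing "domain", i.e. every confined domain, to mmap files), which matches the maintainer's reply below that it is a missing permission in the selinux-policy package. The helper names, the sample log lines and the sample labels are all constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not part of vnstat or Fedora's selinux-policy: triage the two
# kinds of vnstatd denial seen in the issue above. Input formats are assumed
# from the setroubleshoot lines quoted on this page and from `ls -Z` output.

# Type the setroubleshoot "restorecon" plugin names as the default label for
# /var/lib/vnstat/vnstat.db (from Fedora's vnstatd policy module).
EXPECTED_TYPE="vnstatd_var_lib_t"

# classify_denial (hypothetical helper): read setroubleshoot-style lines on
# stdin, print "<perm>\t<path>\t<verdict>" for each vnstatd file denial.
#   relabel - file-access permission (getattr/read/open/...): usually a wrong
#             label; check it, then restorecon.
#   policy  - map (mmap) denial: a permission the vnstatd module lacks. The
#             catchall_boolean suggestion, domain_can_mmap_files, applies to
#             every confined domain, so treat this as a policy bug instead.
classify_denial() {
    while IFS= read -r line; do
        case "$line" in
            *"is preventing vnstatd from "*" access on the file "*) ;;
            *) continue ;;
        esac
        perm=${line#*"is preventing vnstatd from "}
        perm=${perm%%" access on the file "*}
        path=${line#*"access on the file "}
        path=${path%% *}        # drop trailing text (" For complete ...")
        path=${path%.}          # drop the sentence's final period
        case "$perm" in
            map)                          verdict=policy ;;
            getattr|read|open|write|lock) verdict=relabel ;;
            *)                            verdict=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$perm" "$path" "$verdict"
    done
}

# check_labels (hypothetical helper): read "<context> <path>" lines (the shape
# of `ls -Z` output) on stdin, print "<path>\t<type>" for files whose SELinux
# type is not EXPECTED_TYPE. These are the files restorecon would change.
check_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        ftype=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$ftype" = "$EXPECTED_TYPE" ] || printf '%s\t%s\n' "$path" "$ftype"
    done
}

# remediation: print the command that matches a verdict for a given path.
# The commands are the ones setroubleshoot itself lists on this page.
remediation() {
    case "$1" in
        relabel) printf 'restorecon -v %s\n' "$2" ;;
        policy)  printf "ausearch -c 'vnstatd' --raw | audit2allow -M my-vnstatd  # then report to selinux-policy\n" ;;
        *)       printf 'inspect manually: %s\n' "$2" ;;
    esac
}

# Constructed sample input mirroring the messages in the report above
# (hostnames, PIDs and the sshd line are made up; the sshd line must be skipped).
SAMPLE_DENIALS='May 03 01:28:26 host setroubleshoot[19529]: SELinux is preventing vnstatd from getattr access on the file /var/lib/vnstat/vnstat.db.
May 03 01:31:47 host setroubleshoot[19734]: SELinux is preventing vnstatd from map access on the file /var/lib/vnstat/vnstat.db-shm. For complete SELinux messages run:
May 03 01:31:50 host setroubleshoot[19734]: SELinux is preventing sshd from name_bind access on the tcp_socket port 2222.'

# Constructed `ls -Z`-style output: the main database carries the generic
# var_lib_t type (mislabelled), the -shm sidecar already has the right one.
SAMPLE_LABELS='system_u:object_r:var_lib_t:s0 /var/lib/vnstat/vnstat.db
system_u:object_r:vnstatd_var_lib_t:s0 /var/lib/vnstat/vnstat.db-shm'

# Walk the constructed denials and print the matching remediation for each.
printf '%s\n' "$SAMPLE_DENIALS" | classify_denial | while IFS="$(printf '\t')" read -r perm path verdict; do
    printf '%s on %s -> %s: ' "$perm" "$path" "$verdict"
    remediation "$verdict" "$path"
done

# Files whose label differs from the expected type (candidates for restorecon).
printf '%s\n' "$SAMPLE_LABELS" | check_labels
```

On a live Fedora host the same functions take real input: `journalctl -u setroubleshoot | classify_denial` and `ls -Z /var/lib/vnstat/* | check_labels`. Running `check_labels` first is the cheap check that the relabel verdict is right: if every file already carries `vnstatd_var_lib_t`, restorecon will change nothing and the denial is a policy gap, not a labelling problem.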
cgzones commented 3 years ago

The SELinux policy is not part of vnstat, it is part of the Fedora package selinux-policy, see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/vnstatd.te.

The first issue seems to be a wrong file context issue, which should have been resolved by running restorecon. The second issue looks like a missing permission, please report a bug to the Fedora package selinux-policy.

theKAKAN commented 3 years ago

I... didn't know about that. Sorry. And thanks for the help; I just cross-posted it to selinux-policy as a new issue. Thank you.