Bug 1022567

Summary: avc denied: systemd-tmpfile, systemd-readhahe, console-kit-dae, sulogin
Product: [Fedora] Fedora Reporter: Pavel Sedlák <psedlak>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, lvrabec, mgrepl, psedlak
Target Milestone: ---Flags: mgrepl: needinfo? (psedlak)
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-22 12:32:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Pavel Sedlák 2013-10-23 14:32:50 UTC 
Description of problem:
After upgrade from F18 to F20 I've gathered few interesting denied entries in audit.log.

I was running with SELinux disabled, then switched to permissive and relabeled (after reboot) - from that the first lines (systemd-tmpfile) probably.

Other denials appeared during few days of usage and because of permissive I'm not sure what they would/could really break.

> type=AVC msg=audit(1382389290.662:9): avc:  denied  { setattr } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:10): avc:  denied  { relabelfrom } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:11): avc:  denied  { relabelto } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.950:17): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/dev/initctl" dev="devtmpfs" ino=11280 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
> type=AVC msg=audit(1382389290.950:18): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/proc/kcore" dev="proc" ino=4026532044 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> type=AVC msg=audit(1382392266.078:29): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392266.078:30): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392288.000:720): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382392292.537:726): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392292.537:727): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382468137.663:1724): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382477977.881:1881): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382491020.367:2134): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file


Version-Release number of selected component (if applicable):

libselinux.i686                          2.1.13-19.fc20                  @System
libselinux.x86_64                        2.1.13-19.fc20                  @System
libselinux-devel.x86_64                  2.1.13-19.fc20                  @System
libselinux-python.x86_64                 2.1.13-19.fc20                  @System
libselinux-ruby.x86_64                   2.1.13-19.fc20                  @System
libselinux-utils.x86_64                  2.1.13-19.fc20                  @System
selinux-policy.noarch                    3.12.1-75.fc20                  @System
selinux-policy-targeted.noarch           3.12.1-75.fc20                  @System

systemd.x86_64                           208-2.fc20                      @System
ConsoleKit.x86_64                        0.4.5-7.fc20                    @System
util-linux.x86_64                        2.24-0.1.fc20                   @System



Sorry if it's an issue that I put it in one general bug, not sure how avc denials should be reported properly.
Comment 1 Miroslav Grepl 2013-10-24 13:25:59 UTC 
Pavel,
could you try to update to the latest policy?