Bug 1076861
Summary: | SELinux is preventing /usr/lib/systemd/systemd-logind from 'read' accesses on the directory . | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Luya Tshimbalanga <luya> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | high | ||
Version: | rawhide | CC: | awilliam, dominick.grift, dwalsh, ignatenko, jones.peter.busi, joshua.ryan.escamilla, lvrabec, mgrepl, moez.roy, nicolas.mailhot |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:9691fef6c8c4ea643ce41befa620cadddf832ee84d9d5aaf442184c87637828c | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-12-11 21:12:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Luya Tshimbalanga
2014-03-15 20:48:43 UTC
Description of problem: booted system Additional info: reporter: libreport-2.2.0 hashmarkername: setroubleshoot kernel: 3.14.0-0.rc6.git3.1.fc21.x86_64 type: libreport I can't see gdm after update systemd and reboot. After allowing this things - it works again. as I know - it fixed in upstream, but not packaged in Fedora. https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=4b70caa31bd37c443ac42520c73a9784b1210f25 *** Bug 1076862 has been marked as a duplicate of this bug. *** Description of problem: on rawhide Additional info: reporter: libreport-2.2.0 hashmarkername: setroubleshoot kernel: 3.14.0-0.rc6.git4.1.fc21.x86_64 type: libreport http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/37.fc21/noarch/selinux-policy-3.13.1-37.fc21.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/37.fc21/noarch/selinux-policy-targeted-3.13.1-37.fc21.noarch.rpm I'm still seeing three of these, on trying to log in from GDM to GNOME, with selinux-policy 3.13.1-38. Login fails. SELinux is preventing /usr/lib/systemd/systemd-logind from read access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed read access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ dir ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host (removed) Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux adam.happyassassin.net 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 36 First Seen 2014-03-13 19:01:01 PDT Last Seen 2014-03-17 13:16:12 PDT Local ID 3149aabb-7733-488e-9825-02700dbe3a24 Raw Audit Messages type=AVC msg=audit(1395087372.437:605): avc: denied { read } for pid=919 comm="systemd-logind" name="/" dev="tmpfs" ino=22732 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir type=SYSCALL msg=audit(1395087372.437:605): arch=x86_64 syscall=open success=yes exit=EISDIR a0=7fe1cc80b420 a1=f0800 a2=0 a3=fffffffffffff5b8 items=0 ppid=1 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,dir,read SELinux is preventing /usr/lib/systemd/systemd-logind from unlink access on the sock_file . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed unlink access on the sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ sock_file ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host adam.happyassassin.net Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name adam.happyassassin.net Platform Linux adam.happyassassin.net 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 4 First Seen 2014-03-14 09:00:45 PDT Last Seen 2014-03-17 13:16:12 PDT Local ID 41816437-c178-4979-a713-c18a93cb5adc Raw Audit Messages type=AVC msg=audit(1395087372.438:607): avc: denied { unlink } for pid=919 comm="systemd-logind" name="private" dev="tmpfs" ino=23806 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file type=SYSCALL msg=audit(1395087372.438:607): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=17 a1=7fe1cc81ef93 a2=0 a3=0 items=0 ppid=1 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,sock_file,unlink SELinux is preventing /usr/lib/systemd/systemd-logind from rmdir access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed rmdir access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ dir ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host adam.happyassassin.net Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name adam.happyassassin.net Platform Linux adam.happyassassin.net 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 34 First Seen 2014-03-13 19:01:01 PDT Last Seen 2014-03-17 13:16:12 PDT Local ID 18874852-8601-4ec6-aa32-83ac8505d775 Raw Audit Messages type=AVC msg=audit(1395087372.438:608): avc: denied { rmdir } for pid=919 comm="systemd-logind" name="systemd" dev="tmpfs" ino=23797 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir type=SYSCALL msg=audit(1395087372.438:608): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=15 a1=7fe1cc816fb3 a2=200 a3=0 items=0 ppid=1 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,dir,rmdir Hum, actually, those aren't from a boot with -38. Logging in from GDM to GNOME, even with -38, still definitely fails for me in enforcing mode, only works in permissive...but I can't find any AVCs that look relevant. The only AVCs I have are for tumblerd , and are the good old fifo_file one: happyassassin.net type=AVC msg=audit(1395088376.092:603): avc: denied { write } for pid=3240 comm="tumblerd" path="/run/systemd/sessions/1.ref" dev="tmpfs" ino=27575 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file is that likely to be preventing GNOME from working? No. Did you check user_avc? What is state of this bug? |