Bug 1222157
| Summary: | SELinux is preventing systemd-logind from 'getattr' accesses on the file /dev/shm/lttng-ust-wait-5. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Juan Orti <jorti> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 23 | CC: | adalsaady, albin, dominick.grift, dwalsh, error, fedoraproject, jeff.raber, jorti, kmoriwak, kparal, krzysztofbti, lvrabec, mahmudulhaque, marco.gremo, martinojones_2009, mawcin, mcatanzaro+wrong-account-do-not-cc, mgrepl, omer666ster, plautrba, richkmeli, wolfgang.rupprecht |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:06792b7dfe1e4a2cbe2df37302584160c95d92af7b2ddea1cd15995142e70f2b | | |
| Fixed In Version: | selinux-policy-3.13.1-158.7.fc23 selinux-policy-3.13.1-158.9.fc23 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-05 06:22:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Did you set up lttng?

I don't know what that thing is. It's probably related to #1221945, which I'm also experiencing while using virtual machines.

Yes I see it now what's going on here. We need to add SELinux support for lttng-sessiond which creates
-rw-rw-r--. 1 root root system_u:object_r:tmpfs_t:s0 4096 May 18 11:44 lttng-ust-wait-5

Description of problem:
F22 installation, created a new user, happened shortly after logging in.
Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch
Additional info:
reporter: libreport-2.5.1
hashmarkername: setroubleshoot
kernel: 4.0.3-300.fc22.x86_64
type: libreport

Description of problem:
ssh from the virtual machine to host
Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch
Additional info:
reporter: libreport-2.5.1
hashmarkername: setroubleshoot
kernel: 4.0.4-301.fc22.x86_64
type: libreport

*** This bug has been marked as a duplicate of bug 1278662 ***

Description of problem:
gnome-session breaks whenever I attempt to log out. I think it's triggered by SELinux breaking logind.
* If an application (say, gedit with any unsaved text) has an inhibitor, nothing will happen after selecting log out. About a minute later, some timeout will expire and I will then get logged out.
* If no session inhibitor exists, logout works immediately.
After that, it's no longer possible to log in, because gdm doesn't have permission to open /dev/tty2. I figure gnome-session was probably supposed to release something, but didn't get around to it, because it broke.
There's definitely a gnome-session bug here:
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:11 victory-road gnome-session-binary[2206]: Entering running state
Unfortunately, when I turn on fatal-criticals, the backtrace is mostly useless:
Dec 27 17:14:52 victory-road systemd-coredump[2983]: Process 2219 (gnome-session-b) of user 1000 dumped core.
Stack trace of thread 2219:
#0 0x00007fa1c6f8e81b _g_log_abort (libglib-2.0.so.0)
#1 0x00007fa1c6f8e98f g_log (libglib-2.0.so.0)
#2 0x00007fa1c6f84938 g_source_callback_unref (libglib-2.0.so.0)
#3 0x00007fa1c6f860f6 g_source_destroy_internal (libglib-2.0.so.0)
#4 0x00007fa1c6f87ed0 g_main_dispatch (libglib-2.0.so.0)
#5 0x00007fa1c6f881d0 g_main_context_iterate (libglib-2.0.so.0)
#6 0x00007fa1c6f884f2 g_main_loop_run (libglib-2.0.so.0)
#7 0x000055c797ec673b main (gnome-session-binary)
#8 0x00007fa1c6b9d580 __libc_start_main (libc.so.6)
#9 0x000055c797ec6ab9 _start (gnome-session-binary)
But this is an SELinux bug report, so let's not worry more about gnome-session here, but rather the SELinux bug that I suspect is exposing the gnome-session bug. Here's what I see in my journal when logging out, which is clearly an SELinux-related issue:
Dec 27 17:14:50 victory-road systemd-logind[1052]: Removed session 1.
Dec 27 17:14:50 victory-road systemd[1]: Stopping User Manager for UID 1000...
Dec 27 17:14:50 victory-road audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 ho
Dec 27 17:14:50 victory-road audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 ho
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Default.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Default.
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Basic System.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Basic System.
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Sockets.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Sockets.
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Paths.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Paths.
Dec 27 17:14:50 victory-road systemd[2010]: Reached target Shutdown.
Dec 27 17:14:50 victory-road systemd[2010]: Starting Shutdown.
Dec 27 17:14:50 victory-road systemd[2010]: Starting Exit the Session...
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Timers.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Timers.
Dec 27 17:14:50 victory-road systemd[2010]: Received SIGRTMIN+24 from PID 3075 (kill).
Dec 27 17:14:50 victory-road systemd[2015]: pam_unix(systemd-user:session): session closed for user mcatanzaro
Dec 27 17:14:50 victory-road systemd[1]: Stopped User Manager for UID 1000.
Dec 27 17:14:50 victory-road audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
Dec 27 17:14:50 victory-road systemd[1]: Removed slice user-1000.slice.
Dec 27 17:14:50 victory-road audit[1052]: AVC avc: denied { getattr } for pid=1052 comm="systemd-logind" path="/dev/shm/lldpad.state" dev="tmpfs" ino=15450 scontext=system_u:system_r:systemd_logind_t:s0 tcont
Dec 27 17:14:50 victory-road systemd[1]: Stopping user-1000.slice.
Dec 27 17:14:50 victory-road systemd-logind[1052]: Failed to stat() POSIX shared memory segment lldpad.state: Permission denied
Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch
Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.8-300.fc23.x86_64
type: libreport

Description of problem:
It happens whenever I try to log in just after logging out from my own or any other user's graphical session.
Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch
Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.8-300.fc23.x86_64
type: libreport

Description of problem:
tried to auto-relabel with touch /.relabel
Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.3.4-300.fc23.x86_64
type: libreport

*** Bug 1305984 has been marked as a duplicate of this bug. ***

*** Bug 1306993 has been marked as a duplicate of this bug. ***

Added to rawhide.
https://github.com/fedora-selinux/selinux-policy/commit/153cf86f9212cf84950b7ab502dc3738a8d25198

selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

*** Bug 1312658 has been marked as a duplicate of this bug. ***

Description of problem:
this happened after a reboot with no user intervention.
Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.2-301.fc23.x86_64
type: libreport

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
/dev/shm/lldpad.state is bad labeled on each boot
Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch
Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.7-300.fc23.x86_64
type: libreport

*** Bug 1331234 has been marked as a duplicate of this bug. ***

*** Bug 1333474 has been marked as a duplicate of this bug. ***

*** Bug 1338959 has been marked as a duplicate of this bug. ***

*** Bug 1340597 has been marked as a duplicate of this bug. ***

Description of problem:
SELinux is preventing systemd-logind from 'getattr' accesses on the file /dev/shm/lttng-ust-wait-5.

***** Plugin catchall (100. confidence) suggests **************************

If cree que de manera predeterminada, systemd-logind debería permitir acceso getattr sobre lttng-ust-wait-5 file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/lttng-ust-wait-5 [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.3-300.fc22.x86_64 #1 SMP Wed May 13 18:43:52 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-15 23:10:48 CEST
Last Seen                     2015-05-15 23:10:48 CEST
Local ID                      36203268-1b83-4e79-8efb-b239120ffb5e

Raw Audit Messages
type=AVC msg=audit(1431724248.950:1003): avc: denied { getattr } for pid=768 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=25832 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

Hash: systemd-logind,systemd_logind_t,tmpfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter: libreport-2.5.1
hashmarkername: setroubleshoot
kernel: 4.0.3-300.fc22.x86_64
type: libreport

Potential duplicate: bug 1190461
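
An added triage example, not part of the original report and not setroubleshoot's own code: it parses the AVC denials quoted in this bug, groups them by the same comm, source type, target type, class, permission tuple shown in the report's "Hash:" line, and sets aside records too truncated to classify, such as the journal line for /dev/shm/lldpad.state. The function names and the comma-joined signature format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Both records are copied from this bug report. The second is the journal line
# exactly as it appears on the page, cut off in the middle of "tcontext".
FULL = ('type=AVC msg=audit(1431724248.950:1003): avc: denied { getattr } for pid=768 '
        'comm="systemd-logind" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=25832 '
        'scontext=system_u:system_r:systemd_logind_t:s0 '
        'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0')
TRUNCATED = ('audit[1052]: AVC avc: denied { getattr } for pid=1052 comm="systemd-logind" '
             'path="/dev/shm/lldpad.state" dev="tmpfs" ino=15450 '
             'scontext=system_u:system_r:systemd_logind_t:s0 tcont')

DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's key=value fields plus 'perms', or None if not an AVC denial."""
    m = DENIED.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec['perms'] = m.group(1).split()
    return rec

def sel_type(context):
    """Type field of user:role:type[:level]; None when the context is missing or cut short."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 and parts[2] else None

def signatures(rec):
    """One comm,source_type,target_type,class,perm string per permission; [] if incomplete."""
    key = [rec.get('comm'), sel_type(rec.get('scontext')),
           sel_type(rec.get('tcontext')), rec.get('tclass')]
    if None in key:  # tclass follows tcontext, so any truncation leaves a gap here
        return []
    return [','.join(key + [p]) for p in rec['perms']]

def triage(lines):
    """Group denied paths by signature; collect denials too truncated to classify."""
    groups, incomplete = defaultdict(list), []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        sigs = signatures(rec)
        if not sigs:
            incomplete.append(rec.get('path'))
        for sig in sigs:
            groups[sig].append(rec.get('path'))
    return dict(groups), incomplete

if __name__ == '__main__':
    print(triage([FULL, TRUNCATED, 'systemd[1]: Stopping user-1000.slice.']))
```

Paths reported as incomplete need their full record read back from the audit log before they can be compared with an existing signature or fed to audit2allow.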