Bug 1222157
Summary: | SELinux is preventing systemd-logind from 'getattr' accesses on the file /dev/shm/lttng-ust-wait-5. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Juan Orti <jorti> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 23 | CC: | adalsaady, albin, dominick.grift, dwalsh, error, fedoraproject, jeff.raber, jorti, kmoriwak, kparal, krzysztofbti, lvrabec, mahmudulhaque, marco.gremo, martinojones_2009, mawcin, mcatanzaro+wrong-account-do-not-cc, mgrepl, omer666ster, plautrba, richkmeli, wolfgang.rupprecht |
Target Milestone: | --- | Keywords: | Reopened |
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:06792b7dfe1e4a2cbe2df37302584160c95d92af7b2ddea1cd15995142e70f2b | ||
Fixed In Version: | selinux-policy-3.13.1-158.7.fc23 selinux-policy-3.13.1-158.9.fc23 | Doc Type: | Bug Fix |
Last Closed: | 2016-03-05 06:22:24 UTC | Type: | --- |
Description
Juan Orti
2015-05-15 22:19:52 UTC
Did you set up lttng?

I don't know what that thing is. It's probably related to #1221945, which I'm also experiencing while using virtual machines.

Yes, I see now what's going on here. We need to add SELinux support for lttng-sessiond which creates

    -rw-rw-r--. 1 root root system_u:object_r:tmpfs_t:s0 4096 May 18 11:44 lttng-ust-wait-5

Description of problem:
F22 installation, created a new user, happened shortly after logging in.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter: libreport-2.5.1
hashmarkername: setroubleshoot
kernel: 4.0.3-300.fc22.x86_64
type: libreport

Description of problem:
ssh from the virtual machine to host

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter: libreport-2.5.1
hashmarkername: setroubleshoot
kernel: 4.0.4-301.fc22.x86_64
type: libreport

*** This bug has been marked as a duplicate of bug 1278662 ***

Description of problem:
gnome-session breaks whenever I attempt to log out. I think it's triggered by SELinux breaking logind.

* If an application (say, gedit with any unsaved text) has an inhibitor, nothing will happen after selecting log out. About a minute later, some timeout will expire and I will then get logged out.
* If no session inhibitor exists, logout works immediately. After that, it's no longer possible to log in, because gdm doesn't have permission to open /dev/tty2. I figure gnome-session was probably supposed to release something, but didn't get around to it, because it broke.

There's definitely a gnome-session bug here:

    Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
    Dec 27 13:06:11 victory-road gnome-session-binary[2206]: Entering running state

Unfortunately, when I turn on fatal-criticals, the backtrace is mostly useless:

    Dec 27 17:14:52 victory-road systemd-coredump[2983]: Process 2219 (gnome-session-b) of user 1000 dumped core.

    Stack trace of thread 2219:
    #0 0x00007fa1c6f8e81b _g_log_abort (libglib-2.0.so.0)
    #1 0x00007fa1c6f8e98f g_log (libglib-2.0.so.0)
    #2 0x00007fa1c6f84938 g_source_callback_unref (libglib-2.0.so.0)
    #3 0x00007fa1c6f860f6 g_source_destroy_internal (libglib-2.0.so.0)
    #4 0x00007fa1c6f87ed0 g_main_dispatch (libglib-2.0.so.0)
    #5 0x00007fa1c6f881d0 g_main_context_iterate (libglib-2.0.so.0)
    #6 0x00007fa1c6f884f2 g_main_loop_run (libglib-2.0.so.0)
    #7 0x000055c797ec673b main (gnome-session-binary)
    #8 0x00007fa1c6b9d580 __libc_start_main (libc.so.6)
    #9 0x000055c797ec6ab9 _start (gnome-session-binary)

But this is an SELinux bug report, so let's not worry more about gnome-session here, but rather the SELinux bug that I suspect is exposing the gnome-session bug. Here's what I see in my journal when logging out, which is clearly an SELinux-related issue:

    Dec 27 17:14:50 victory-road systemd-logind[1052]: Removed session 1.
    Dec 27 17:14:50 victory-road systemd[1]: Stopping User Manager for UID 1000...
    Dec 27 17:14:50 victory-road audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 ho
    Dec 27 17:14:50 victory-road audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 ho
    Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Default.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopping Default.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Basic System.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopping Basic System.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Sockets.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopping Sockets.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Paths.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopping Paths.
    Dec 27 17:14:50 victory-road systemd[2010]: Reached target Shutdown.
    Dec 27 17:14:50 victory-road systemd[2010]: Starting Shutdown.
    Dec 27 17:14:50 victory-road systemd[2010]: Starting Exit the Session...
    Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Timers.
    Dec 27 17:14:50 victory-road systemd[2010]: Stopping Timers.
    Dec 27 17:14:50 victory-road systemd[2010]: Received SIGRTMIN+24 from PID 3075 (kill).
    Dec 27 17:14:50 victory-road systemd[2015]: pam_unix(systemd-user:session): session closed for user mcatanzaro
    Dec 27 17:14:50 victory-road systemd[1]: Stopped User Manager for UID 1000.
    Dec 27 17:14:50 victory-road audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
    Dec 27 17:14:50 victory-road systemd[1]: Removed slice user-1000.slice.
    Dec 27 17:14:50 victory-road audit[1052]: AVC avc: denied { getattr } for pid=1052 comm="systemd-logind" path="/dev/shm/lldpad.state" dev="tmpfs" ino=15450 scontext=system_u:system_r:systemd_logind_t:s0 tcont
    Dec 27 17:14:50 victory-road systemd[1]: Stopping user-1000.slice.
    Dec 27 17:14:50 victory-road systemd-logind[1052]: Failed to stat() POSIX shared memory segment lldpad.state: Permission denied

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.8-300.fc23.x86_64
type: libreport

Description of problem:
It happens whenever I try to log in just after logging out from my own or any other user's graphical session.

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.8-300.fc23.x86_64
type: libreport

Description of problem:
tried to auto-relabel with touch /.relabel

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.3.4-300.fc23.x86_64
type: libreport

*** Bug 1305984 has been marked as a duplicate of this bug. ***

*** Bug 1306993 has been marked as a duplicate of this bug. ***

Added to rawhide.
https://github.com/fedora-selinux/selinux-policy/commit/153cf86f9212cf84950b7ab502dc3738a8d25198

selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

*** Bug 1312658 has been marked as a duplicate of this bug. ***

Description of problem:
this happened after a reboot with no user intervention.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.2-301.fc23.x86_64
type: libreport

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
/dev/shm/lldpad.state is badly labeled on each boot

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.7-300.fc23.x86_64
type: libreport

*** Bug 1331234 has been marked as a duplicate of this bug. ***

*** Bug 1333474 has been marked as a duplicate of this bug. ***

*** Bug 1338959 has been marked as a duplicate of this bug. ***

*** Bug 1340597 has been marked as a duplicate of this bug. ***
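
The reports above show the same denial for different shared-memory files (lttng-ust-wait-5, lldpad.state), with journal lines cut off before `tcontext`. The following triage sketch is an added example, not code from this report or from selinux-policy: it groups systemd-logind denials on /dev/shm by file and tolerates truncated lines. It assumes contexts carry an MLS level (`:s0`) as on this page; the sample lines other than the quoted lldpad.state denial are constructed, and `example_t` is a hypothetical type.

```python
import re
from collections import Counter

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _fields(text):
    """key=value pairs; a quoted value with no closing quote was cut off, so drop it."""
    out = {}
    for key, val in FIELD_RE.findall(text):
        if val.startswith('"'):
            if len(val) < 2 or not val.endswith('"'):
                continue
            val = val[1:-1]
        out[key] = val
    return out

def _type_of(context):
    """SELinux type from user:role:type:level; None if the level is missing (truncated)."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 4 and parts[3] else None

def parse_avc(line):
    """Return a dict for one kernel AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = _fields(m.group('rest'))
    return {'perms': m.group('perms').split(), 'comm': f.get('comm'),
            'path': f.get('path'), 'tclass': f.get('tclass'),
            'stype': _type_of(f.get('scontext')), 'ttype': _type_of(f.get('tcontext'))}

def shm_denials(lines, source_type='systemd_logind_t'):
    """Count denials for source_type on /dev/shm files by (path, target type, perm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        path = rec['path'] or ''
        if rec['stype'] != source_type or not path.startswith('/dev/shm/'):
            continue
        for perm in rec['perms']:
            counts[(path, rec['ttype'] or 'truncated', perm)] += 1
    return counts

# Constructed sample input; only the second entry is quoted from this report (truncated there).
_SRC = 'scontext=system_u:system_r:systemd_logind_t:s0'
_TGT = 'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file'
SAMPLE = [
    'AVC avc:  denied  { getattr } for  pid=1052 comm="systemd-logind" '
    'path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=1 ' + _SRC + ' ' + _TGT,
    'AVC avc: denied { getattr } for pid=1052 comm="systemd-logind" '
    'path="/dev/shm/lldpad.state" dev="tmpfs" ino=15450 ' + _SRC + ' tcont',
    "USER_AVC pid=1 uid=0 msg='Unknown permission stop for class system",
    'AVC avc:  denied  { read } for  pid=900 comm="example" path="/dev/shm/x" '
    'scontext=system_u:system_r:example_t:s0 ' + _TGT,
]
```

A target type of `tmpfs_t` in the result marks a file created in /dev/shm by a daemon with no type transition in policy, which is the case this bug describes for lttng-sessiond.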