Bug 1268520
| Summary: | selinux is blocking essentially all systemctl actions | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andy Lutomirski <luto> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | dwalsh, rlpowell |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-10-04 18:04:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I think systemctl daemon-reexec Fixes this problem. This is a known issue which is being worked on. In case it helps: I hit this by updating from 3.13.1-128.6.fc22 to 3.13.1-128.13.fc22 This just happened to my laptop, and systemctl daemon-reexec fixed it for me. Oh, yes, I can confirm the workaround as well. Yes, this is known issue and we have this workaround in the policy update. It is a part of selinux-policy-3.13.1-128.16.fc22 so you would also update your system. |
My log is full of junk like this: audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/firewalld.service" cmdline="systemctl status firewalld" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' This is manifestly bogus. uid 0 with type unconfined_t should *not* be denied access to systemd. This is Fedora 22, fully up-to-date. # rpm -qa \*selinux\* \*polkit\* \*Policy\* \*dbus\* python3-dbus-1.2.0-7.fc22.x86_64 libselinux-python3-2.3-10.fc22.x86_64 dbus-1.8.20-1.fc22.x86_64 selinux-policy-targeted-3.13.1-128.13.fc22.noarch polkit-0.113-4.fc22.x86_64 qt-qdbusviewer-4.8.6-30.fc22.x86_64 libselinux-devel-2.3-10.fc22.x86_64 dbusmenu-qt-0.9.3-0.10.20150604.fc22.x86_64 polkit-qt-0.112.0-3.fc22.x86_64 rpm-plugin-selinux-4.12.0.1-12.fc22.x86_64 polkit-docs-0.113-4.fc22.noarch selinux-policy-doc-3.13.1-128.13.fc22.noarch selinux-policy-devel-3.13.1-128.13.fc22.noarch libselinux-debuginfo-2.2.1-6.fc20.x86_64 polkit-qt5-1-0.112.0-3.fc22.x86_64 libselinux-2.3-10.fc22.x86_64 python3-slip-dbus-0.6.4-1.fc22.noarch abrt-dbus-2.6.1-5.fc22.x86_64 dbus-devel-1.8.20-1.fc22.x86_64 dbus-x11-1.8.20-1.fc22.x86_64 selinux-policy-3.13.1-128.13.fc22.noarch polkit-devel-0.113-4.fc22.x86_64 libselinux-python-2.3-10.fc22.x86_64 libselinux-2.3-10.fc22.i686 dbus-glib-devel-0.104-1.fc22.x86_64 libdbusmenu-12.10.2-8.fc22.x86_64 dbus-libs-1.8.20-1.fc22.i686 dbusmenu-qt5-0.9.3-0.10.20150604.fc22.x86_64 libdbusmenu-gtk3-12.10.2-8.fc22.x86_64 kf5-kdbusaddons-5.13.0-1.fc22.x86_64 dbus-glib-0.104-1.fc22.x86_64 polkit-gnome-0.105-7.fc22.x86_64 libselinux-utils-2.3-10.fc22.x86_64 dbus-python-1.2.0-7.fc22.x86_64 dleyna-connector-dbus-0.2.0-4.fc22.x86_64 python-slip-dbus-0.6.4-1.fc22.noarch dbus-libs-1.8.20-1.fc22.x86_64 polkit-pkla-compat-0.1-5.fc22.x86_64 polkit-libs-0.113-4.fc22.x86_64 selinux-policy-sandbox-3.13.1-128.13.fc22.noarch audit2why says: type=USER_AVC msg=audit(1443831631.319:2498): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/firewalld.service" cmdline="systemctl status firewalld" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. which suggests that something is rather broken internally. I haven't done anything explicit to my selinux setup except to setenforce 0 briefly so I could actually use my system.