Bug 1288822
Summary: | SELinux is preventing /usr/lib/systemd/systemd-logind from 'getattr' accesses on the file /dev/shm/lldpad.state. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Frank Büttner <bugzilla> |
Component: | systemd | Assignee: | systemd-maint |
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 22 | CC: | bocketb, dominick.grift, dracut-maint-list, dwalsh, fedora, gannas, ger.sultanov, harald, jax6, jlayton, johannbg, jonathan, jones.peter.busi, lnykryn, luis, lvrabec, mgrepl, msekleta, mstuff, muadda, plautrba, redhat, s, systemd-maint, wilf, zbyszek |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:06792b7dfe1e4a2cbe2df37302584160c95d92af7b2ddea1cd15995142e70f2b;VARIANT_ID=workstation; | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-07-19 20:24:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Frank Büttner
2015-12-06 10:01:20 UTC
Hi, Please, use: #restorecon -v /dev/shm/lldpad.state To fix this issue. I tried to reproduce this issue, and after lldpad service start it's created "/dev/shm/lldpad.state" with right label: "lldpad_tmpfs_t" on my F22. [fedora@fedora ~]$ sesearch -A -s systemd_logind_t -t lldpad_tmpfs_t Found 1 semantic av rules: allow systemd_logind_t tmpfsfile : file { getattr unlink } ; [fedora@fedora ~]$ rpm -q selinux-policy selinux-policy-3.13.1-128.21.fc22.noarch Closing for now, please re-open if you find some troubles. Thank you. This will not work. ll -Z /dev/shm/lldpad.state -rw-------. 1 root root system_u:object_r:tmpfs_t:s0 4096 8. Dez 09:09 /dev/shm/lldpad.state restorecon -v /dev/shm/lldpad.state restorecon: Warning no default label for /dev/shm/lldpad.state rpm -q selinux-policy selinux-policy-3.13.1-128.21.fc22.noarch Coudl you attach output of: # matchpathcon /dev/shm/lldpad.state # sesearch -A -s systemd_logind_t -t tmpfsfile # ps -efZ | grep lldpad Thank you. Hello, here the needed informations: matchpathcon /dev/shm/lldpad.state /dev/shm/lldpad.state <<none>> sesearch -A -s systemd_logind_t -t tmpfsfile Found 3 semantic av rules: allow daemon user_tmp_t : file { getattr append } ; allow systemd_logind_t user_tmp_t : dir { getattr mounton search open } ; allow systemd_logind_t tmpfsfile : file { getattr unlink } ; ps -efZ | grep lldpad unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16396 16245 0 17:13 pts/1 00:00:00 grep --color=auto lldpad I hope it will help. This is weird, Here is file, where I added labeling for this in August. $ git blame lldpad.fc 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 1) /etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0) 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 2) 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 3) /usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0) 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 4) 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 5) /var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0) 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 6) 6232c2fb (Dominick Grift 2012-09-11 12:26:25 +0200 7) /var/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0) 732fbe7e (Lukas Vrabec 2015-08-12 17:37:31 +0200 8) 732fbe7e (Lukas Vrabec 2015-08-12 17:37:31 +0200 9) /dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0) How you started this service? By hand or by systemctl? systemctl status lldpad.service ● lldpad.service - Link Layer Discovery Protocol Agent Daemon. Loaded: loaded (/usr/lib/systemd/system/lldpad.service; disabled; vendor preset: disabled) Active: inactive (dead) systemctl status lldpad.socket ● lldpad.socket Loaded: loaded (/usr/lib/systemd/system/lldpad.socket; disabled; vendor preset: disabled) Active: inactive (dead) Listen: @/com/intel/lldpad (Datagram) I don't start it by hand. Description of problem: Unsure, someone was SSH'd into my system at the time, which is unusual, and this is the first I've seen the denial, so they may be related, but that's pure speculation. Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.6-201.fc22.x86_64 type: libreport Description of problem: Run bareos backup software. Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.6-201.fc22.x86_64 type: libreport *** Bug 1290768 has been marked as a duplicate of this bug. *** Description of problem: logged in Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.8-200.fc22.x86_64 type: libreport Description of problem: Recently switched user and back Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.8-200.fc22.x86_64 type: libreport Got it in kernel-4.3.4-200.fc22.x86_64: SELinux is preventing systemd-logind from getattr access on the file /dev/shm/lldpad.state. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /dev/shm/lldpad.state default label should be lldpad_tmpfs_t. Then you can run restorecon. Do # /sbin/restorecon -v /dev/shm/lldpad.state ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that systemd-logind should be allowed getattr access on the lldpad.state file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects /dev/shm/lldpad.state [ file ] Source systemd-logind Source Path systemd-logind Port <Unknown> Host localhost.localdomain Source RPM Packages systemd-219-26.fc22.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-128.22.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.2.8-200.fc22.x86_64 #1 SMP Tue Dec 15 16:50:23 UTC 2015 x86_64 x86_64 Alert Count 2 First Seen 2016-01-02 13:40:40 EST Last Seen 2016-01-02 19:39:38 EST Local ID e22acacc-f108-4dfb-9977-202897294d69 Raw Audit Messages type=AVC msg=audit(1451781578.283:1239): avc: denied { getattr } for pid=1208 comm="systemd-logind" path="/dev/shm/lldpad.state" dev="tmpfs" ino=9754 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1451781578.283:1239): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=21 a1=55c9bbf184a3 a2=7ffd36631570 a3=100 items=1 ppid=1 pid=1208 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=CWD msg=audit(1451781578.283:1239): cwd=/ type=PATH msg=audit(1451781578.283:1239): item=0 name=lldpad.state inode=9754 dev=00:13 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL Hash: systemd-logind,systemd_logind_t,tmpfs_t,file,getattr "" Description of problem: add a P-ATA disk via converter (PATA to USB) onto a USB 3 Serial Bus Version-Release number of selected component: selinux-policy-3.13.1-158.2.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.8-300.fc23.x86_64 type: libreport Description of problem: logging back in after switching user to another account Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.3.4-200.fc22.x86_64 type: libreport Description of problem: logged out and in from another account Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.3.6-201.fc22.x86_64 type: libreport Description of problem: Seems to happen with Xfce, possibly related to testing a game under Wine Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.6-200.fc22.x86_64 type: libreport Description of problem: logged in Version-Release number of selected component: selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.6-201.fc22.x86_64 type: libreport Same issue is here for F23: https://bugzilla.redhat.com/show_bug.cgi?id=1284293 would be fixed by a newer systemd: https://github.com/systemd/systemd/pull/3039 Description of problem: switched user back and forth Version-Release number of selected component: selinux-policy-3.13.1-128.28.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.11-200.fc22.x86_64 type: libreport Description of problem: First I knew of bug was abrt alert. Version-Release number of selected component: selinux-policy-3.13.1-128.28.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.13-200.fc22.x86_64 type: libreport Description of problem: I'm seeing this every time the machine boots. Version-Release number of selected component: selinux-policy-3.13.1-158.15.fc23.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.5.7-200.fc23.x86_64 type: libreport Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. Description of problem: Unicamente se inició sesion con una cuenta nueva, incluso se establecio la contraseña al momento. Version-Release number of selected component: selinux-policy-3.13.1-128.28.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.14-200.fc22.x86_64 type: libreport Description of problem: Launched gparted,... Version-Release number of selected component: selinux-policy-3.13.1-158.15.fc23.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.5.7-202.fc23.x86_64 type: libreport |