| Summary: | SELinux is preventing (t-daemon) from 'read' accesses on the file Unknown. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Henning Norén <henning.noren> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 22 | CC: | cra, dominick.grift, dwalsh, lvrabec, mgrepl, oliver.henshaw, plautrba | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | abrt_hash:bc3becee31f2e9a3eedc33a869adf452557101573790c63ba479798ebd070684;VARIANT_ID=workstation; | ||||||
| Fixed In Version: | selinux-policy-3.13.1-128.28.fc22 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-07-19 18:44:00 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
commit a165d481fc386050594f64c20f126e302dbf418d
Author: Lukas Vrabec <lvrabec>
Date: Mon Jan 18 15:36:48 2016 +0100
Allow systemd services to use PrivateNetwork feature
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.
In the implementation, systemd uses a socketpair as a storage
buffer for the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock"
access to self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.
While at it, add filesystem_type attribute to nsfs_t.
Author: Nicolas Iooss <nicolas.iooss>
Note that "t-daemon" is rtkit-daemon. On kde the machine boots to the sddm login screen but then has problems logging in - it logs in eventually but without sound or the mixer applet. I guess gdm fails earlier becuase it tries to start pulseaudio which requires rtkit. Hi Oliver, Can you boot up with permissive mode and collect AVC msgs? Thank you. I tested selinux-policy-3.13.1-128.28.fc22 and it fixes my problem, as expected. Do you still need AVC logs? From a conversation on #selinux I'm reasonably sure that you don't. Note that I filed bug #1309748 against systemd over the "rtkit-daemon" -> "(t-daemon)" naming issue, since it throws extra spanners into the process of understanding a bug. Created attachment 1128576 [details]
audit.log while in permissive mode and restarting gdm
selinux-policy-3.13.1-128.28.fc22 fixes the problem for me. It isn't pushed to updates-testing yet, so I had to get it from koji directly. Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: Upgraded selinux-policy and selinux-policy-targeted to 3.13.1-128.27.fc22 and rebooted. During boot I noticed the machine was stuck and did not react to keyboard or mouse and did not complete the boot sequence (it stalled with the fedora-logo showing). However, I could ssh into it remotely and there downgrade to 3.13.1-128.21.fc22 again and once rebooted it came up again without any issues. SELinux is preventing (t-daemon) from 'read' accesses on the file Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (t-daemon) should be allowed read access on the Unknown file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep (t-daemon) /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:nsfs_t:s0 Target Objects Unknown [ file ] Source (t-daemon) Source Path (t-daemon) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.27.fc22.noarch selinux- policy-3.13.1-128.21.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.3.5-200.fc22.x86_64 #1 SMP Mon Feb 1 03:19:00 UTC 2016 x86_64 x86_64 Alert Count 28 First Seen 2016-02-17 22:10:26 CET Last Seen 2016-02-17 22:21:24 CET Local ID fedc66c8-f8e9-4f6c-87ff-b49a03c469d4 Raw Audit Messages type=AVC msg=audit(1455744084.311:875): avc: denied { read } for pid=2520 comm="(ostnamed)" dev="nsfs" ino=4026532323 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 Hash: (t-daemon),init_t,nsfs_t,file,read Version-Release number of selected component: selinux-policy-3.13.1-128.27.fc22.noarch selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.3.5-200.fc22.x86_64 type: libreport