Bug 1361242

Summary: SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/systemd/inaccessible/blk.
Product: Fedora
Reporter: Joachim Frieben <jfrieben>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 25
CC: dominick.grift, dwalsh, jsmith.fedora, lvrabec, mgrepl, momcilo, nicolas.mailhot, plautrba, wgianopoulos
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:fb0c1d2df4e48e8ccb7c5d72222070d28c0abc2fe44c5abb0c7dce886b6e0ca7;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-208.fc25
Doc Type: If docs needed, set a value
Last Closed: 2016-08-17 03:05:15 UTC

Description Joachim Frieben 2016-07-28 15:19:07 UTC
Description of problem:
SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/systemd/inaccessible/blk.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed getattr access on the blk blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                /run/systemd/inaccessible/blk [ blk_file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-204.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-2.fc25.x86_64 #1 SMP Tue Jul 26 14:26:55 UTC 2016 x86_64 x86_64
Alert Count                   5
First Seen                    2016-07-28 17:13:53 CEST
Last Seen                     2016-07-28 17:17:32 CEST
Local ID                      0a145d7b-5714-4af1-b9a1-257c69d8fc7e

Raw Audit Messages
type=AVC msg=audit(1469719052.197:238): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=8902 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=blk_file permissive=1


Hash: systemd,init_t,init_var_run_t,blk_file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-204.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.0-2.fc25.x86_64
type:           libreport
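
The setroubleshoot advice above pipes `ausearch --raw` into `audit2allow`, which parses records like the one under "Raw Audit Messages" and turns each (source type, target type, class) into an allow rule. The script below is an added example written for this page, not the bug reporter's or the selinux-policy project's code, and it is not audit2allow itself: it parses the AVC record quoted in this bug plus a second, constructed record for the companion chr node with permissive=0, emits the same `allow init_t init_var_run_t:blk_file getattr;` rule that audit2allow would write into my-systemd.te, and separates denials that only got logged (permissive=1, the reporter's first run) from ones that actually blocked the caller. The module name my-systemd and the second audit line are assumptions for illustration.

```python
"""Parse raw SELinux AVC audit records and derive the allow rules a local
policy module would need, the way `ausearch --raw | audit2allow` does."""
import re
from collections import OrderedDict

# Constructed sample input: the record quoted in this bug (logged in
# permissive mode) plus a hypothetical enforcing-mode record for the
# companion chr node, so both outcomes are exercised.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1469719052.197:238): avc:  denied  { getattr } for  '
    'pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=8902 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 '
    'tclass=blk_file permissive=1\n'
    'type=AVC msg=audit(1469719053.001:239): avc:  denied  { getattr } for  '
    'pid=1 comm="systemd" path="/run/systemd/inaccessible/chr" dev="tmpfs" ino=8903 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 '
    'tclass=chr_file permissive=0\n'
)

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':', 3)[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'path': kv.get('path'),
        'stype': context_type(kv['scontext']),
        'ttype': context_type(kv['tcontext']),
        'tclass': kv['tclass'],
        # permissive=1 means the access was logged but not blocked
        'permissive': kv.get('permissive') == '1',
    }


def parse_audit(text):
    """Parse every AVC record in a block of raw audit output."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def te_rules(records):
    """Collapse denials into audit2allow-style TE allow rules, one per
    (source type, target type, class), with permissions merged."""
    merged = OrderedDict()
    for r in records:
        if r['result'] != 'denied':
            continue
        key = (r['stype'], r['ttype'], r['tclass'])
        merged.setdefault(key, set()).update(r['perms'])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append(f'allow {s} {t}:{c} {p};' if len(perms) == 1
                     else f'allow {s} {t}:{c} {{ {p} }};')
    return rules


def enforced_denials(records):
    """Denials that actually blocked the caller (permissive=0). Records with
    permissive=1 were only logged, so the alert shows up without any
    functional failure until the box is booted enforcing."""
    return [r for r in records if r['result'] == 'denied' and not r['permissive']]


def build_module(records, name):
    """Render a complete .te file equivalent to what audit2allow -M writes,
    ready for checkmodule / semodule_package / semodule -i."""
    rules = te_rules(records)
    types = sorted({r['stype'] for r in records} | {r['ttype'] for r in records})
    classes = OrderedDict()
    for r in records:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    req = [f'\ttype {t};' for t in types]
    for c, perms in sorted(classes.items()):
        p = ' '.join(sorted(perms))
        req.append(f'\tclass {c} {p};' if len(perms) == 1 else f'\tclass {c} {{ {p} }};')
    return '\n'.join([f'module {name} 1.0;', '', 'require {', *req, '}', '', *rules, ''])


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT)
    print(build_module(recs, 'my-systemd'))
    for r in enforced_denials(recs):
        print(f"# enforced: {r['comm']} {r['perms']} on {r['path']} ({r['tclass']})")
```

Before installing a module like this with `semodule -X 300 -i`, check the generated rule against the denial you actually want to fix: a catchall `audit2allow` run over a busy audit log will sweep in unrelated denials, and the rule it emits grants the access to every object of that target type, not just the one path in the alert.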

Comment 1 Medic Momcilo 2016-08-10 09:52:50 UTC
Description of problem:
Occasionally on different tasks.
Opening files.
Running dnf --refresh upgrade.
...

Version-Release number of selected component:
selinux-policy-3.13.1-207.fc26.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc0.git5.1.fc26.x86_64
type:           libreport

Comment 2 Lukas Vrabec 2016-08-11 11:22:17 UTC
commit f5612370266f80563a6ce7550c5f526bef1188bd
Author: Dan Walsh <dwalsh>
Date:   Tue Aug 9 07:54:00 2016 -0400

    systemd is doing a getattr on blk and chr devices in /run
    
    Looks like devices created during boot are in /run/systemd/inaccessible/blk
    /run/systemd/inaccessible/chr
    
    ls -l /run/systemd/inaccessible/
    total 0
    b---------. 1 root root 0, 0 Aug  7 06:07 blk
    c---------. 1 root root 0, 0 Aug  7 06:07 chr
    d---------. 2 root root   40 Aug  7 06:07 dir
    p---------. 1 root root    0 Aug  7 06:07 fifo
    ----------. 1 root root    0 Aug  7 06:07 reg
    s---------. 1 root root    0 Aug  7 06:07 sock
    
    Maybe could dontaudit these, but getattr access is probably ok.

Comment 3 Fedora Update System 2016-08-12 15:58:15 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 4 Joachim Frieben 2016-08-13 12:17:03 UTC
This issue is still present. The system journal reports

  ".. systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied"

when booted in enforcing mode, and the alert continues to be reported by the SELinux Troubleshooter utility. The file attributes of /run/systemd/inaccessible/blk differ between enforcing mode and permissive mode.

File attributes 'ls -lZ /run/systemd/inaccessible/blk' in enforcing mode:
b---------. 1 root root system_u:object_r:tmpfs_t:s0        0, 0 Aug 13 13:01 blk

File attributes 'ls -lZ /run/systemd/inaccessible/blk' in permissive mode:
b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Aug 13 13:09 blk

Comment 5 Fedora Update System 2016-08-17 03:03:24 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.