Bug 1361732
| Summary: | SELinux is preventing systemd from 'create' accesses on the chr_file chr. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kohei Takahashi <flast> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:b1a5210b69cd863f05d743e2c47294e71802e10e613f3b77fc56e6fd4267572c;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-225.10.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-02-26 01:37:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
SELinux is preventing systemd from 'create' accesses on the blk_file blk.
***** Plugin catchall (100. confidence) suggests **************************
If systemd に、 blk blk_file の create アクセスがデフォルトで許可されるべきです。
Then バグとして報告してください。
ローカルのポリシーモジュールを生成すると、
このアクセスを許可することができます。
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:init_var_run_t:s0
Target Objects blk [ blk_file ]
Source systemd
Source Path systemd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-203.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1
SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-07-30 07:58:27 JST
Last Seen 2016-07-30 07:58:27 JST
Local ID eddd2ec5-8172-49b8-8bc5-d28483dae1d8
Raw Audit Messages
type=AVC msg=audit(1469833107.151:244): avc: denied { create } for pid=1 comm="systemd" name="blk" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=blk_file permissive=0
Hash: systemd,init_t,init_var_run_t,blk_file,create
SELinux is preventing systemd-gpt-aut from 'read' accesses on the file libsystemd-shared-231.so.
***** Plugin catchall (100. confidence) suggests **************************
If systemd-gpt-aut に、 libsystemd-shared-231.so file の read アクセスがデフォルトで許可されるべきです。
Then バグとして報告してください。
ローカルのポリシーモジュールを生成すると、
このアクセスを許可することができます。
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp
Additional Information:
Source Context system_u:system_r:systemd_gpt_generator_t:s0
Target Context system_u:object_r:init_exec_t:s0
Target Objects libsystemd-shared-231.so [ file ]
Source systemd-gpt-aut
Source Path systemd-gpt-aut
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-203.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1
SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-07-30 07:58:28 JST
Last Seen 2016-07-30 07:58:33 JST
Local ID 11b79367-ed6c-47ba-88ed-4ad076774774
Raw Audit Messages
type=AVC msg=audit(1469833113.36:255): avc: denied { read } for pid=4025 comm="systemd-gpt-aut" name="libsystemd-shared-231.so" dev="sda7" ino=28127140 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
Hash: systemd-gpt-aut,systemd_gpt_generator_t,init_exec_t,file,read
SELinux is preventing systemd-gpt-aut from 'open' accesses on the file /usr/lib/systemd/libsystemd-shared-231.so.
***** Plugin catchall (100. confidence) suggests **************************
If systemd-gpt-aut に、 libsystemd-shared-231.so file の open アクセスがデフォルトで許可されるべきです。
Then バグとして報告してください。
ローカルのポリシーモジュールを生成すると、
このアクセスを許可することができます。
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp
Additional Information:
Source Context system_u:system_r:systemd_gpt_generator_t:s0
Target Context system_u:object_r:init_exec_t:s0
Target Objects /usr/lib/systemd/libsystemd-shared-231.so [ file ]
Source systemd-gpt-aut
Source Path systemd-gpt-aut
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages systemd-231-2.fc26.x86_64
Policy RPM selinux-policy-3.13.1-203.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1
SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-07-30 07:58:28 JST
Last Seen 2016-07-30 07:58:33 JST
Local ID 0723863d-b58a-4c38-843a-bfeca72cb4e7
Raw Audit Messages
type=AVC msg=audit(1469833113.36:256): avc: denied { open } for pid=4025 comm="systemd-gpt-aut" path="/usr/lib/systemd/libsystemd-shared-231.so" dev="sda7" ino=28127140 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
Hash: systemd-gpt-aut,systemd_gpt_generator_t,init_exec_t,file,open
SELinux is preventing systemd-gpt-aut from 'getattr' accesses on the file /usr/lib/systemd/libsystemd-shared-231.so.
***** Plugin catchall (100. confidence) suggests **************************
If systemd-gpt-aut に、 libsystemd-shared-231.so file の getattr アクセスがデフォルトで許可されるべきです。
Then バグとして報告してください。
ローカルのポリシーモジュールを生成すると、
このアクセスを許可することができます。
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp
Additional Information:
Source Context system_u:system_r:systemd_gpt_generator_t:s0
Target Context system_u:object_r:init_exec_t:s0
Target Objects /usr/lib/systemd/libsystemd-shared-231.so [ file ]
Source systemd-gpt-aut
Source Path systemd-gpt-aut
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages systemd-231-2.fc26.x86_64
Policy RPM selinux-policy-3.13.1-203.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1
SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-07-30 07:58:28 JST
Last Seen 2016-07-30 07:58:33 JST
Local ID 43d05bbd-f21c-4009-8f8b-e2b514fcf575
Raw Audit Messages
type=AVC msg=audit(1469833113.36:257): avc: denied { getattr } for pid=4025 comm="systemd-gpt-aut" path="/usr/lib/systemd/libsystemd-shared-231.so" dev="sda7" ino=28127140 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
Hash: systemd-gpt-aut,systemd_gpt_generator_t,init_exec_t,file,getattr
SELinux is preventing systemd-gpt-aut from 'execute' accesses on the file /usr/lib/systemd/libsystemd-shared-231.so.
***** Plugin catchall (100. confidence) suggests **************************
If systemd-gpt-aut に、 libsystemd-shared-231.so file の execute アクセスがデフォルトで許可されるべきです。
Then バグとして報告してください。
ローカルのポリシーモジュールを生成すると、
このアクセスを許可することができます。
Do
allow this access for now by executing:
# ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut
# semodule -X 300 -i my-systemdgptaut.pp
Additional Information:
Source Context system_u:system_r:systemd_gpt_generator_t:s0
Target Context system_u:object_r:init_exec_t:s0
Target Objects /usr/lib/systemd/libsystemd-shared-231.so [ file ]
Source systemd-gpt-aut
Source Path systemd-gpt-aut
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages systemd-231-2.fc26.x86_64
Policy RPM selinux-policy-3.13.1-203.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1
SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-07-30 07:58:28 JST
Last Seen 2016-07-30 07:58:33 JST
Local ID 74c926b5-e8f9-40a8-9237-b3e73321804c
Raw Audit Messages
type=AVC msg=audit(1469833113.36:258): avc: denied { execute } for pid=4025 comm="systemd-gpt-aut" path="/usr/lib/systemd/libsystemd-shared-231.so" dev="sda7" ino=28127140 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
Hash: systemd-gpt-aut,systemd_gpt_generator_t,init_exec_t,file,execute
selinux-policy-3.13.1-205.fc26.noarch fix this issue. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. selinux-policy-3.13.1-225.10.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-31d4ea5eb1 selinux-policy-3.13.1-225.10.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: It happened when I update systemd from 230-3.gitea68351.fc25 to 231-2.fc26. SELinux is preventing systemd from 'create' accesses on the chr_file chr. ***** Plugin catchall (100. confidence) suggests ************************** If systemd に、 chr chr_file の create アクセスがデフォルトで許可されるべきです。 Then バグとして報告してください。 ローカルのポリシーモジュールを生成すると、 このアクセスを許可することができます。 Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:init_var_run_t:s0 Target Objects chr [ chr_file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-203.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.7.0-0.rc0.git10.1.fc25.x86_64 #1 SMP Fri May 27 14:56:48 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-07-30 07:58:27 JST Last Seen 2016-07-30 07:58:27 JST Local ID bd78a82c-5587-4505-9886-05e93c7784c3 Raw Audit Messages type=AVC msg=audit(1469833107.151:243): avc: denied { create } for pid=1 comm="systemd" name="chr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=chr_file permissive=0 Hash: systemd,init_t,init_var_run_t,chr_file,create Version-Release number of selected component: selinux-policy-3.13.1-203.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.0-0.rc0.git10.1.fc25.x86_64 type: libreport