Bug 1362273
| Summary: | SELinux prevents ModemManager from sending a D-bus message to systemd-logind and vice versa | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-93.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:35:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1364485 | | |
| Bug Blocks: | | | |
The D-bus messages are blocked in both directions:
```
----
time->Fri Jul 29 13:55:53 2016
type=USER_AVC msg=audit(1469814953.722:649): pid=778 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.0 spid=11142 tpid=777 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html
Description of problem:
While testing rhel73 composes, I see two USER_AVC denied messages written to /var/log/audit/audit.log every two minutes, which coincide with two systemd messages written to /var/log/messages every two minutes.

Version-Release number of selected component (if applicable):
```
[root@jsefler-rhel7 ~]# rpm -qa | egrep "selinux|dbus|systemd"
dbus-x11-1.6.12-14.el7.x86_64
systemd-219-24.el7.x86_64
python-slip-dbus-0.4.0-2.el7.noarch
systemd-python-219-24.el7.x86_64
libselinux-python-2.5-4.el7.x86_64
systemd-libs-219-24.el7.x86_64
libselinux-utils-2.5-4.el7.x86_64
selinux-policy-3.13.1-92.el7.noarch
dbus-1.6.12-14.el7.x86_64
selinux-policy-targeted-3.13.1-92.el7.noarch
dbus-python-1.1.1-9.el7.x86_64
oci-systemd-hook-1.10.3-44.el7.x86_64
abrt-dbus-2.1.11-41.el7.x86_64
libselinux-2.5-4.el7.x86_64
docker-selinux-1.10.3-44.el7.x86_64
dbus-glib-0.100-7.el7.x86_64
dbus-libs-1.6.12-14.el7.x86_64
systemd-sysv-219-24.el7.x86_64
dleyna-connector-dbus-0.2.0-1.el7.x86_64
```

How reproducible:

Steps to Reproduce:
```
[root@jsefler-rhel7 ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@jsefler-rhel7 ~]# setenforce 1
[root@jsefler-rhel7 ~]# restorecon -Rv /etc /run /var
restorecon reset /run/user/42/gvfs context system_u:object_r:user_tmp_t:s0->system_u:object_r:fusefs_t:s0
restorecon: Warning no default label for /run/lvmetad.pid
<....cutting out a lot of restorecon Warnings....>
restorecon: Warning no default label for /var/tmp/sosreport-jsefler-rhel7.usersys.redhat.com-20160720175239.tar.xz.md5
[root@jsefler-rhel7 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@jsefler-rhel7 ~]#
```

With two terminals open, watch the tail of these two logs for about four minutes...

```
[root@jsefler-rhel7 ~]# tail -f /var/log/messages
Aug 1 14:56:01 jsefler-rhel7 systemd: Started Session 141 of user root.
Aug 1 14:56:01 jsefler-rhel7 systemd: Starting Session 141 of user root.
Aug 1 14:58:01 jsefler-rhel7 systemd: Started Session 142 of user root.
Aug 1 14:58:01 jsefler-rhel7 systemd: Starting Session 142 of user root.
```

```
[root@jsefler-rhel7 ~]# tail -f /var/log/audit/audit.log | grep AVC
type=USER_AVC msg=audit(1470077761.241:21946): pid=693 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionNew dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470077761.449:21951): pid=693 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionRemoved dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470077881.463:21955): pid=693 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionNew dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470077881.665:21960): pid=693 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionRemoved dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

Then after four minutes run...

```
[root@jsefler-rhel7 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=USER_AVC msg=audit(08/01/2016 14:56:01.241:21946) : pid=693 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionNew dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(08/01/2016 14:56:01.449:21951) : pid=693 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionRemoved dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(08/01/2016 14:58:01.463:21955) : pid=693 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionNew dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(08/01/2016 14:58:01.665:21960) : pid=693 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionRemoved dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
[root@jsefler-rhel7 ~]#
```

Actual results:
above

Expected results:

Additional info:
When I run with permissive, I do not get the denials every two minutes.
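Added here as an illustration, not code from the bug report or from selinux-policy: a small Python parser that pulls the D-Bus denials out of audit lines of the shape shown in this report, lists the candidate `allow ... :dbus send_msg` rules for review (the same rules audit2allow would print), and flags domain pairs that are blocked in both directions. It assumes refpolicy's `class dbus { acquire_svc send_msg }` ordering, so the raw bit `0x2` that dbus-daemon logs with `tclass=(null)` is `send_msg`; the sample lines are constructed to match the report's field layout.

```python
import re

# Constructed sample (same field layout as the lines in this report, fields trimmed):
# three dbus-daemon USER_AVC denials plus one ordinary kernel AVC the parser must skip.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1470077761.241:21946): pid=693 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionNew dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470077761.449:21951): pid=693 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionRemoved dest=org.freedesktop.DBus spid=691 tpid=720 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1469814953.722:649): pid=778 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.0 spid=11142 tpid=777 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1470077761.000:21950): avc: denied { read } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# dbus-daemon logs the denied permission as a raw bit with tclass=(null); assumption:
# refpolicy's `class dbus { acquire_svc send_msg }` ordering, so 0x2 is send_msg.
DBUS_PERM_BITS = {"0x1": "acquire_svc", "0x2": "send_msg"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def domain_type(context):
    """system_u:system_r:modemmanager_t:s0 -> modemmanager_t"""
    return context.split(":")[2]

def parse_dbus_denials(text):
    """One dict per dbus-daemon USER_AVC denial; kernel AVCs (no msgtype=) are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or "msgtype=" not in m.group("rest"):
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        denials.append({
            "source": domain_type(fields["scontext"]),
            "target": domain_type(fields["tcontext"]),
            "msgtype": fields["msgtype"],
            "interface": fields.get("interface"),
            "member": fields.get("member"),
            "perms": [DBUS_PERM_BITS.get(p, p) for p in m.group("perms").split()],
        })
    return denials

def suggest_allow_rules(denials):
    """Candidate TE rules for review (what audit2allow would emit), deduplicated."""
    return sorted({f"allow {d['source']} {d['target']}:dbus {p};" for d in denials for p in d["perms"]})

def bidirectional_pairs(denials):
    """Domain pairs denied in both directions, the symptom this bug describes."""
    seen = {(d["source"], d["target"]) for d in denials}
    return sorted({tuple(sorted(p)) for p in seen if (p[1], p[0]) in seen})
```

Against a real system, feed it `/var/log/audit/audit.log` (or the `ausearch -i` output above, which it parses the same way) and treat the printed rules as candidates to check against the shipped policy rather than something to install unreviewed.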