Bug 1375979
| Field | Value |
|---|---|
| Summary | Could not unlink /run/tor/control: Read-only file system |
| Product | Fedora |
| Component | tor |
| Version | 24 |
| Status | CLOSED DUPLICATE |
| Reporter | Juan Orti <jorti> |
| Assignee | Nobody's working on this, feel free to take it <nobody> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jorti, lewk, misc, pwouters, s |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Last Closed | 2016-10-02 19:16:26 UTC |
Description
Juan Orti
2016-09-14 12:00:36 UTC
If I remove all the ReadOnlyDirectories and ReadWriteDirectories from the systemd service file, I don't get this error any more and the socket file is created correctly.

I can't reproduce the issue. Do you run with SELinux in enforcing mode, or a specific policy (or some specific change)? What does getenforce return, and what is the output of "semanage export"?

Yes, I run with SELinux enabled.

```
# getenforce
Enforcing
# rpm -q selinux-policy
selinux-policy-3.13.1-191.16.fc24.noarch
# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 antivirus_can_scan_system
boolean -m -1 httpd_can_network_connect
fcontext -a -f a -t httpd_exec_t '/usr/sbin/fcgiwrap'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/export(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/images(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/js(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/cache/upload(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/feed-icons(/.*)?'
fcontext -a -f a -t httpd_sys_rw_content_t '/var/www/ttrss/lock(/.*)?'
fcontext -a -f a -t httpd_exec_t '/var/www/ttrss/update.php'
fcontext -a -f a -t httpd_exec_t '/var/www/ttrss/update_daemon2.php'
```

Can you also paste the output of "mount"? And does placing SELinux in permissive mode fix the issue?

It seems like setting SELinux in permissive mode fixes the issue and the socket is created.

```
# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=2012464k,nr_inodes=503116,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/mapper/fedora_argon-root on / type xfs (rw,noatime,seclabel,attr2,discard,inode64,noquota)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=26,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14424)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
tmpfs on /tmp type tmpfs (rw,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,relatime,seclabel)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
/dev/sda1 on /boot type ext4 (rw,noatime,seclabel,discard,data=ordered)
/dev/mapper/fedora_argon-bittorrent on /var/lib/transmission type xfs (rw,noatime,seclabel,attr2,discard,inode64,noquota)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=404712k,mode=700)
```

I've seen this AVC, so the problem is probably related to bug #1357395:

```
SELinux is preventing (tor) from mounton access on the directory /run/tor.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (tor) should be allowed mounton access on the tor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(tor)' --raw | audit2allow -M my-tor
# semodule -X 300 -i my-tor.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tor_var_run_t:s0
Target Objects                /run/tor [ dir ]
Source                        (tor)
Source Path                   (tor)
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages           tor-0.2.8.7-1.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   35125
First Seen                    2016-08-23 00:46:04 CEST
Last Seen                     2016-10-02 20:56:14 CEST
Local ID                      886dcb45-1e8b-410e-afeb-263bba6691ac

Raw Audit Messages
type=AVC msg=audit(1475434574.57:9040): avc:  denied  { mounton } for  pid=24378 comm="(tor)" path="/run/tor" dev="tmpfs" ino=16985 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0

Hash: (tor),init_t,tor_var_run_t,dir,mounton
```

Yup, so let's mark it as duplicate.

*** This bug has been marked as a duplicate of bug 1357395 ***
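An added example, not part of the bug report or of the tor or selinux-policy packages: a small classifier that parses raw AVC records like the one pasted above and singles out the pattern this bug shows, a `mounton` denial whose source is `init_t`. That combination means systemd itself was refused while building the unit's mount namespace for ReadOnlyDirectories/ReadWriteDirectories, which is why the socket directory ends up read-only even though tor's own domain was never denied anything. The `SAMPLE_AUDIT` list (the report's AVC line plus one constructed non-AVC line), the function names and the dict layout are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Matches the permission set and the key=value tail of a raw AVC record.
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the AVC record quoted in the report above, plus one constructed
# non-AVC line so the filter has something to reject.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1475434574.57:9040): avc:  denied  { mounton } for  pid=24378 '
    'comm="(tor)" path="/run/tor" dev="tmpfs" ino=16985 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:tor_var_run_t:s0 tclass=dir permissive=0',
    "type=SYSCALL msg=audit(1475434574.57:9040): arch=c000003e syscall=165 success=no",
]

def _type_of(context: str) -> str:
    """user:role:type:level -> type (the part SELinux rules are written against)."""
    return context.split(":")[2]

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one raw audit line into a dict; return None unless it is an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": kv.get("comm", ""),
        "path": kv.get("path"),
        "source_type": _type_of(kv["scontext"]),
        "target_type": _type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "permissive": kv.get("permissive") == "1",
    }

def explain_sandbox_denial(d: Dict[str, object]) -> Optional[str]:
    """A 'mounton' denial whose source is init_t means systemd itself (not the
    service) was refused while building the unit's mount namespace, which is what
    ReadOnlyDirectories=/ReadWriteDirectories= rely on. Returns None otherwise."""
    if "mounton" in d["perms"] and d["tclass"] == "dir" and d["source_type"] == "init_t":
        return (f"systemd could not bind-mount {d['path']} (type {d['target_type']}) for "
                f"{d['comm']}: policy lacks 'allow init_t {d['target_type']}:dir mounton', "
                f"so the unit's ReadOnly/ReadWriteDirectories sandbox is not applied")
    return None

def find_sandbox_denials(lines: List[str]) -> List[str]:
    """Classify raw audit lines (e.g. the output of `ausearch --raw`)."""
    found = [explain_sandbox_denial(d) for d in map(parse_avc, lines) if d]
    return [msg for msg in found if msg]
```

Feeding `ausearch -m AVC --raw` output through `find_sandbox_denials` separates this systemd-side denial from ordinary denials against the service's own domain, which is the distinction that matters when deciding whether the fix belongs in the unit file or in the policy.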