Bug 1401179

Summary: SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown.
Product: [Fedora] Fedora Reporter: Joachim Frieben <jfrieben>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 25CC: aish9r, alexarit81, alex.vizor, a.lloyd.flanagan, angrystar170, artemio.silva, arturpolak1, arunswift, as.maps, bigkrp, bnater, bugzilla, cesargjr, c.steinseifer, cyrusyzgtt, danil.rost, david_smith411, dominick.grift, dwalsh, dxzlabs, foolha, fukidid, giuseppe.bonomelli95, herculesh.silva, jdeustice, JohnVietta, jotonx, jsamudiotech, kparal, krupalpurohit1997, kyawlinwai11696, lvrabec, manolache.constantin93, mgrepl, micsim2007, mikhail.v.gavrilov, mr.tarasow, muhamdmagdy, nate, novak.david, plautrba, pmoore, sanjay.ankur, sheepdestroyer, srw, ssekidde, stickster, tonipallitur, waterforce1205, wendling.loic
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:3105d14f21e59edb726bf898f9802a354518963c750a7e1cd2349c661e1c3dba;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-07 10:10:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Joachim Frieben 2016-12-03 11:01:23 UTC 
Description of problem:
SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch selinux-
                              policy-3.13.1-225.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.11-300.fc25.x86_64 #1 SMP Mon
                              Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-12-03 07:27:20 CET
Last Seen                     2016-12-03 07:27:21 CET
Local ID                      26707918-683a-4bb7-9b06-2ae7fdc31dab

Raw Audit Messages
type=AVC msg=audit(1480746441.404:219): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport

Potential duplicate: bug 1379278
Comment 1 Mikhail 2016-12-03 18:53:10 UTC 
Description of problem:
occured after last system update

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport
Comment 2 Mike Simms 2016-12-05 20:16:51 UTC 
Description of problem:
running an update process with yumex with updates-testing enabled. applying updates process was nearing completion and the warning came up during the cleanup phase. not sure which specific patch the error was generated by

Version-Release number of selected component:
selinux-policy-3.13.1-225.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 3 aish9r 2016-12-06 06:16:16 UTC 
Description of problem:
during dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 4 Andreas Schöneck 2016-12-06 08:16:14 UTC 
Description of problem:
Ran dnf upgrade


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 5 Kamil Páral 2016-12-06 09:35:04 UTC 
Description of problem:
This happened during live dnf update in a completely clean freshly-installed Fedora 25 VM.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport
Comment 6 Lukas Vrabec 2016-12-06 12:25:23 UTC 
Hi, 
Could you attach output of:
# ps -efZ | grep unconfined_service 

Thanks.
Comment 7 Mikhail 2016-12-06 12:26:56 UTC 
# ps -efZ | grep unconfined_service
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 32719 32675  0 17:26 pts/18 00:00:00 grep --color=auto unconfined_service
Comment 8 Mike Simms 2016-12-06 12:35:33 UTC 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 antman 6284 6258  0 12:33 pts/0 00:00:00 grep --color=auto unconfined_service
Comment 9 Stig Roar Wangberg 2016-12-06 14:11:05 UTC 
Description of problem:
I just started to run the dnf update, and then I got this message from SELinux that it had detected a problem.
The source process: systemd
Attempted this access: create
On this unix_stream_socket

I'm a newbie so I really don't know what's going on. This is the details:

SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 4.8.10-300.fc25.x86_64
                              #1 SMP Mon Nov 21 18:59:16 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-12-06 14:17:24 CET
Last Seen                     2016-12-06 14:17:24 CET
Local ID                      570e9ca7-e3fa-49af-8389-126beb5a1440

Raw Audit Messages
type=AVC msg=audit(1481030244.381:244): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 10 dark147123 2016-12-06 14:12:17 UTC 
Description of problem:
Happened during update around 3:10 6/12/2016. SELinux was among the updated packages.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 11 A. Lloyd Flanagan 2016-12-06 17:47:43 UTC 
Description of problem:
Occurred a while after startup during normal operation. No idea how or why, sorry.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 12 Michal Nowak 2016-12-06 17:56:42 UTC 
Description of problem:
Updated system via dnf.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 13 Viktor 2016-12-06 21:49:59 UTC 
(In reply to Lukas Vrabec from comment #6)
> Hi, 
> Could you attach output of:
> # ps -efZ | grep unconfined_service 
> 
> Thanks.

After running the suggested local fix (ausearch -c 'systemd-gpt-aut' --raw | audit2allow -M my-systemdgptaut & semodule -X 300 -i my-systemdgptaut.pp)

system_u:system_r:unconfined_service_t:s0 rpc 11934 1  0 22:37 ?       00:00:00 /usr/bin/rpcbind -w -f
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 27523 3241  0 22:47 pts/1 00:00:00 grep --color=auto unconfined_service
Comment 14 jsamudiotech 2016-12-06 22:22:33 UTC 
Description of problem:
This error ocurred after an update the system.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 15 Paul W. Frields 2016-12-07 02:05:22 UTC 
Description of problem:
Ran a dnf update, and when firewalld was cleaned up, this error displayed.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport
Comment 16 Branislav Náter 2016-12-07 08:17:28 UTC 
Description of problem:
I've just run "dnf update" and then working with web browser.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport
Comment 17 krp 2016-12-07 09:41:03 UTC 
Description of problem:
After reboot in fresh fedora25 have this issue

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport
Comment 18 Lukas Vrabec 2016-12-07 10:10:28 UTC 

*** This bug has been marked as a duplicate of bug 1402083 ***
Comment 19 David Smith 2016-12-09 13:25:52 UTC 
*** Bug 1403237 has been marked as a duplicate of this bug. ***
Comment 20 muhamdmagdy 2016-12-11 03:09:56 UTC 
*** Bug 1403527 has been marked as a duplicate of this bug. ***
Comment 21 Water Force 2017-01-24 03:16:26 UTC 
*** Bug 1415903 has been marked as a duplicate of this bug. ***
Comment 22 alexarit81 2017-02-05 17:57:35 UTC 
*** Bug 1419350 has been marked as a duplicate of this bug. ***
Comment 23 jdeustice 2017-02-09 23:37:39 UTC 
*** Bug 1420950 has been marked as a duplicate of this bug. ***
Comment 24 costi 2017-02-17 14:56:39 UTC 
*** Bug 1423838 has been marked as a duplicate of this bug. ***
Comment 25 Artemio 2017-03-02 22:41:48 UTC 
*** Bug 1428596 has been marked as a duplicate of this bug. ***
Comment 26 cyrushmh 2017-03-13 14:27:17 UTC 
*** Bug 1431656 has been marked as a duplicate of this bug. ***
Comment 27 arturpolak1 2017-03-14 14:58:56 UTC 
*** Bug 1432125 has been marked as a duplicate of this bug. ***
Comment 28 Rodrigo Freitas 2017-03-14 19:31:17 UTC 
*** Bug 1432217 has been marked as a duplicate of this bug. ***
Comment 29 arturpolak1 2017-03-15 14:40:25 UTC 
*** Bug 1432517 has been marked as a duplicate of this bug. ***
Comment 30 arturpolak1 2017-03-16 20:20:40 UTC 
*** Bug 1433115 has been marked as a duplicate of this bug. ***
Comment 31 John Vietta 2017-04-17 00:48:46 UTC 
*** Bug 1442652 has been marked as a duplicate of this bug. ***
Comment 32 John Vietta 2017-04-19 16:17:31 UTC 
*** Bug 1443660 has been marked as a duplicate of this bug. ***
Comment 33 Hercules 2017-04-23 15:19:56 UTC 
*** Bug 1444645 has been marked as a duplicate of this bug. ***
Comment 34 Jeong Junggyu 2017-05-23 12:49:26 UTC 
*** Bug 1454766 has been marked as a duplicate of this bug. ***
Comment 35 jotonx 2017-06-07 03:40:16 UTC 
*** Bug 1459397 has been marked as a duplicate of this bug. ***
Comment 36 Artemio 2017-06-08 21:57:09 UTC 
*** Bug 1460039 has been marked as a duplicate of this bug. ***
Comment 37 Kyaw Lin Wai 2017-06-12 15:57:23 UTC 
*** Bug 1460758 has been marked as a duplicate of this bug. ***
Comment 38 Antonio Pallicer 2017-06-27 19:48:27 UTC 
*** Bug 1465634 has been marked as a duplicate of this bug. ***
Comment 39 Artemio 2017-08-28 14:31:53 UTC 
*** Bug 1485954 has been marked as a duplicate of this bug. ***