Bug 1413047
Summary: | Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | systemd | Assignee: | systemd-maint |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | awilliam, johannbg, lnykryn, msekleta, muadda, ssahani, s, systemd-maint, zbyszek |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-01-17 20:57:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lukas Slebodnik
2017-01-13 13:16:58 UTC
And few SELinux reports which I saw a second before login I am not sure which are related and which are caused by disabled dontaudit rule SELinux is preventing login from using the rlimitinh access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that login should be allowed rlimitinh access on processes labeled local_login_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'login' --raw | audit2allow -M my-login # semodule -X 300 -i my-login.pp Additional Information: Source Context system_u:system_r:getty_t:s0-s0:c0.c1023 Target Context system_u:system_r:local_login_t:s0-s0:c0.c1023 Target Objects Unknown [ process ] Source login Source Path login Port <Unknown> Host host.example.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-233.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name host.example.com Platform Linux host.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-01-13 14:06:42 CET Last Seen 2017-01-13 14:06:42 CET Local ID a289469d-e0d2-47a4-84bb-55514a8ee52a Raw Audit Messages type=AVC msg=audit(1484312802.410:934): avc: denied { rlimitinh } for pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0 Hash: login,getty_t,local_login_t,process,rlimitinh SELinux is preventing login from using the siginh access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that login should be allowed siginh access on processes labeled local_login_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'login' --raw | audit2allow -M my-login # semodule -X 300 -i my-login.pp Additional Information: Source Context system_u:system_r:getty_t:s0-s0:c0.c1023 Target Context system_u:system_r:local_login_t:s0-s0:c0.c1023 Target Objects Unknown [ process ] Source login Source Path login Port <Unknown> Host host.example.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-233.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name host.example.com Platform Linux host.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-01-13 14:06:42 CET Last Seen 2017-01-13 14:06:42 CET Local ID 10f45660-99a6-413c-b502-9aaf2aff560f Raw Audit Messages type=AVC msg=audit(1484312802.410:935): avc: denied { siginh } for pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0 Hash: login,getty_t,local_login_t,process,siginh SELinux is preventing login from using the noatsecure access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that login should be allowed noatsecure access on processes labeled local_login_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'login' --raw | audit2allow -M my-login # semodule -X 300 -i my-login.pp Additional Information: Source Context system_u:system_r:getty_t:s0-s0:c0.c1023 Target Context system_u:system_r:local_login_t:s0-s0:c0.c1023 Target Objects Unknown [ process ] Source login Source Path login Port <Unknown> Host host.example.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-233.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name host.example.com Platform Linux host.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-01-13 14:06:42 CET Last Seen 2017-01-13 14:06:42 CET Local ID 63541f56-cff2-45d8-b609-2a15a56d3d1d Raw Audit Messages type=AVC msg=audit(1484312802.411:936): avc: denied { noatsecure } for pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0 Hash: login,getty_t,local_login_t,process,noatsecure SELinux is preventing systemd from 'read, write' accesses on the unix_stream_socket unix_stream_socket. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed read write access on the unix_stream_socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:system_r:kernel_t:s0-s0:c0.c1023 Target Objects unix_stream_socket [ unix_stream_socket ] Source systemd Source Path systemd Port <Unknown> Host host.example.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-233.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name host.example.com Platform Linux host.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 Alert Count 45 First Seen 2017-01-13 13:51:30 CET Last Seen 2017-01-13 14:17:46 CET Local ID fe48d463-6f29-45c3-8a69-f62cb5d5fbee Raw Audit Messages type=AVC msg=audit(1484313466.915:974): avc: denied { read write } for pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write Here are AVCs which I used for fixing the issue with "systemctl status --user" type=AVC msg=audit(1484313466.915:974): avc: denied { read write } for pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 type=AVC msg=audit(1484315059.928:498): avc: denied { write } for pid=1395 comm="(systemd)" path="socket:[14492]" dev="sockfs" ino=14492 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 I do not have a problem with "systemctl status --user" on older kernel 4.8.15-300.fc25.x86_64 The problem is only with 4.8.16-300.fc25.x86_64 Yes; kernel is from f25 and not from rawhide It works well with f25 systemd and f25 kernel sh$ uname -a Linux vm-115.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux sh$ rpm -q systemd systemd-231-10.fc25.x86_64 And there is still problem with latest rawhide kernel sh$ uname -a Linux vm-118.example.com 4.10.0-0.rc3.git1.1.fc26.x86_64 #1 SMP Tue Jan 10 15:32:37 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux sh$ rpm -q systemd systemd-232-6.fc26.x86_64 Probably the same as https://bugzilla.redhat.com/show_bug.cgi?id=1412750 ? ah, apparently not, says zbyszek. See also bug after change to permissive mode https://bugzilla.redhat.com/show_bug.cgi?id=1413075 *** This bug has been marked as a duplicate of bug 1412750 *** |