Bug 1451385
Summary: | SELinux is preventing systemd-tmpfile from using the 'dac_read_search' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Delete My Account <c.crispino8611> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | agl, alciregi, amessina, andrea.vai, awilliam, brunch875, carl, dominick.grift, dwalsh, iliketurtlesbro, jfrieben, kparal, lvrabec, mgrepl, mikhail.v.gavrilov, plautrba, pmoore, prd-fedora, rxguy, ssekidde |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | AcceptedBlocker abrt_hash:488cd3dfc396a6bc2d2885967a02d8279cdaca45e05e784378fb982a4bbc1cd7; | ||
Fixed In Version: | selinux-policy-3.13.1-273.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-24 07:38:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1396704 | | |
Description
Delete My Account
2017-05-16 14:27:27 UTC
Description of problem: This is a fresh rawhide installation upgraded from a fresh f25 installation using the dnf upgrade plugin

I was told in IRC the issue is due to a kernel change where the order of dac_read_search and dac_override changed to fix check dac_read_search

Version-Release number of selected component: selinux-policy-3.13.1-255.fc27.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.0-0.rc3.git0.2.fc27.x86_64
type: libreport

---

Description of problem: Happens on first boot of a current Rawhide Workstation install.

Version-Release number of selected component: selinux-policy-3.13.1-258.fc27.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.12.0-0.rc5.git2.1.fc27.x86_64
type: libreport

---

This is clearly not fixed. Also clearly similar to #1451377, #1451379, #1459081 and #1451381, but not the same (five different things, all hitting the same denial). Proposing as an F27 Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

---

Description of problem: Installing Workstation Live, circa at the end

Version-Release number of selected component: selinux-policy-3.13.1-265.fc27.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.13.0-0.rc1.git3.1.fc27.x86_64
type: libreport

---

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

---

Discussed during blocker review [1]: AcceptedBlocker (Final) - clear violations of Final criterion "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/

---

```
# audit2allow -i avc

#============= systemd_tmpfiles_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_tmpfiles_t self:capability dac_read_search;

# sesearch -A -s systemd_tmpfiles_t -t systemd_tmpfiles_t -c capability -p dac_read_search
allow systemd_tmpfiles_t systemd_tmpfiles_t:capability { chown dac_override *dac_read_search* fowner fsetid mknod sys_admin };

# rpm -q selinux-policy
selinux-policy-3.13.1-273.fc27.noarch
```

This is fixed in the latest selinux-policy build in koji.
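The check in the last comment (turn the reported AVC into a sesearch query and see whether the current policy already grants the permission) as a small added script; it is an illustration written for this page, not part of the bug report or of setools. The AVC record below is constructed in the shape setroubleshoot reports (pid, timestamp and capability number are made up); the allow rule is the one quoted from sesearch above.

```python
import re

# Constructed AVC record for this denial; only the type names, class and
# permission come from the bug report, the rest is made up for illustration.
SAMPLE_AVC = (
    'type=AVC msg=audit(1494944847.123:456): avc:  denied  { dac_read_search } '
    'for  pid=1234 comm="systemd-tmpfile" capability=2  '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0'
)

# Allow rule as printed by sesearch in the final comment of the bug.
SAMPLE_SESEARCH = (
    "allow systemd_tmpfiles_t systemd_tmpfiles_t:capability "
    "{ chown dac_override dac_read_search fowner fsetid mknod sys_admin };"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(r"allow (\S+) (\S+):(\S+) (?:\{ ([^}]+)\}|(\S+));")

def parse_avc(line):
    """Return (source type, target type, class, set of denied permissions)."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    stype = m.group("scon").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def sesearch_command(line):
    """Build the sesearch query that asks whether the denial is already allowed."""
    stype, ttype, tclass, perms = parse_avc(line)
    return "sesearch -A -s %s -t %s -c %s -p %s" % (
        stype, ttype, tclass, ",".join(sorted(perms)))

def parse_rules(text):
    """Parse 'allow S T:C { p ... };' lines into {(S, T, C): set of perms}."""
    rules = {}
    for m in RULE_RE.finditer(text):
        perms = (m.group(4) or m.group(5)).split()
        rules.setdefault((m.group(1), m.group(2), m.group(3)), set()).update(perms)
    return rules

def denial_allowed(line, rules_text):
    """True when every denied permission is granted by a parsed allow rule
    (the same verdict audit2allow gives as 'allowed in the current policy')."""
    stype, ttype, tclass, perms = parse_avc(line)
    return perms <= parse_rules(rules_text).get((stype, ttype, tclass), set())
```

Feed it the AVC lines from `ausearch -m avc` and the output of the generated sesearch command to tell a stale denial (already allowed after a policy update) from one that still needs a policy change.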