Bug 1543807
Summary: | SELinux is preventing systemd from 'write' accesses on the sock_file virtlogd-sock. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 28 | CC: | alciregi, chmelarz, dwalsh, lruzicka, lvrabec, mgrepl, motoskov, nicolas.mailhot, plautrba, pmoore, vondruch |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:d72b82b524cd2d3b3d57c9eb275cbebe48cad8489f4de6e0adcf15755dd14607;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.14.1-14.fc28 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-03-18 00:53:44 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Nicolas Mailhot
2018-02-09 11:13:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'. Nicolas, Do you know when this happened? Are you able to reproduce it? THanks, Lukas. unfortunately, no, this system only serves as client to other stuff, so apart from updating it continuously to rawhide and accessing other things in firefox/evolution/ssh nothing much happens on it I just reported the alerts that had accumulated over the past weeks Description of problem: After full update to devel relabel and reboot Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport Description of problem: It appeared just after an update from F27 to F28 using GNOME software on Fedora Workstation inside a KVM virtual machine. Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport SELinux is preventing systemd from write access on the sock_file virtlogd-sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed write access on the virtlogd-sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:virtlogd_var_run_t:s0 Target Objects virtlogd-sock [ sock_file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.16.0-0.rc3.git0.1.fc28.x86_64 #1 SMP Mon Feb 26 15:15:43 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-03-04 11:37:21 IST Last Seen 2018-03-04 11:37:21 IST Local ID c6e3ee65-e5f4-4ac6-bea6-cdcf00f067a5 Raw Audit Messages type=AVC msg=audit(1520156241.170:106): avc: denied { write } for pid=1 comm="systemd" name="virtlogd-sock" dev="tmpfs" ino=24047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:virtlogd_var_run_t:s0 tclass=sock_file permissive=0 Hash: systemd,init_t,virtlogd_var_run_t,sock_file,write Version: selinux-policy-3.14.1-10.fc28.noarch selinux-policy-targeted-3.14.1-10.fc28.noarch *** Bug 1551579 has been marked as a duplicate of this bug. *** *** Bug 1551581 has been marked as a duplicate of this bug. *** Description of problem: Error poped up without any action done. Just right after the login on the desktop Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport Description of problem: This appeared after a system upgrade from a fully working Fedora 27 to Fedora 28. Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport Not reproducible in: selinux-policy-targeted-3.14.1-11.fc28.noarch selinux-policy-3.14.1-11.fc28.noarch kernel-4.16.0-0.rc4.git0.1.fc28.x86_64 selinux-policy-3.14.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |