Bug 1543807
| Summary: | SELinux is preventing systemd from 'write' accesses on the sock_file virtlogd-sock. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | alciregi, chmelarz, dwalsh, lruzicka, lvrabec, mgrepl, motoskov, nicolas.mailhot, plautrba, pmoore, vondruch |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:d72b82b524cd2d3b3d57c9eb275cbebe48cad8489f4de6e0adcf15755dd14607;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.14.1-14.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-03-18 00:53:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'. Nicolas, Do you know when this happened? Are you able to reproduce it? THanks, Lukas. unfortunately, no, this system only serves as client to other stuff, so apart from updating it continuously to rawhide and accessing other things in firefox/evolution/ssh nothing much happens on it I just reported the alerts that had accumulated over the past weeks Description of problem: After full update to devel relabel and reboot Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport Description of problem: It appeared just after an update from F27 to F28 using GNOME software on Fedora Workstation inside a KVM virtual machine. Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport SELinux is preventing systemd from write access on the sock_file virtlogd-sock.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed write access on the virtlogd-sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:virtlogd_var_run_t:s0
Target Objects virtlogd-sock [ sock_file ]
Source systemd
Source Path systemd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed)
4.16.0-0.rc3.git0.1.fc28.x86_64 #1 SMP Mon Feb 26
15:15:43 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2018-03-04 11:37:21 IST
Last Seen 2018-03-04 11:37:21 IST
Local ID c6e3ee65-e5f4-4ac6-bea6-cdcf00f067a5
Raw Audit Messages
type=AVC msg=audit(1520156241.170:106): avc: denied { write } for pid=1 comm="systemd" name="virtlogd-sock" dev="tmpfs" ino=24047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:virtlogd_var_run_t:s0 tclass=sock_file permissive=0
Hash: systemd,init_t,virtlogd_var_run_t,sock_file,write
Version:
selinux-policy-3.14.1-10.fc28.noarch
selinux-policy-targeted-3.14.1-10.fc28.noarch
*** Bug 1551579 has been marked as a duplicate of this bug. *** *** Bug 1551581 has been marked as a duplicate of this bug. *** Description of problem: Error poped up without any action done. Just right after the login on the desktop Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport Description of problem: This appeared after a system upgrade from a fully working Fedora 27 to Fedora 28. Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport Not reproducible in: selinux-policy-targeted-3.14.1-11.fc28.noarch selinux-policy-3.14.1-11.fc28.noarch kernel-4.16.0-0.rc4.git0.1.fc28.x86_64 selinux-policy-3.14.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing systemd from 'write' accesses on the sock_file virtlogd-sock. ***** Plugin catchall (100. confidence) suggests ************************** Si vous pensez que systemd devrait être autorisé à accéder write sur virtlogd-sock sock_file par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do autoriser cet accès pour le moment en exécutant : # ausearch -c "systemd" --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:virtlogd_var_run_t:s0 Target Objects virtlogd-sock [ sock_file ] Source systemd Source Path systemd Port <Inconnu> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.1-3.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.15.0-1.fc28.x86_64 #1 SMP Mon Jan 29 10:12:16 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-01-30 16:59:09 CET Last Seen 2018-01-30 16:59:09 CET Local ID 040e1946-3f93-4fa8-b0ad-d81dc05da868 Raw Audit Messages type=AVC msg=audit(1517327949.671:131): avc: denied { write } for pid=1 comm="systemd" name="virtlogd-sock" dev="tmpfs" ino=25085 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:virtlogd_var_run_t:s0 tclass=sock_file permissive=0 Hash: systemd,init_t,virtlogd_var_run_t,sock_file,write Version-Release number of selected component: selinux-policy-3.14.1-3.fc28.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.0-1.fc28.x86_64 type: libreport