Bug 1555328
| Summary: | SELinux denying remount by 'ostnamed' | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Micah Abbott <miabbott> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | awilliam, dustymabe, dwalsh, lvrabec, mgrepl, plautrba, pmoore, pwhalen |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.1-14.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-03-16 22:56:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1469205 | ||
This is also affecting f28.. going to move to f28 and propose as FE. Proposed as a Freeze Exception for 28-beta by Fedora user dustymabe using the blocker tracking app because: Would be nice to get this denial cleaned up so our CI tests can start passing again for f28 Seeing this on aarch64 as well
----
time->Fri Mar 16 18:36:43 2018
type=AVC msg=audit(1521239803.932:125): avc: denied { remount } for pid=883 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
soft failures in openqa:
https://openqa.stg.fedoraproject.org/tests/254597#step/_console_avc_crash/8
We already had a bug for this. Transferring nomination. *** This bug has been marked as a duplicate of bug 1554776 *** |
Booting into a Fedora Rawhide Atomic Host, the following SELinux denial is observed in the journal: Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[886]: AVC avc: denied { remount } for pid=886 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 This doesn't seem to affect the operation of the host, but just reporting it here. $ rpm-ostree status State: idle; auto updates disabled Deployments: ● ostree://rawhide:fedora/rawhide/x86_64/atomic-host Version: Rawhide.20180311.n.1 (2018-03-11 22:20:53) Commit: b6d9fe6f817044bcaac2cbdbd52e3cdd7df02b718ceeeba1652ca1e0528db804 $ rpm -q selinux-policy systemd selinux-policy-3.14.2-4.fc29.noarch systemd-238-3.fc29.x86_64 $ sudo journalctl -b | grep -C 10 'avc: denied' Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Started Initial cloud-init job (pre-networking). Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cloud-init-local comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Reached target Network (Pre). Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Starting Network Manager... Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Starting Initial cloud-init job (metadata service crawler)... Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info> [1521034314.4439] NetworkManager (version 1.10.2-1.fc28) is starting... (for the first time) Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info> [1521034314.4453] Read config: /etc/NetworkManager/NetworkManager.conf Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info> [1521034314.4644] manager[0x555f26bc4080]: monitoring kernel firmware directory '/lib/firmware'. Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain dbus-daemon[815]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.3' (uid=0 pid=869 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0") Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Starting Hostname Service... Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[886]: AVC avc: denied { remount } for pid=886 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0 Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[886]: SYSCALL arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=564dd6eacf50 a2=0 a3=102f items=0 ppid=1 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ostnamed)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit: PROCTITLE proctitle="(ostnamed)" Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain dbus-daemon[815]: [system] Successfully activated service 'org.freedesktop.hostname1' Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Started Hostname Service. Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info> [1521034314.5604] hostname: hostname: using hostnamed Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info> [1521034314.5605] hostname: hostname changed from (none) to "micah-f27ah-vm0314a.localdomain" Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info> [1521034314.5614] dns-mgr[0x555f26be3950]: init: dns=default, rc-manager=symlink Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Started Network Manager. Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain dbus-daemon[815]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.3' (uid=0 pid=869 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")