Bug 1655335
| Summary: | SELinux is preventing (sd-openpt) from 'sys_chroot' accesses on the cap_userns labeled systemd_machined_t. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | GOGI <goksibg> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:5616f1d7b517880e4400487c19f2c79604949a7a3f9e207c878b9ce96a671bfa;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.14.2-46.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-01-17 02:17:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
commit 879f70d91144905fff16a378c12ea7c4b0dad720 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Wed Dec 12 16:06:39 2018 +0100
Dontaudit certwatch_t domain to write to all mountpoints BZ(1655357)
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61 selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61 selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Can't login to systemd container with command "machinectl login my container", without disabling SELinux enforcement... SELinux is preventing (sd-openpt) from 'sys_chroot' accesses on the cap_userns labeled systemd_machined_t. ***** Plugin catchall (100. confidence) suggests ************************** Si vous pensez que (sd-openpt) devrait être autorisé à accéder sys_chroot sur Unknown cap_userns par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do autoriser cet accès pour le moment en exécutant : # ausearch -c "(sd-openpt)" --raw | audit2allow -M my-sdopenpt # semodule -X 300 -i my-sdopenpt.pp Additional Information: Source Context system_u:system_r:systemd_machined_t:s0 Target Context system_u:system_r:systemd_machined_t:s0 Target Objects Unknown [ cap_userns ] Source (sd-openpt) Source Path (sd-openpt) Port <Inconnu> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-42.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.19.5-300.fc29.x86_64 #1 SMP Tue Nov 27 19:29:23 UTC 2018 x86_64 x86_64 Alert Count 3 First Seen 2018-11-16 21:26:59 CET Last Seen 2018-12-02 23:10:28 CET Local ID 6ae125f0-91e6-466e-bf66-75397c5af294 Raw Audit Messages type=AVC msg=audit(1543788628.993:305): avc: denied { sys_chroot } for pid=5245 comm="(sd-openpt)" capability=18 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=0 Hash: (sd-openpt),systemd_machined_t,systemd_machined_t,cap_userns,sys_chroot Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.5-300.fc29.x86_64 type: libreport