| Summary: | avc: denied { sys_admin } comm="systemd-readahe" capability=21 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Reiser <jreiser> |
| Component: | systemd | Assignee: | Lennart Poettering <lpoetter> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dwalsh, lpoetter, metherid, mschmidt, notting, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-02-08 23:00:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Dan, I don't really understand this AVC, what is this about?

sys_admin is kind of the catchall of capabilities. Looking in /usr/include/linux/capability.h sys_admin could mean:

```c
/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow setting zone reclaim policy */
```

Did you have a syscall record with that AVC? That could tell you what it was doing when the AVC happened.
```
ausearch -m avc -ts recent
```

Would return the complete messages.

There was no syscall record then [or in a fresh re-creating] on the console or in the output of dmesg. I do not see "systemd-read*" in the output from "ausearch -m avc -ts recent":
```
----
time->Tue Feb 8 09:18:24 2011
type=AVC msg=audit(1297185504.817:58): avc: denied { link } for pid=902 comm="plymouthd" name="boot.log" dev=sdd7 ino=656669 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Tue Feb 8 09:18:25 2011
type=SYSCALL msg=audit(1297185505.226:61): arch=c000003e syscall=6 success=no exit=-13 a0=7fe8fecbc587 a1=7fff64a8b200 a2=7fff64a8b200 a3=7fff64a8af70 items=0 ppid=1279 pid=1284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1297185505.226:61): avc: denied { getattr } for pid=1284 comm="mount" path="/etc/mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file
----
time->Tue Feb 8 09:18:25 2011
type=SYSCALL msg=audit(1297185505.230:62): arch=c000003e syscall=2 success=no exit=-13 a0=7fe8fecbc587 a1=42 a2=1a4 a3=7fff64a8af60 items=0 ppid=1279 pid=1284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1297185505.230:62): avc: denied { read } for pid=1284 comm="mount" name="mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file
-----
```
[Everything has been overwritten. Today's rawhide fails to install: bug #676032. I re-ran the install with a DVD from Sat.Feb.5.]

More context from 'dmesg' [with stripped leading date and wall-clock time]:
```
-----
[ 16.638494] systemd[1]: Startup finished in 821ms 703us (kernel) + 6s 898ms 674us (initrd) + 8s 918ms 99us (userspace) = 16s 638ms 476us.
[ 125.747445] type=1400 audit(1297185499.467:22): avc: denied { create } for pid=990 comm="system-setup-ke" name="00-system-setup-keyboard.conf" scontext=system_u:system_r:keyboardd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
[ 125.767718] type=1400 audit(1297185499.487:23): avc: denied { sys_admin } for pid=991 comm="systemd-readahe" capability=21 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
[ 125.777189] systemd-readahead-collect[991]: Failed to create fanotify object: Operation not permitted
[ 125.779187] systemd[1]: systemd-readahead-collect.service: main process exited, code=exited, status=1
[ 125.851175] type=1400 audit(1297185499.571:24): avc: denied { getattr } for pid=1005 comm="mount" path="/etc/mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file
-----
```
So it looks like fanotify is causing sys_admin capability to be required. (I guess)

Mount access should be available in tonight's update. The boot.log access is an open bug on plymouthd, I have no idea why they want this as a hard link.

Fixed in selinux-policy-3.9.14-1.fc15
Description of problem:
systemd-readahead gets an avc from selinux.

Version-Release number of selected component (if applicable):
systemd-17-1.fc15.x86_64
selinux-policy-targeted-3.9.13-8.fc15.noarch
kernel-2.6.38-0.rc3.git0.1.fc15.x86_64

How reproducible:
every time

Steps to Reproduce:
1. Fresh install DVD of today's rawhide (2011-02-03; Thursday).
2. boot
3.

Actual results:
on text console and in output of dmesg:

```
[ 8.670771] type=1400 audit(1296752507.393:4): avc: denied { sys_admin } for pid=472 comm="systemd-readahe" capability=21 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
```

Expected results:
no complaint

Additional info:
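The thread turns on reading an AVC record by hand: `tclass=capability` with `capability=21` means CAP_SYS_ADMIN, and, because no SYSCALL record accompanied the denial, the only clue to what readahead was doing is the daemon's own "Failed to create fanotify object" line logged by the same pid (fanotify_init() does require CAP_SYS_ADMIN). The following is an added example, not code from this bug, systemd or selinux-policy: a small parser that pulls the permission, source/target types and capability name out of AVC lines from dmesg or ausearch, and attaches any daemon messages logged by the same pid so a denial can be tied to the operation that failed. The CAP_NAMES table is transcribed from linux/capability.h (numbers 0 to 33, enough for this kernel); the sample input is constructed from the records quoted in this bug, with their dmesg timestamps left in place.

```python
import re
from typing import Dict, List, Optional

# Capability numbers in the order linux/capability.h defines them; index 21 is
# CAP_SYS_ADMIN, which is what "capability=21" in the AVC records refers to.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
]

# "avc: denied { perm ... } for key=value ..." as printed by dmesg and ausearch.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or a bare non-space token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Daemon lines such as 'systemd-readahead-collect[991]: Failed to ...', with or
# without the dmesg "[ 125.777189]" timestamp prefix.
DAEMON_RE = re.compile(r'^(?:\[\s*[\d.]+\]\s+)?(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$')

# Constructed sample input: records copied from the dmesg and ausearch output
# quoted in this bug (the AVC, the readahead daemon's error, and two file AVCs).
SAMPLE_LINES = [
    '[ 125.767718] type=1400 audit(1297185499.487:23): avc: denied { sys_admin } for pid=991 comm="systemd-readahe" capability=21 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability',
    '[ 125.777189] systemd-readahead-collect[991]: Failed to create fanotify object: Operation not permitted',
    '[ 125.779187] systemd[1]: systemd-readahead-collect.service: main process exited, code=exited, status=1',
    'type=AVC msg=audit(1297185505.226:61): avc: denied { getattr } for pid=1284 comm="mount" path="/etc/mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1297185504.817:58): avc: denied { link } for pid=902 comm="plymouthd" name="boot.log" dev=sdd7 ino=656669 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]


def capability_name(num: int) -> str:
    """Map a capability number from an AVC record to its CAP_* name."""
    return CAP_NAMES[num] if 0 <= num < len(CAP_NAMES) else f"CAP_{num}"


def context_type(ctx: Optional[str]) -> Optional[str]:
    """Return the type field (third component) of a SELinux context string."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC denial; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    rec = {
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "source_type": context_type(fields.get("scontext")),
        "target_type": context_type(fields.get("tcontext")),
        # File-like objects carry path= or name=; capability checks carry neither.
        "target": fields.get("path") or fields.get("name"),
        "capability": None,
    }
    if rec["tclass"] == "capability" and "capability" in fields:
        rec["capability"] = capability_name(int(fields["capability"]))
    return rec


def analyze(lines: List[str]) -> List[Dict]:
    """Parse all AVC records and attach daemon messages logged by the same pid,
    which is the best available context when the audit log has no SYSCALL record."""
    records: List[Dict] = []
    daemon_msgs: Dict[int, List[str]] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            records.append(rec)
            continue
        dm = DAEMON_RE.match(line)
        if dm:
            daemon_msgs.setdefault(int(dm.group("pid")), []).append(dm.group("msg"))
    for rec in records:
        rec["program_messages"] = daemon_msgs.get(rec["pid"], [])
    return records


def describe(rec: Dict) -> str:
    """One-line human summary of a parsed denial."""
    what = rec["capability"] or rec["target"] or rec["tclass"]
    return (f"{rec['source_type']} ({rec['comm']}, pid {rec['pid']}) denied "
            f"{' '.join(rec['perms'])} on {rec['tclass']} {what}")


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LINES):
        print(describe(rec))
        for msg in rec["program_messages"]:
            print("    same pid logged:", msg)
```

Run against the sample, the first record comes out as `readahead_t (systemd-readahe, pid 991) denied sys_admin on capability CAP_SYS_ADMIN` with the fanotify failure attached, while the mount and plymouthd records resolve to their file targets with no capability. The pid join is deliberately loose (it only needs the daemon to log under the same pid the AVC reports), which is exactly the situation in this thread where ausearch showed no syscall record for readahead.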