Bug 683830

Summary: Selinux avc for systemd-tty-ask during boot
Product: [Fedora] Fedora Reporter: Bruno Wolff III <bruno>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dwalsh, johannbg, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.9.16-5.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-19 05:53:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Bruno Wolff III 2011-03-10 13:11:33 UTC 
Description of problem:
I get the following avc during boot (shows up in dmesg):
[   47.478675] type=1400 audit(1299761552.099:5): avc:  denied  { connectto } for  pid=1069 comm="systemd-tty-ask" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

It doesn't seem to block unlocking encrypted devices (though I am seeing random failures there still) as I see it both when unlocking succeeds and when it fails.

Version-Release number of selected component (if applicable):
systemd-20-1.fc15.i686

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2011-03-10 15:58:25 UTC 
type=AVC msg=audit(03/10/2011 07:52:32.099:5) : avc:  denied  { connectto } for  pid=1069 comm=systemd-tty-ask path=/org/freedesktop/plymouthd scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

Should we just allow this in SELinux?
Comment 2 Lennart Poettering 2011-03-11 23:50:46 UTC 
Yes, please. This is systemd trying to get a password from plymouth to use to decrypt a device.
Comment 3 Daniel Walsh 2011-03-14 19:36:30 UTC 
Fixed in selinux-policy-3.9.16-4.fc15
Comment 4 Fedora Update System 2011-03-17 15:28:19 UTC 
selinux-policy-3.9.16-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-5.fc15
Comment 5 Fedora Update System 2011-03-19 05:52:44 UTC 
selinux-policy-3.9.16-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.