| Summary: | SELinux is preventing systemd-kmsg-sy from 'open' accesses on the file comm. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andrew Ross <anross> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | dwalsh, mdoyle, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:96e23134e91c85b77acd0173214737fdee6372d1ed35a85d2e7a238468ed7124 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-07 13:56:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Andrew, are you seeing just this one AVC message? (In reply to comment #1) > Andrew, > are you seeing just this one AVC message? Looking back there are: read, open, getattr, search. SELinux is preventing systemd-kmsg-sy from read access on the file comm. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-kmsg-sy should be allowed read access on the comm file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-kmsg-sy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects comm [ file ] Source systemd-kmsg-sy Source Path systemd-kmsg-sy Port <Unknown> Host Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-6.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name Platform Linux 2.6.38.1-6.fc15.x86_64 #1 SMP Wed Mar 23 22:43:31 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Mon 28 Mar 2011 10:41:33 AM EST Last Seen Mon 28 Mar 2011 10:41:33 AM EST Local ID e6c15f20-207c-4142-b2cf-b9a9fb2a81cf Raw Audit Messages type=AVC msg=audit(1301272893.657:298): avc: denied { read } for pid=518 comm="systemd-kmsg-sy" name="comm" dev=proc ino=51525 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file Hash: systemd-kmsg-sy,syslogd_t,unconfined_t,file,read audit2allow #============= syslogd_t ============== allow syslogd_t unconfined_t:file read; audit2allow -R #============= syslogd_t ============== allow syslogd_t unconfined_t:file read; SELinux is preventing systemd-kmsg-sy from getattr access on the file /proc/<pid>/comm.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that systemd-kmsg-sy should be allowed getattr access on the comm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-kmsg-sy /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects /proc/<pid>/comm [ file ]
Source systemd-kmsg-sy
Source Path systemd-kmsg-sy
Port <Unknown>
Host
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.16-6.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name
Platform Linux
2.6.38.1-6.fc15.x86_64 #1 SMP Wed Mar 23 22:43:31
UTC 2011 x86_64 x86_64
Alert Count 1
First Seen Mon 28 Mar 2011 10:41:33 AM EST
Last Seen Mon 28 Mar 2011 10:41:33 AM EST
Local ID 29dd3864-0f41-4c2f-bb6f-6bf1caa37a78
Raw Audit Messages
type=AVC msg=audit(1301272893.659:300): avc: denied { getattr } for pid=518 comm="systemd-kmsg-sy" path="/proc/3642/comm" dev=proc ino=51525 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
Hash: systemd-kmsg-sy,syslogd_t,unconfined_t,file,getattr
audit2allow
#============= syslogd_t ==============
allow syslogd_t unconfined_t:file getattr;
audit2allow -R
#============= syslogd_t ==============
allow syslogd_t unconfined_t:file getattr;
SELinux is preventing systemd-kmsg-sy from search access on the directory 6B.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that systemd-kmsg-sy should be allowed search access on the 6B directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-kmsg-sy /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects 6B [ dir ]
Source systemd-kmsg-sy
Source Path systemd-kmsg-sy
Port <Unknown>
Host
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.16-6.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name
Platform Linux
2.6.38.1-6.fc15.x86_64 #1 SMP Wed Mar 23 22:43:31
UTC 2011 x86_64 x86_64
Alert Count 4
First Seen Mon 28 Mar 2011 07:02:20 AM EST
Last Seen Mon 28 Mar 2011 03:04:46 PM EST
Local ID 3a3bfb7e-b921-4382-84fd-976c02266243
Raw Audit Messages
type=AVC msg=audit(1301288686.941:729): avc: denied { search } for pid=518 comm="systemd-kmsg-sy" name="3642" dev=proc ino=51524 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
Hash: systemd-kmsg-sy,syslogd_t,unconfined_t,dir,search
audit2allow
#============= syslogd_t ==============
allow syslogd_t unconfined_t:dir search;
audit2allow -R
#============= syslogd_t ==============
allow syslogd_t unconfined_t:dir search;
This looks like it must be a test problem, Not sure how systemd-kmsg-syslog would still be running when an unconfined_t user is logged in. It looks like systemd-kmsg-syslog is reading comm out of /proc? *** Bug 694302 has been marked as a duplicate of this bug. *** |
SELinux is preventing systemd-kmsg-sy from 'open' accesses on the file comm. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-kmsg-sy should be allowed open access on the comm file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-kmsg-sy /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects comm [ file ] Source systemd-kmsg-sy Source Path systemd-kmsg-sy Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-6.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.38.1-6.fc15.x86_64 #1 SMP Wed Mar 23 22:43:31 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Mon 28 Mar 2011 10:41:33 AM EST Last Seen Mon 28 Mar 2011 10:41:33 AM EST Local ID b350c495-2994-49ae-a1f6-231b82a43c1a Raw Audit Messages type=AVC msg=audit(1301272893.657:299): avc: denied { open } for pid=518 comm="systemd-kmsg-sy" name="comm" dev=proc ino=51525 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file Hash: systemd-kmsg-sy,syslogd_t,unconfined_t,file,open audit2allow #============= syslogd_t ============== allow syslogd_t unconfined_t:file open; audit2allow -R #============= syslogd_t ============== allow syslogd_t unconfined_t:file open;