Bug 694739

Summary: SELinux is preventing /bin/systemctl from 'search' accesses on the directory 1.
Product: Fedora
Reporter: Maxim Prohorenko <maxim.prohorenko>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: adam.hough, dwalsh, hedayaty, jlaska, jstroehmann, mads, me, mgrepl, mhlavink, mschmidt
Keywords: Reopened
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:61104a4e7c27af0d76a31ca2757be355ed3fb67c1ec5fe909519b0903493512b
Fixed In Version: selinux-policy-3.9.16-21.fc15
Doc Type: Bug Fix
Last Closed: 2011-05-05 05:03:01 UTC

Description Maxim Prohorenko 2011-04-08 07:57:16 UTC
SELinux is preventing /bin/systemctl from 'search' accesses on the directory 1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemctl should be allowed search access on the 1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep telinit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                system_u:system_r:init_t:s0
Target Objects                1 [ dir ]
Source                        telinit
Source Path                   /bin/systemctl
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           systemd-units-24-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-12.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64
                              #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Птн 08 Апр 2011 03:16:46
Last Seen                     Птн 08 Апр 2011 03:16:46
Local ID                      0a3ca729-55d1-4311-8372-d8ac39905597

Raw Audit Messages
type=AVC msg=audit(1302218206.356:782): avc:  denied  { search } for  pid=29577 comm="telinit" name="1" dev=proc ino=6005 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir


type=AVC msg=audit(1302218206.356:782): avc:  denied  { read } for  pid=29577 comm="telinit" name="root" dev=proc ino=1334681 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file


type=AVC msg=audit(1302218206.356:782): avc:  denied  { read } for  pid=29577 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file


type=SYSCALL msg=audit(1302218206.356:782): arch=x86_64 syscall=stat success=yes exit=0 a0=41f7bc a1=7fffeabe2c60 a2=7fffeabe2c60 a3=3 items=0 ppid=28601 pid=29577 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=93 comm=telinit exe=/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Hash: telinit,prelink_cron_system_t,init_t,dir,search

audit2allow

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t init_t:dir search;
allow prelink_cron_system_t init_t:file read;
allow prelink_cron_system_t init_t:lnk_file read;

audit2allow -R

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t init_t:dir search;
allow prelink_cron_system_t init_t:file read;
allow prelink_cron_system_t init_t:lnk_file read;

Comment 1 Daniel Walsh 2011-04-08 18:29:21 UTC
Fixed in  selinux-policy-3.9.16-13.fc15

Comment 2 Fedora Update System 2011-04-11 20:37:59 UTC
selinux-policy-3.9.16-14.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-14.fc15

Comment 3 Fedora Update System 2011-04-13 04:53:23 UTC
Package selinux-policy-3.9.16-14.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-14.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-14.fc15
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-04-13 19:48:01 UTC
selinux-policy-3.9.16-15.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-15.fc15

Comment 5 Fedora Update System 2011-04-15 21:31:25 UTC
selinux-policy-3.9.16-15.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Michal Hlavinka 2011-04-27 12:01:55 UTC
I just got this denial, but I have selinux-policy-3.9.16-15.fc15 installed already

Comment 7 Daniel Walsh 2011-04-27 12:32:39 UTC
Please show us the actual avc

ausearch -m avc -ts recent

Also, if you run the AVC through audit2allow, what does it say?

ausearch -m avc -ts recent | audit2allow

Comment 8 Michal Hlavinka 2011-04-27 12:44:30 UTC
It returns just <no match>.

Looking at the man page, I've replaced 'recent' (10 minutes) with 'today':

# ausearch -m avc -ts today 
time->Wed Apr 27 03:28:52 2011
type=SYSCALL msg=audit(1303867732.377:1126): arch=c000003e syscall=4 success=yes exit=0 a0=41fd14 a1=7fffad7dd280 a2=7fffad7dd280 a3=3 items=0 ppid=1936 pid=8197 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=131 comm="telinit" exe="/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { read } for  pid=8197 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { read } for  pid=8197 comm="telinit" name="root" dev=proc ino=17538341 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { search } for  pid=8197 comm="telinit" name="1" dev=proc ino=8349 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
----
time->Wed Apr 27 13:04:26 2011
type=SYSCALL msg=audit(1303902266.590:1299): arch=c000003e syscall=137 success=yes exit=0 a0=e87640 a1=7fff570d8130 a2=3cf3716628 a3=7fff570d7eb0 items=0 ppid=18004 pid=18005 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=109 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1303902266.590:1299): avc:  denied  { read } for  pid=18005 comm="gnome-keyring-d" name=".cache" dev=sdb2 ino=1831502 scontext=unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=lnk_file


===============================================
# ausearch -m avc -ts today | audit2allow
libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 to sid


#============= prelink_cron_system_t ==============
allow prelink_cron_system_t init_t:dir search;
allow prelink_cron_system_t init_t:file read;
allow prelink_cron_system_t init_t:lnk_file read;


=======================================================

Looking at the setroubleshoot report, there is:

SELinux is preventing /bin/systemctl from search access on the directory 1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemctl should be allowed search access on the 1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep telinit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                system_u:system_r:init_t:s0
Target Objects                1 [ dir ]
Source                        telinit
Source Path                   /bin/systemctl
Port                          <Unknown>
Host                          krles.brq.redhat.com
Source RPM Packages           systemd-units-25-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     krles.brq.redhat.com
Platform                      Linux krles.brq.redhat.com 2.6.38.2-14.fc15.x86_64
                              #1 SMP Mon Apr 11 23:50:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 27 Apr 2011 03:28:52 AM CEST
Last Seen                     Wed 27 Apr 2011 03:28:52 AM CEST
Local ID                      91d0da69-1896-4ec0-9616-af7dbaec682a

Raw Audit Messages
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { search } for  pid=8197 comm="telinit" name="1" dev=proc ino=8349 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir


type=AVC msg=audit(1303867732.377:1126): avc:  denied  { read } for  pid=8197 comm="telinit" name="root" dev=proc ino=17538341 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file


type=AVC msg=audit(1303867732.377:1126): avc:  denied  { read } for  pid=8197 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file


type=SYSCALL msg=audit(1303867732.377:1126): arch=x86_64 syscall=stat success=yes exit=0 a0=41fd14 a1=7fffad7dd280 a2=7fffad7dd280 a3=3 items=0 ppid=1936 pid=8197 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=131 comm=telinit exe=/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Hash: telinit,prelink_cron_system_t,init_t,dir,search

audit2allow

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t init_t:dir search;
allow prelink_cron_system_t init_t:file read;
allow prelink_cron_system_t init_t:lnk_file read;

audit2allow -R

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t init_t:dir search;
allow prelink_cron_system_t init_t:file read;
allow prelink_cron_system_t init_t:lnk_file read;

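As an added illustration of the `ausearch -m avc -ts today | audit2allow` step in Comments 7 and 8 (example code, not part of this bug report and not audit2allow's own implementation), the following Python groups the raw AVC records quoted above into allow rules in the form audit2allow prints them. The `known_types` filter is an assumed simplification: real audit2allow validates each context against the loaded policy through libsepol, which is why the staff_gkeyringd_t record above was rejected.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records of event 1303867732.377:1126 from
# this bug, plus the gnome-keyring record that libsepol rejected.
SAMPLE_AVCS = """\
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { read } for  pid=8197 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { read } for  pid=8197 comm="telinit" name="root" dev=proc ino=17538341 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
type=AVC msg=audit(1303867732.377:1126): avc:  denied  { search } for  pid=8197 comm="telinit" name="1" dev=proc ino=8349 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1303902266.590:1299): avc:  denied  { read } for  pid=18005 comm="gnome-keyring-d" name=".cache" dev=sdb2 ino=1831502 scontext=unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=lnk_file
"""

# Pull the permission set, source/target contexts and object class out of one record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type[:range] -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(text, known_types=None):
    """Merge denials per (source, target, class) into allow rules.
    known_types is an assumed stand-in for the policy check libsepol performs:
    records naming a type outside it are skipped and returned separately."""
    grouped = defaultdict(set)
    skipped = []
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if known_types is not None and (stype not in known_types or ttype not in known_types):
            skipped.append(line)
            continue
        grouped[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules, skipped
```

With `known_types={"prelink_cron_system_t", "init_t"}` the output is exactly the three `allow prelink_cron_system_t init_t:...` lines shown in Comment 8, and the gnome-keyring record lands in the skipped list.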
Comment 9 Daniel Walsh 2011-04-28 13:00:24 UTC
Miroslav, it looks like we need to add

		ps_process_pattern($1, init_t)

to init_telinit

Comment 10 Daniel Walsh 2011-04-28 13:04:20 UTC
Fixed in selinux-policy-3.9.16-19.fc15

Comment 11 Fedora Update System 2011-05-02 10:57:06 UTC
selinux-policy-3.9.16-21.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-21.fc15

Comment 12 Fedora Update System 2011-05-03 04:28:48 UTC
Package selinux-policy-3.9.16-21.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-21.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-21.fc15
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2011-05-05 05:02:23 UTC
selinux-policy-3.9.16-21.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.