Bug 701461
Summary: Couldn't find an alternative telinit implementation to spawn.
Product: [Fedora] Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Orion Poplawski <orion>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, johannbg, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba, rtguille, udovdh
Keywords: Reopened
Fixed In Version: selinux-policy-3.9.16-23.fc15
Doc Type: Bug Fix
Last Closed: 2011-06-12 08:50:28 UTC

Description
Orion Poplawski
2011-05-02 22:20:34 UTC

Do you have SELinux in enforcing mode? Are there any AVC denials? Is it reproducible with permissive mode? (Running a custom kernel without CONFIG_CGROUPS would also explain that, but I'm assuming you're not doing this.)

Never mind. I can reproduce it. It is the SELinux policy. systemctl (aka. telinit) run from /etc/cron.daily/prelink (prelink_cron_system_t) needs to be able to do this to successfully detect systemd:

lstat("/sys/fs/cgroup", &a);
lstat("/sys/fs/cgroup/systemd", &b);

I had to disable dontaudit rules to see the denials:

----
time->Tue May 3 17:01:02 2011
type=PATH msg=audit(1304434862.800:267): item=0 name="/sys/fs/cgroup" inode=7178 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0
type=CWD msg=audit(1304434862.800:267): cwd="/root"
type=SYSCALL msg=audit(1304434862.800:267): arch=c000003e syscall=6 success=yes exit=0 a0=41f749 a1=7fff5ad21960 a2=7fff5ad21960 a3=7fff5ad216e0 items=1 ppid=13492 pid=13494 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="telinit" exe="/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1304434862.800:267): avc: denied { getattr } for pid=13494 comm="telinit" path="/sys/fs/cgroup" dev=tmpfs ino=7178 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1304434862.800:267): avc: denied { search } for pid=13494 comm="telinit" name="/" dev=sysfs ino=1 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Tue May 3 17:01:02 2011
type=PATH msg=audit(1304434862.808:268): item=0 name="/sys/fs/cgroup/systemd" inode=7182 dev=00:14 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0
type=CWD msg=audit(1304434862.808:268): cwd="/root"
type=SYSCALL msg=audit(1304434862.808:268): arch=c000003e syscall=6 success=yes exit=0 a0=42133b a1=7fff5ad219f0 a2=7fff5ad219f0 a3=7fff5ad216e0 items=1 ppid=13492 pid=13494 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="telinit" exe="/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1304434862.808:268): avc: denied { search } for pid=13494 comm="telinit" name="/" dev=tmpfs ino=7178 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----

selinux-policy-3.9.16-21.fc15.noarch

Fixed in selinux-policy-3.9.16-22.fc15

selinux-policy-3.9.16-23.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-23.fc15

I noticed it today, but in my case SELinux is in Permissive mode. I got 'mail' regarding anacron and prelink.

selinux-policy.noarch 3.9.16-21.fc15 @updates-testing
selinux-policy-targeted.noarch 3.9.16-21.fc15 @updates-testing

Package selinux-policy-3.9.16-23.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-23.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-23.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-23.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Selinux not in use here.

& 68
Message 68:
From root Sat Jun 11 03:52:32 2011
Return-Path: <root>
Date: Sat, 11 Jun 2011 03:52:32 +0200
From: Anacron <root>
To: root
Content-Type: text/plain; charset="ANSI_X3.4-1968"
Subject: Anacron job 'cron.daily' on epia
Status: R

/etc/cron.daily/prelink:

Couldn't find an alternative telinit implementation to spawn.

&

If SELinux is disabled, it cannot be the same bug. Please open a new one and report the output of:
stat /sys/fs/cgroup /sys/fs/cgroup/systemd

The message was the same. How would I know the cause. It also says this when doing `init 3` while running single user.

Do not reopen this bug. Please read comment #9 again.

Nice way of explaining why one cause one fix should still be valid in the 21st century.
see https://bugzilla.redhat.com/show_bug.cgi?id=712663 and fix that with selinux.
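
The three AVC denials quoted in this report, reduced to the access each one represents. This is an added example, not part of the original bug comments or of the policy change that shipped; `parse_avcs`, `summarize` and `as_rules` are hypothetical helper names, and the audit2allow-style lines are a reading aid for what was denied, not the fix made in selinux-policy-3.9.16-23.fc15.

```python
import re
from collections import defaultdict

# The three AVC records quoted in this bug report, one per line as auditd writes them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1304434862.800:267): avc: denied { getattr } for pid=13494 comm="telinit" path="/sys/fs/cgroup" dev=tmpfs ino=7178 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1304434862.800:267): avc: denied { search } for pid=13494 comm="telinit" name="/" dev=sysfs ino=1 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1304434862.808:268): avc: denied { search } for pid=13494 comm="telinit" name="/" dev=tmpfs ino=7178 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""

# One denial: the permission set, then key=value fields up to and including tclass.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?\btclass=\w+)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avcs(text):
    """Yield one dict per AVC denial; works on per-line or run-together records."""
    for perms, rest in AVC_RE.findall(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # malformed record: skip rather than guess
        yield {
            "perms": perms.split(),
            "comm": fields.get("comm"),
            # An SELinux context is user:role:type:level; the type is the third field.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }


def summarize(text):
    """Merge denials into {(source_type, target_type, class): sorted permissions}."""
    grouped = defaultdict(set)
    for rec in parse_avcs(text):
        grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_rules(summary):
    """Render the summary as audit2allow-style lines (a reading aid only)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE_AUDIT))))
```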