Bug 702889
Summary: | SELinux is preventing /bin/systemctl from 'read' accesses on the directory system. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | cyrushmh <cyrusyzgtt> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 15 | CC: | ajaypanwarxxx, amit.shah, antlvk, anto.trande, aud10junk13, baumanmo, ch.rohr, dwalsh, ehabkost, g_harika, hedayatv, icj, jamisonm, jan, jkittsmiller2, jlbouras, jon+bugzilla.redhat.com, joostvandorp, joshua, kage52124, mgrepl, mikhail.v.gavrilov, mnowak, mr.ryansilalahi, mvadkert, new2009.net, ravanhagen, renich, rosset.filipe, simone.deponti, sotelo_123456, stephent98, varunaseneviratna |
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:25a9767473d1a2b3273cec7f4821ea97e5fdb94cd4b6d4dc2180232568c6bb91 | ||
Fixed In Version: | selinux-policy-3.9.16-24.fc15 | Doc Type: | Bug Fix |
Last Closed: | 2011-05-25 03:29:53 UTC | Type: | --- |
Description
cyrushmh
2011-05-08 03:34:02 UTC
Same bug here. Exact repro steps: System Settings -> Date and time -> Enable network time

During boot-up I have to hit any key continuously for my system to boot, once the system is booted the screen will not blank on idle like it is supposed to and the clock will not keep time, shutdown and suspend also require hitting of keys on the keyboard to complete.. Kernel 2.6.38.5-24

gnomeclock_systemctl_t domain is permissive domain which means it should work. From the raw AVC msg success=yes

These avcs are not being denied since the gnomeclock_systemctl_t is a permissive domain.

type=SYSCALL msg=audit(1304803689.358:222): arch=x86_64 syscall=open success=yes exit=EINTR a0=168d690 a1=90800 a2=35b8599230 a3=0 items=0 ppid=6454 pid=6473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 key=(null)

If you look at the AVC you will see success=yes, which means the open syscall was successful even though the AVC was denied. The machine not suspending is probably not related to this AVC. I added the policy to allow gnomeclock_sysctl to list /run directory. It should be in the next policy release.

Fixed in selinux-policy-3.9.16-24.fc15

It'll suspend I just have to hit a key (any key) 3 times to get it to..

Sorry for posting this here, but I just found this and a slew of other fixes in the change log for the 2.6.38.6 kernel at kernel.org, maybe someone could forward this information to the Fedora kernel maintainers..

commit 15f0758f185241ad9c358a5bf60ff0a21eccc218
Author: Boris Ostrovsky <ostr>
Date: Fri Apr 29 17:47:43 2011 -0400

    x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors

    commit e20a2d205c05cef6b5783df339a7d54adeb50962 upstream.

    Older AMD K8 processors (Revisions A-E) are affected by erratum 400 (APIC timer interrupts don't occur in C states greater than C1). This, for example, means that X86_FEATURE_ARAT flag should not be set for these parts.

    This addresses regression introduced by commit b87cf80af3ba4b4c008b4face3c68d604e1715c6 ("x86, AMD: Set ARAT feature on AMD processors") where the system may become unresponsive until external interrupt (such as keyboard input) occurs. This results, for example, in time not being reported correctly, lack of progress on the system and other lockups.

    Reported-by: Joerg-Volker Peetz <jvpeetz>
    Tested-by: Joerg-Volker Peetz <jvpeetz>
    Acked-by: Borislav Petkov <borislav.petkov>
    Signed-off-by: Boris Ostrovsky <Boris.Ostrovsky>
    Link: http://lkml.kernel.org/r/1304113663-6586-1-git-send-email-ostr@amd64.org
    Signed-off-by: Ingo Molnar <mingo>
    Signed-off-by: Greg Kroah-Hartman <gregkh>

It was a regression after all...

selinux-policy-3.9.16-24.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15

Package selinux-policy-3.9.16-24.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-24.fc15'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-24.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
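The success=yes reasoning in this thread can be applied mechanically by pairing each AVC record with the SYSCALL record that shares its audit event id; the sketch below also goes one step further and honours the permissive= field that later kernels add to AVC records. It is an added example, not part of the bug report or of any Fedora tool: only the shortened SYSCALL record of event 222 comes from the report, while the AVC lines, event 223 and the names example_t, example_daemon_t and exampled are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the SYSCALL record of event 222 is shortened from the one quoted
# in the report; both AVC records, event 223 and every "example" name are made up.
SAMPLE = """\
type=AVC msg=audit(1304803689.358:222): avc:  denied  { read } for  pid=6473 comm="systemctl" name="system" dev=tmpfs ino=1234 scontext=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_t:s0 tclass=dir
type=SYSCALL msg=audit(1304803689.358:222): arch=x86_64 syscall=open success=yes exit=EINTR ppid=6454 pid=6473 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023
type=AVC msg=audit(1304803700.100:223): avc:  denied  { read } for  pid=6500 comm="exampled" name="system" dev=tmpfs ino=1234 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir
type=SYSCALL msg=audit(1304803700.100:223): arch=x86_64 syscall=open success=no exit=-13 ppid=1 pid=6500 comm=exampled exe=/usr/sbin/exampled subj=system_u:system_r:example_daemon_t:s0
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def triage(log_text):
    """Group records by audit event id and decide whether each AVC denial blocked anything."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            denied = DENIED.search(body)
            if not denied:
                continue  # "granted" records are not denials
            fields["perms"] = denied.group(1).split()
        events[event_id][rtype] = fields  # if an event has several AVCs, the last one wins
    results = {}
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        if avc.get("permissive") == "1" or sc.get("success") == "yes":
            verdict = "logged-only"   # permissive domain or mode: access went through
        elif sc.get("success") == "no" and sc.get("exit") in ("-13", "EACCES"):
            verdict = "enforced"      # the syscall failed with EACCES
        else:
            verdict = "inconclusive"  # no paired SYSCALL, or it failed for another reason
        domain = avc["scontext"].split(":")[2]
        results[event_id] = (domain, avc["perms"], avc["tclass"], verdict)
    return results

if __name__ == "__main__":
    for event_id, result in triage(SAMPLE).items():
        print(event_id, *result)
```

A "logged-only" verdict means the denial did not cause the observed failure, which matches the thread's conclusion that the hang had a different cause.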