| Summary: | SELinux is preventing /bin/bash from 'read' accesses on the lnk_file stderr. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Thomas Meyer <thomas.mey> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl, thomas.mey |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:cf64160432ccc3a53898b153470390d648c53ece8ffecec8fdef1534ea47701a | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-07 14:20:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Looks like your /dev is mislabeled. # ls -dZ Is this a fresh install? Are you fully updated? # rpm -q systemd (In reply to comment #1) > Looks like your /dev is mislabeled. > > # ls -dZ $ ls -dZ /dev/ drwxr-xr-x. root root system_u:object_r:device_t:s0 /dev/ > > Is this a fresh install? This is a Fedora 14 system, that was upgraded via Fedora 15 DVD. One exception: I'm using a self-compiled kernel 2.6.39. > Are you fully updated? > > # rpm -q systemd $ rpm -q systemd systemd-26-2.fc15.x86_64 find /dev -type l -context "*:tmpfs_t:*" $ find /dev -type l -context "*:tmpfs_t:*" /dev/fb /dev/systty /dev/core /dev/stderr /dev/stdout /dev/stdin /dev/fd $ ls -dZ /dev/fb lrwxrwxrwx. root root system_u:object_r:tmpfs_t:s0 /dev/fb -> fb0 Thomas does this happen on each reboot? I just got this selinux alert once. otherwise I didn't reboot this machine for four days. Ok, could you try to reboot. The problem should go away with this systemd release. Hi, This error seems to occur every time I open the firewall configuration GUI in Fedora 15. I did open some ports. And are you getting the same AVC? |
SELinux is preventing /bin/bash from 'read' accesses on the lnk_file stderr. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that bash should be allowed read access on the stderr lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep service /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:firewallgui_t:s0-s0:c0.c1023 Target Context system_u:object_r:tmpfs_t:s0 Target Objects stderr [ lnk_file ] Source service Source Path /bin/bash Port <Unbekannt> Host (removed) Source RPM Packages bash-4.2.10-2.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-24.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.39 #1 SMP PREEMPT Thu May 19 18:41:05 CEST 2011 x86_64 x86_64 Alert Count 17 First Seen Mo 30 Mai 2011 21:20:16 CEST Last Seen Mo 30 Mai 2011 21:32:27 CEST Local ID 795609fa-aa88-4a6d-947a-5df764590183 Raw Audit Messages type=AVC msg=audit(1306783947.396:582): avc: denied { read } for pid=32626 comm="service" name="stderr" dev=tmpfs ino=2194 scontext=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1306783947.396:582): arch=x86_64 syscall=stat success=no exit=EACCES a0=8f6c70 a1=7fff2bf5f300 a2=7fff2bf5f300 a3=8 items=0 ppid=32625 pid=32626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=service exe=/bin/bash subj=system_u:system_r:firewallgui_t:s0-s0:c0.c1023 key=(null) Hash: service,firewallgui_t,tmpfs_t,lnk_file,read audit2allow #============= firewallgui_t ============== allow firewallgui_t tmpfs_t:lnk_file read; audit2allow -R #============= firewallgui_t ============== allow firewallgui_t tmpfs_t:lnk_file read;