Bug 732719

Summary: avcs for systemd-logind and /etc/systemd/systemd-logind.conf
Product: [Fedora] Fedora
Reporter: Mads Kiilerich <mads>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dwalsh, satellitgo
Fixed In Version: selinux-policy-3.10.0-21.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-07 03:19:57 UTC
Attachments: dmesg

Description Mads Kiilerich 2011-08-23 11:33:28 UTC
With:
selinux-policy-targeted-3.10.0-18.fc16.noarch
systemd-33-2.fc16.x86_64
I get:
[   26.411505] type=1400 audit(1314094042.821:4): avc:  denied  { read } for  pid=1041 comm="systemd-logind" name="systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   26.411626] type=1400 audit(1314094042.821:5): avc:  denied  { open } for  pid=1041 comm="systemd-logind" name="systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   26.411808] type=1400 audit(1314094042.821:6): avc:  denied  { getattr } for  pid=1041 comm="systemd-logind" path="/etc/systemd/systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file

It seems to be genuine missing support for new behaviour.

I wonder why setroubleshoot didn't catch this - did it happen too early in the boot process?

Comment 1 Mads Kiilerich 2011-08-23 11:35:17 UTC
Created attachment 519440
dmesg

Comment 2 Miroslav Grepl 2011-08-23 13:20:26 UTC
Dan, 
we have

/etc/systemd /lib/systemd

We might want to change it to 

/etc/systemd/system /lib/systemd

Comment 3 Daniel Walsh 2011-08-24 02:54:48 UTC
selinux-policy-3.10.0-20.fc16

Has

/etc/systemd/system /lib/systemd/system

Comment 4 Fedora Update System 2011-08-24 11:39:13 UTC
selinux-policy-3.10.0-21.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-21.fc16

Comment 5 Fedora Update System 2011-08-24 22:46:10 UTC
Package selinux-policy-3.10.0-21.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-21.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-21.fc16
then log in and leave karma (feedback).

Comment 6 Mads Kiilerich 2011-08-26 17:04:22 UTC
_not_ fixed by 3.10.0-21:

[   26.451472] type=1400 audit(1314377901.250:12): avc:  denied  { read } for  pid=999 comm="systemd-logind" name="systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   26.451597] type=1400 audit(1314377901.250:13): avc:  denied  { open } for  pid=999 comm="systemd-logind" name="systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   26.452104] type=1400 audit(1314377901.251:14): avc:  denied  { getattr } for  pid=999 comm="systemd-logind" path="/etc/systemd/systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file

selinux-policy-targeted-3.10.0-21.fc16.noarch
systemd-33-2.fc16.x86_64

(on an installed system - no livecd issues involved)

Comment 7 Daniel Walsh 2011-08-26 17:53:00 UTC
matchpathcon /etc/systemd/systemd-logind.conf 
/etc/systemd/systemd-logind.conf	system_u:object_r:etc_t:s0


restorecon -R -v /etc/systemd

Comment 8 Mads Kiilerich 2011-08-26 17:59:38 UTC
Right:

[root@imac ~]# matchpathcon -V /etc/systemd/systemd-logind.conf
/etc/systemd/systemd-logind.conf has context system_u:object_r:init_exec_t:s0, should be system_u:object_r:etc_t:s0

[root@imac ~]# restorecon -R -v /etc/systemd
restorecon reset /etc/systemd context system_u:object_r:lib_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/systemd/systemd-logind.conf context system_u:object_r:init_exec_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/systemd/user context system_u:object_r:lib_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/systemd/user.conf context system_u:object_r:init_exec_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/systemd/system.conf context system_u:object_r:init_exec_t:s0->system_u:object_r:etc_t:s0

I relabeled the whole system yesterday, so some package updates introduced this inconsistency.

I will reboot and verify the avc has gone.

Comment 9 Daniel Walsh 2011-08-26 18:06:26 UTC
There was a bug in the labeling of /etc/systemd before -21. This has been fixed, but the package was not smart enough to fix the labelling problem.
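
The triage carried out in comments 7 to 9, as an added example that is not part of the original report or of any Fedora tooling: it merges AVC denials per target file (read/open records only carry name=, so the path is recovered through dev and ino) and compares the label in the denial with the expected label in `matchpathcon <path>` output form. The first three log lines are the ones quoted in this report; the fourth line, the `exampled_t` domain and `/etc/example.conf` are constructed assumptions for contrast.

```python
import re

# Lines 1-3 are the denials quoted in this report; line 4 is a constructed
# contrast case (hypothetical domain "exampled_t" and path /etc/example.conf).
AVC_LOG = '''\
[   26.411505] type=1400 audit(1314094042.821:4): avc:  denied  { read } for  pid=1041 comm="systemd-logind" name="systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   26.411626] type=1400 audit(1314094042.821:5): avc:  denied  { open } for  pid=1041 comm="systemd-logind" name="systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   26.411808] type=1400 audit(1314094042.821:6): avc:  denied  { getattr } for  pid=1041 comm="systemd-logind" path="/etc/systemd/systemd-logind.conf" dev=dm-1 ino=156886 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
[   30.000000] type=1400 audit(1314094046.000:9): avc:  denied  { write } for  pid=2000 comm="exampled" path="/etc/example.conf" dev=dm-1 ino=4242 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''
# Expected labels in `matchpathcon <path>` output form (path, whitespace, context).
EXPECTED = '''\
/etc/systemd/systemd-logind.conf\tsystem_u:object_r:etc_t:s0
/etc/example.conf\tsystem_u:object_r:etc_t:s0
'''
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(log):
    """Yield one dict per AVC denial: its key=value fields plus a 'perms' list."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
            rec['perms'] = m.group('perms').split()
            yield rec

def triage(log, expected):
    """Merge denials per target object and compare its label with the expected one."""
    want = dict(line.split() for line in expected.splitlines() if line.strip())
    recs = list(parse_avc(log))
    # read/open records carry only name=; recover the path from a record with the same (dev, ino).
    paths = {(r.get('dev'), r.get('ino')): r['path'] for r in recs if 'path' in r}
    report = {}
    for r in recs:
        path = paths.get((r.get('dev'), r.get('ino')), r.get('name', '?'))
        e = report.setdefault(path, {'perms': set(), 'tcontext': r['tcontext']})
        e['perms'].update(r['perms'])
        if path not in want:
            e['verdict'] = 'unknown'      # no expected label supplied for this path
        elif want[path] != e['tcontext']:
            e['verdict'] = 'mislabeled'   # wrong label on disk: restorecon, not a policy change
        else:
            e['verdict'] = 'label-ok'     # label as expected: the policy lacks the rule
    return report

if __name__ == '__main__':
    for path, e in triage(AVC_LOG, EXPECTED).items():
        print(path, sorted(e['perms']), e['tcontext'], e['verdict'])
```

A 'mislabeled' verdict is the situation in this bug, where the denials looked like missing policy but the file carried a stale label.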

Comment 10 Mads Kiilerich 2011-08-26 19:04:55 UTC
Ok, confirmed ... assuming "real" updates directly from f15 without intermediate steps is handled correctly.

Comment 11 Fedora Update System 2011-09-07 03:19:22 UTC
selinux-policy-3.10.0-21.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.