Bug 739599

Summary: SELinux is preventing /bin/systemctl from 'search' accesses on the directory 768.
Product: [Fedora] Fedora Reporter: Stanislav Graf <sgraf>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:b72361b8fc7f808240a13643ea17d9b75d546658d618849f920c99e8345d0014
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-26 13:57:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stanislav Graf 2011-09-19 15:41:06 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc6.git0.3.fc16.x86_64
reason:         SELinux is preventing /bin/systemctl from 'search' accesses on the directory 768.
time:           Mon Sep 19 17:40:41 2011

description:
:In 'System settings' click on 'Date and time' icon and following SELinux alert is generated:
:
:SELinux is preventing /bin/systemctl from 'search' accesses on the directory 768.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that systemctl should be allowed search access on the 768 directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.
:                              c1023
:Target Context                system_u:system_r:chronyd_t:s0
:Target Objects                768 [ dir ]
:Source                        systemctl
:Source Path                   /bin/systemctl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           systemd-units-35-1.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-28.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.1.0-0.rc6.git0.3.fc16.x86_64 #1 SMP Fri Sep 16
:                              12:26:22 UTC 2011 x86_64 x86_64
:Alert Count                   4
:First Seen                    Mon 19 Sep 2011 05:38:14 PM CEST
:Last Seen                     Mon 19 Sep 2011 05:39:30 PM CEST
:Local ID                      a77517c8-0780-49be-a8ac-277f358b6fb3
:
:Raw Audit Messages
:type=AVC msg=audit(1316446770.35:154): avc:  denied  { search } for  pid=3259 comm="systemctl" name="768" dev=proc ino=14675 scontext=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chronyd_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1316446770.35:154): arch=x86_64 syscall=open success=no exit=EACCES a0=1e91130 a1=80000 a2=1b6 a3=0 items=0 ppid=3239 pid=3259 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 key=(null)
:
:Hash: systemctl,gnomeclock_systemctl_t,chronyd_t,dir,search
:
:audit2allow
:
:#============= gnomeclock_systemctl_t ==============
:allow gnomeclock_systemctl_t chronyd_t:dir search;
:
:audit2allow -R
:
:#============= gnomeclock_systemctl_t ==============
:allow gnomeclock_systemctl_t chronyd_t:dir search;
:

Comment 1 Daniel Walsh 2011-09-19 16:06:37 UTC
Fixed in  selinux-policy-3.10.0-31.fc16

Comment 2 Stanislav Graf 2011-09-26 09:41:05 UTC
Repaired, thanks.

[root@localhost ~]$ rpm -q selinux-policy
selinux-policy-3.10.0-32.fc16.noarch
[11:38:12] ecode=0