Bug 748921 (selinux_systemctl)
Summary: | SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jeremy <jeremy.shimko> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 16 | CC: | 306power, andreinglisemail, awilliam, chrissharp09, christian.joensson, cra, daniel.distler, dario.soto, dev, dominick.grift, dwalsh, el, ezzughayyar, icj, jonathanjstevens, jsmith.fedora, luya, mgrepl, mishu, mjw, orion520a, pfrields, req1348, sandro, sgraf, social, stabone, thomas, watzkej, web582, witte2008 |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:9141bf342b348e9456eaf5fccd06307daa9679132f65df646fac4ec6f866c021 RejectedBlocker RejectedNTH | | |
Fixed In Version: | selinux-policy-3.10.0-55.fc16 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-11-10 17:30:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jeremy
2011-10-25 15:09:21 UTC
I've also seen this with a fresh F16 Final TC3 Live Desktop installation. After installation, I rebooted, did the firstboot stuff, logged in, clicked around a little (including the Gnome Shell's panel clock). I think this AVC came up by clicking "Date and Time Settings" below the calendar that's shown as part of the panel clock.

Fixed in selinux-policy-3.10.0-52.fc16

Opened Date and Time Settings.

Possible blocker under: http://fedoraproject.org/wiki/QA:Testcase_desktop_panel_basic
"No crashes should occur in any item of the default panel configuration upon basic interaction"

Or rather a possible blocker under this one: https://fedoraproject.org/wiki/QA:Testcase_desktop_panel_advanced
"No crashes should occur in any item of the default panel configuration upon typical interaction"

(In reply to comment #2)
> Fixed in selinux-policy-3.10.0-52.fc16
I did a full relabel/reboot after installing this, and it does not fix the problem for me. I still see the AVC when opening Date and Time Settings, reproducible every single time.
selinux-policy-3.10.0-52.fc16.noarch
selinux-policy-targeted-3.10.0-52.fc16.noarch

The SELinux alert happens, but this doesn't crash the applet for me. I'm still able to perform the app functions such as setting the timezone, display, and network time subscription.

Fixed in selinux-policy-3.10.0-53.fc16

if it's not a crash, it's not a blocker. -1.
--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Discussed at 2011-10-31 QA meeting acting as blocker review meeting. Agreed that as it doesn't cause the app to crash or fail this does not meet the criterion cited, and as it doesn't happen just when you boot up, it doesn't meet the 'no AVCs on boot' criterion either. As it requires an selinux-policy update to fix and those are dangerous, we also won't take it as NTH, we think it's best just to fix with a post-release update.
--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

I agree, and it does not block the resetting of the clock either, so it really is a nuisance AVC. I am sure we will have the first update ready to go after F16 ships.

selinux-policy-3.10.0-55.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-55.fc16

When I try the solution given:
"You should report this as a bug. You can generate a local policy module to allow this access. Allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp"
... I get this very similar bug: https://bugzilla.redhat.com/show_bug.cgi?id=752145

*** Bug 752145 has been marked as a duplicate of this bug. ***

Looks like this is all fixed in selinux-policy-3.10.0-55.fc16

*** Bug 752202 has been marked as a duplicate of this bug. ***

Yes, it should be definitely fixed.

selinux-policy-3.10.0-55.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 753081 has been marked as a duplicate of this bug. ***

*** Bug 753082 has been marked as a duplicate of this bug. ***

selinux-policy-3.10.0-55.fc16 was in the updates and applied on this machine. The issue seems to be resolved. Thanks for fixing that so quickly. :)