Bug 748921 (selinux_systemctl)

Summary: SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
Product: Fedora
Reporter: Jeremy <jeremy.shimko>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: 306power, andreinglisemail, awilliam, chrissharp09, christian.joensson, cra, daniel.distler, dario.soto, dev, dominick.grift, dwalsh, el, ezzughayyar, icj, jonathanjstevens, jsmith.fedora, luya, mgrepl, mishu, mjw, orion520a, pfrields, req1348, sandro, sgraf, social, stabone, thomas, watzkej, web582, witte2008
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:9141bf342b348e9456eaf5fccd06307daa9679132f65df646fac4ec6f866c021 RejectedBlocker RejectedNTH
Fixed In Version: selinux-policy-3.10.0-55.fc16
Doc Type: Bug Fix
Last Closed: 2011-11-10 17:30:03 UTC

Description Jeremy 2011-10-25 15:09:21 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc10.git0.1.fc16.x86_64
reason:         SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
time:           Tue Oct 25 11:09:05 2011

description:
SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemctl should be allowed read access on the cgroup.procs file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                cgroup.procs [ file ]
Source                        systemctl
Source Path                   /bin/systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-37-2.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-46.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fed-lap 3.1.0-0.rc10.git0.1.fc16.x86_64 #1 SMP Wed Oct 19 05:02:17 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 25 Oct 2011 02:32:35 PM EDT
Last Seen                     Tue 25 Oct 2011 02:32:35 PM EDT
Local ID                      ed6b60b1-5d12-496b-b837-89de08ff974b

Raw Audit Messages
type=AVC msg=audit(1319567555.312:61): avc:  denied  { read } for  pid=2178 comm="systemctl" name="cgroup.procs" dev=cgroup ino=16437 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=SYSCALL msg=audit(1319567555.312:61): arch=x86_64 syscall=open success=no exit=EACCES a0=7250b0 a1=80000 a2=1b6 a3=68632f6d65747379 items=0 ppid=2176 pid=2178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: systemctl,gnomeclock_t,cgroup_t,file,read

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t cgroup_t:file read;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t cgroup_t:file read;

Comment 1 Sandro Mathys 2011-10-28 08:07:29 UTC
I've also seen this with a fresh F16 Final TC3 Live Desktop installation. After installation, I rebooted, did the firstboot stuff, logged in, clicked around a little (including the Gnome Shell's panel clock).

I think this AVC came up by clicking "Date and Time Settings" below the calendar that's shown as part of the panel clock.

Comment 2 Daniel Walsh 2011-10-28 13:59:55 UTC
Fixed in selinux-policy-3.10.0-52.fc16

Comment 3 Charles R. Anderson 2011-10-31 10:00:50 UTC
Opened Date and Time Settings.

Possible blocker under:

http://fedoraproject.org/wiki/QA:Testcase_desktop_panel_basic

"No crashes should occur in any item of the default panel configuration upon basic interaction"

Comment 4 Charles R. Anderson 2011-10-31 10:45:52 UTC
Or rather a possible blocker under this one:

https://fedoraproject.org/wiki/QA:Testcase_desktop_panel_advanced

"No crashes should occur in any item of the default panel configuration upon typical interaction"

Comment 5 Charles R. Anderson 2011-10-31 11:10:19 UTC
(In reply to comment #2)
> Fixed in selinux-policy-3.10.0-52.fc16

I did a full relabel/reboot after installing this, and it does not fix the problem for me.  I still see the AVC when opening Date and Time Settings, reproducible every single time.

selinux-policy-3.10.0-52.fc16.noarch
selinux-policy-targeted-3.10.0-52.fc16.noarch

Comment 6 Paul W. Frields 2011-10-31 12:39:24 UTC
The SELinux alert happens, but this doesn't crash the applet for me.  I'm still able to perform the app functions such as setting the timezone, display, and network time subscription.

Comment 7 Miroslav Grepl 2011-10-31 13:37:53 UTC
Fixed in selinux-policy-3.10.0-53.fc16

Comment 8 Adam Williamson 2011-10-31 14:59:01 UTC
if it's not a crash, it's not a blocker. -1.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 9 Adam Williamson 2011-10-31 16:24:52 UTC
Discussed at 2011-10-31 QA meeting acting as blocker review meeting. Agreed that as it doesn't cause the app to crash or fail this does not meet the criterion cited, and as it doesn't happen just when you boot up, it doesn't meet the 'no AVCs on boot' criterion either. As it requires an selinux-policy update to fix and those are dangerous, we also won't take it as NTH, we think it's best just to fix with a post-release update.

Comment 10 Daniel Walsh 2011-10-31 18:21:14 UTC
I agree, and it does not block the resetting of the clock either, so it really is a nuisance AVC.  I am sure we will have the first update ready to go after F16 ships.

Comment 11 Fedora Update System 2011-11-08 14:05:35 UTC
selinux-policy-3.10.0-55.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-55.fc16

Comment 12 Andre Inglis 2011-11-08 16:46:22 UTC
When I try the solution given:

"You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp"

... I get this very similar bug:

https://bugzilla.redhat.com/show_bug.cgi?id=752145

Comment 13 Daniel Walsh 2011-11-08 17:17:27 UTC
*** Bug 752145 has been marked as a duplicate of this bug. ***

Comment 14 Daniel Walsh 2011-11-08 17:19:41 UTC
Looks like this is all fixed in selinux-policy-3.10.0-55.fc16

Comment 15 Daniel Walsh 2011-11-08 20:03:26 UTC
*** Bug 752202 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2011-11-08 22:28:58 UTC
Yes, it should be definitely fixed.

Comment 17 Fedora Update System 2011-11-10 17:30:03 UTC
selinux-policy-3.10.0-55.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Daniel Walsh 2011-11-11 14:41:25 UTC
*** Bug 753081 has been marked as a duplicate of this bug. ***

Comment 19 Daniel Walsh 2011-11-11 14:44:30 UTC
*** Bug 753082 has been marked as a duplicate of this bug. ***

Comment 20 Andre Inglis 2011-11-12 18:28:56 UTC
selinux-policy-3.10.0-55.fc16 was in the updates and applied on this machine. The issue seems to be resolved.

Thanks for fixing that so quickly. :)