| Summary: | SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the sock_file plasma-desktopGh1800.slave-socket. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | franco santini <fsantini> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:b066a46550eed136eef6b1f22dc2779953695c8bab6d6555614996728b8642eb | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-31 19:22:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Did you move this sock file from /home to /tmp directory? We should really never have a sock_file labeled as a user_home_dir_t. Any idea how this sock_file got created?

(In reply to comment #1)
> Did you move this sock file from /home to /tmp directory?

I didn't move any file from /home to /tmp. Actually file /tmp/systemd_tmpfiles exists with selinux context system_u:object_r:systemd_tmpfiles_exec_t:s0

find /tmp -name plasma-desktopGh1800.slave-socket

or

find /var/tmp -name plasma-desktopGh1800.slave-socket

This seems to be something to do with kde.

No such file in either directory or elsewhere in filesystem. Also yum list and google give me nothing!

Ok, let's act like this never happened and reopen if it happens again.
SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the sock_file plasma-desktopGh1800.slave-socket.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed unlink access on the plasma-desktopGh1800.slave-socket sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

```
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

Additional Information:

| | |
|---|---|
| Source Context | system_u:system_r:systemd_tmpfiles_t:s0 |
| Target Context | unconfined_u:object_r:user_home_dir_t:s0 |
| Target Objects | plasma-desktopGh1800.slave-socket [ sock_file ] |
| Source | systemd-tmpfile |
| Source Path | /bin/systemd-tmpfiles |
| Port | <Unknown> |
| Host | (removed) |
| Source RPM Packages | systemd-units-26-12.fc15 |
| Target RPM Packages | |
| Policy RPM | selinux-policy-3.9.16-44.fc15 |
| Selinux Enabled | True |
| Policy Type | targeted |
| Enforcing Mode | Enforcing |
| Host Name | (removed) |
| Platform | Linux (removed) 2.6.40.7-3.fc15.x86_64 #1 SMP Mon Oct 24 13:51:56 UTC 2011 x86_64 x86_64 |
| Alert Count | 1 |
| First Seen | Sat 29 Oct 2011 08:29:46 PM CEST |
| Last Seen | Sat 29 Oct 2011 08:29:46 PM CEST |
| Local ID | 3dbf83c9-b380-4b60-be56-dd19c7415e46 |

Raw Audit Messages

```
type=AVC msg=audit(1319912986.102:61): avc: denied { unlink } for pid=2373 comm="systemd-tmpfile" name="plasma-desktopGh1800.slave-socket" dev=dm-1 ino=656379 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1319912986.102:61): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=5 a1=237867b a2=0 a3=100 items=0 ppid=1 pid=2373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
```

Hash: systemd-tmpfile,systemd_tmpfiles_t,user_home_dir_t,sock_file,unlink
audit2allow

```
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t user_home_dir_t:sock_file unlink;
```

audit2allow -R

```
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t user_home_dir_t:sock_file unlink;
```
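The denial above, parsed and triaged, as an added example that is not part of this bug report or of selinux-policy: it extracts the AVC fields, rebuilds the allow rule audit2allow proposes, and flags the target as mislabelled, since (as the maintainer notes) a sock_file should never carry user_home_dir_t. The SUSPECT_LABELS table and the relabel/review verdicts are assumptions of this example.

```python
"""Parse an SELinux AVC denial, derive the allow rule audit2allow would
propose, and flag targets whose label is suspect (relabel, don't allow)."""
import re
import shlex

# Constructed sample: the AVC record from this bug report, on one line.
AVC_LINE = (
    "type=AVC msg=audit(1319912986.102:61): avc: denied { unlink } for "
    'pid=2373 comm="systemd-tmpfile" name="plasma-desktopGh1800.slave-socket" '
    "dev=dm-1 ino=656379 scontext=system_u:system_r:systemd_tmpfiles_t:s0 "
    "tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=sock_file"
)
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the verdict, the permission list and the key=value fields."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    avc = {"result": m.group(1), "perms": m.group(2).split()}
    for tok in shlex.split(m.group(3)):   # shlex unquotes comm= and name=
        key, sep, val = tok.partition("=")
        if sep:
            avc[key] = val
    return avc

def selinux_type(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(":")[2]

def allow_rule(avc):
    """The rule audit2allow emits for this denial (same form as on this page)."""
    return "allow %s %s:%s %s;" % (selinux_type(avc["scontext"]),
                                  selinux_type(avc["tcontext"]),
                                  avc["tclass"], " ".join(avc["perms"]))

# Object classes that should never carry these types; the maintainer's point
# in this bug is that a sock_file must not be labelled user_home_dir_t.
SUSPECT_LABELS = {"sock_file": {"user_home_dir_t"}}

def triage(avc):
    """'relabel' for a mislabelled target (fix with restorecon), else 'review'."""
    if selinux_type(avc["tcontext"]) in SUSPECT_LABELS.get(avc["tclass"], ()):
        return "relabel"
    return "review"
```

On a live system the same records come from `ausearch -m avc` or /var/log/audit/audit.log; a `relabel` verdict points at restorecon on the object rather than at loading the audit2allow module with semodule.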