| Summary: | SELinux is preventing /bin/bash from 'getattr' accesses on the directory /. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert McBroom <mcbroomrc> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:20bd3a4201f9dc505c37bee9b133e658846c8d34eb738ac19aa2a1629de53f49 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-03-15 13:37:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Looks like mislabeling issue. What does

# ls -lZ /

*** Bug 751518 has been marked as a duplicate of this bug. ***

Or it could be any filesystem mountpoint.

ls -lZ /
dr-xr-xr-x. root root system_u:object_r:bin_t:s0 bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x. root root system_u:object_r:device_t:s0 dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
dr-xr-xr-x. root root system_u:object_r:lib_t:s0 lib
dr-xr-xr-x. root root system_u:object_r:lib_t:s0 lib64
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 mnt
drwxr-xr-x. root root system_u:object_r:default_t:s0 ntfsd2
drwxr-xr-x. root root system_u:object_r:default_t:s0 ntfsd3
drwxr-xr-x. root root system_u:object_r:usr_t:s0 opt
dr-xr-xr-x. root root system_u:object_r:proc_t:s0 proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 run
dr-xr-xr-x. root root system_u:object_r:bin_t:s0 sbin
drwxr-xr-x. root root system_u:object_r:default_t:s0 sda1
drwxr-xr-x. root root system_u:object_r:default_t:s0 sda7
drwxr-xr-x. root root system_u:object_r:default_t:s0 sdb3
drwxr-xr-x. root root system_u:object_r:var_t:s0 srv
drwxr-xr-x. root root system_u:object_r:sysfs_t:s0 sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
drwxr-xr-x. root root system_u:object_r:var_t:s0 var

260 grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
261 semodule -i mypol.pp
262 grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
263 semodule -i mypol.pp
264 grep systemd-readahe /var/log/audit/audit.log | audit2allow -M mypol
265 semodule -i mypol.pp
266 grep prelink /var/log/audit/audit.log | audit2allow -M mypol
267 semodule -i mypol.pp
268 grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
269 semodule -i mypol.pp
270 grep prelink /var/log/audit/audit.log | audit2allow -M mypol
271 semodule -i mypol.pp

*** Bug 752296 has been marked as a duplicate of this bug. ***

*** Bug 752298 has been marked as a duplicate of this bug. ***

*** Bug 752297 has been marked as a duplicate of this bug. ***

Robert could you run

find /etc -type d -context "*:etc_runtime_t:*"

[rm3@localhost /]$ find /etc -type d -context "*:etc_runtime_t:*"
find: `/etc/sssd': Permission denied
find: `/etc/dhcp': Permission denied
find: `/etc/audit': Permission denied
find: `/etc/sudoers.d': Permission denied
find: `/etc/polkit-1/localauthority': Permission denied
find: `/etc/pki/rsyslog': Permission denied
find: `/etc/pki/CA/private': Permission denied
find: `/etc/audisp': Permission denied
find: `/etc/cups/ssl': Permission denied
find: `/etc/selinux/targeted/modules/active': Permission denied
find: `/etc/ggz.modules.d': Permission denied
find: `/etc/lvm/cache': Permission denied
find: `/etc/lvm/backup': Permission denied
find: `/etc/lvm/archive': Permission denied
find: `/etc/ntp/crypto': Permission denied
/etc/blkid
[rm3@localhost /]$ su -
Password:
[root@localhost ~]# find /etc -type d -context "*:etc_runtime_t:*"
/etc/blkid
[root@localhost ~]#

Well has this happened in the last month? Everything on your system looks good now.

Twelve different but similar items with multiple instances in the log 11/13. Tried using the commands to set a local policy as shown in comment 4 but still get the errors. Not at that system now so I can't pull up the list.

find / -type d -context "*:etc_runtime_t:*"

Robert when was the last time you got the report?

sealert shows 33 instances of similar items. I see an update to the kernel. Will update, clear the list of alerts and relabel.

No. But did you run the command above.

[root@localhost ~]# find / -type d -context "*:etc_runtime_t:*"
/.config
find: `/home/rm3/.gvfs': Permission denied
/sda9
/etc/blkid
SELinux is preventing /bin/systemd-tmpfiles from read access on the directory .XIM-unix.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow systemd-tmpfiles to have read access on the .XIM-unix directory
Then you need to change the label on .XIM-unix
Do
# semanage fcontext -a -t FILE_TYPE '.XIM-unix'
where FILE_TYPE is one of the following: rpm_var_cache_t, faillog_t, var_lib_t, user_home_type, proc_net_t, textrel_shlib_t, rpm_var_lib_t, net_conf_t, home_root_t, var_run_t, selinux_config_t, user_home_dir_t, man_t, filesystem_type, device_t, locale_t, var_auth_t, tmp_t, usr_t, var_t, etc_t, file_t, cert_t, proc_t, tmpfs_t, sysctl_crypto_t, etc_t, lockfile, pidfile, tmpfile, lost_found_t, abrt_t, lib_t, device_t, root_t, security_t, sandbox_file_t, usr_t, etc_t, systemd_tmpfiles_t, var_spool_t, httpd_cache_t, nscd_var_run_t.
Then execute:
restorecon -v '.XIM-unix'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that systemd-tmpfiles should be allowed read access on the .XIM-unix directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:systemd_tmpfiles_t:s0
Target Context system_u:object_r:default_t:s0
Target Objects .XIM-unix [ dir ]
Source systemd-tmpfile
Source Path /bin/systemd-tmpfiles
Port <Unknown>
Host localhost.localdomain
Source RPM Packages systemd-units-37-3.fc16
Target RPM Packages
Policy RPM selinux-policy-3.10.0-55.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.1.1-1.fc16.x86_64 #1
SMP Fri Nov 11 21:47:56 UTC 2011 x86_64 x86_64
Alert Count 1
First Seen Thu 17 Nov 2011 09:21:58 PM EST
Last Seen Thu 17 Nov 2011 09:21:58 PM EST
Local ID 115befd3-430c-42ca-9453-39afae4ca12b
Raw Audit Messages
type=AVC msg=audit(1321582918.221:70): avc: denied { read } for pid=1745 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
SELinux is preventing /usr/libexec/polkit-1/polkitd from read access on the file online.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that polkitd should be allowed read access on the online file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polkitd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context system_u:object_r:sysfs_t:s0
Target Objects online [ file ]
Source polkitd
Source Path /usr/libexec/polkit-1/polkitd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages polkit-0.102-3.fc16
Target RPM Packages
Policy RPM selinux-policy-3.10.0-55.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.1.1-1.fc16.x86_64 #1
SMP Fri Nov 11 21:47:56 UTC 2011 x86_64 x86_64
Alert Count 3
First Seen Wed 16 Nov 2011 12:01:21 AM EST
Last Seen Thu 17 Nov 2011 09:07:12 PM EST
Local ID f9d3ef8f-3e3f-4ecd-a00e-7aca30ed26fe
Raw Audit Messages
type=AVC msg=audit(1321582032.468:36): avc: denied { read } for pid=882 comm="polkitd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1321582032.468:36): avc: denied { open } for pid=882 comm="polkitd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1321582032.468:36): arch=x86_64 syscall=open success=yes exit=EIO a0=38f0b7a980 a1=80000 a2=2003ff a3=1 items=0 ppid=879 pid=882 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=polkitd exe=/usr/libexec/polkit-1/polkitd subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
Hash: polkitd,policykit_t,sysfs_t,file,read
audit2allow
#============= policykit_t ==============
allow policykit_t sysfs_t:file { read open };
audit2allow -R
#============= policykit_t ==============
allow policykit_t sysfs_t:file { read open };
SELinux is preventing /sbin/audispd from read access on the file online.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that audispd should be allowed read access on the online file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep audispd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:audisp_t:s0
Target Context system_u:object_r:sysfs_t:s0
Target Objects online [ file ]
Source audispd
Source Path /sbin/audispd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages audit-2.1.3-4.fc16
Target RPM Packages
Policy RPM selinux-policy-3.10.0-55.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.1.1-1.fc16.x86_64 #1
SMP Fri Nov 11 21:47:56 UTC 2011 x86_64 x86_64
Alert Count 3
First Seen Wed 16 Nov 2011 12:01:18 AM EST
Last Seen Thu 17 Nov 2011 09:07:07 PM EST
Local ID acec4396-b139-4f0c-ab3d-967f330aab39
Raw Audit Messages
type=AVC msg=audit(1321582027.584:4): avc: denied { read } for pid=779 comm="audispd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1321582027.584:4): avc: denied { open } for pid=779 comm="audispd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1321582027.584:4): arch=x86_64 syscall=open success=yes exit=EINTR a0=7fb0c63ff980 a1=80000 a2=2003ff a3=7fb0c6283c80 items=0 ppid=752 pid=779 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=audispd exe=/sbin/audispd subj=system_u:system_r:audisp_t:s0 key=(null)
Hash: audispd,audisp_t,sysfs_t,file,read
audit2allow
#============= audisp_t ==============
allow audisp_t sysfs_t:file { read open };
audit2allow -R
#============= audisp_t ==============
allow audisp_t sysfs_t:file { read open };
restorecon -R -v /sda9

Should change its label to default_t. What content is in this directory?

The sysfs_t bugs should be fixed in the next policy update.

yum update selinux-policy --enablerepo=updates-testing

/sda9 is empty. It is a mount point for a CENTOS 6.0 system in case access is desired.

Well change the label to default_t and it should eliminate the AVC you were seeing.

systemd still having trouble on startup with accesses

SELinux is preventing /bin/systemd-tmpfiles from read access on the directory .XIM-unix.

Plugin: catchall_labels
If you want to allow systemd-tmpfiles to have read access on the .XIM-unix directory
You need to change the label on .XIM-unix
# semanage fcontext -a -t FILE_TYPE '.XIM-unix'
where FILE_TYPE is one of the following: lost_found_t, abrt_t, lib_t, device_t, root_t, security_t, sandbox_file_t, usr_t, etc_t, sysfs_t, systemd_tmpfiles_t, var_spool_t, httpd_cache_t, rpm_var_cache_t, faillog_t, var_lib_t, user_home_type, proc_net_t, textrel_shlib_t, rpm_var_lib_t, net_conf_t, home_root_t, var_run_t, selinux_config_t, user_home_dir_t, man_t, filesystem_type, device_t, locale_t, var_auth_t, tmp_t, usr_t, var_t, etc_t, file_t, cert_t, proc_t, tmpfs_t, sysctl_crypto_t, etc_t, lockfile, pidfile, tmpfile, nscd_var_run_t.
Then execute:
restorecon -v '.XIM-unix'

What AVC?

Entered what the troubleshoot option of sealert gives. Should be default as to install and current updates. What would inquire for the values?

what does

# grep XIM-unix /var/log/audit/audit.log

Last six entries. The system root is /dev/sda8
type=AVC msg=audit(1321675764.767:77): avc: denied { read } for pid=1746 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1321794859.444:80): avc: denied { read } for pid=1680 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1321798544.671:76): avc: denied { read } for pid=1595 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1321850999.655:68): avc: denied { read } for pid=1643 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1322435039.432:80): avc: denied { read } for pid=13008 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1322457733.221:73): avc: denied { read } for pid=1695 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
new similar AVC
type=SERVICE_START msg=audit(1322531345.699:15): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mcelog" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1322531345.702:16): avc: denied { create } for pid=838 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1322531345.702:16): avc: denied { write open } for pid=838 comm="mcelog" name="mcelog.pid" dev=tmpfs ino=16482 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322531345.702:16): arch=c000003e syscall=2 success=yes exit=5 a0=615150 a1=241 a2=1b6 a3=8 items=0 ppid=1 pid=838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1322531345.702:17): avc: denied { getattr } for pid=838 comm="mcelog" path="/run/mcelog.pid" dev=tmpfs ino=16482 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322531345.702:17): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffffaad5750 a2=7ffffaad5750 a3=7ffffaad5d00 items=0 ppid=1 pid=838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
ls -lZd /.XIM-unix /tmp/.XIM-unix

Also please update your policy

# yum update selinux-policy-targeted --enablerepo=updates-testing

[root@localhost ~]# ls -lZd /.XIM-unix /tmp/.XIM-unix
ls: cannot access /.XIM-unix: No such file or directory
drwxrwxrwt. root root system_u:object_r:default_t:s0 /tmp/.XIM-unix
[root@localhost ~]# chcon -t tmp_t -R /tmp/.XIM-unix

Any idea how this got there?

It was a fresh install of the second beta release of 16 on an empty partition. An attempt to do preupgrade on a fedora 15 install went awry. VISTA is on the second partition and CENTOS 5 is on a second drive. Would a relabel action from another install with this partition active make some settings erroneous?

Well relabeling does not touch /tmp, since SELinux has no idea what labels should be installed in /tmp. I always run /tmp as a tmpfs to make sure any garbage left behind gets deleted. I think you should be fine if you do the chcon or just delete the directories.

Is using a tmpfs how to counter the situation that many things do not seem to cleanup on exit and /tmp grows without bounds? What are the recommendations for the fstab entries? As usual there are multiple schemes referenced by a search. This is what I have

grep /tmp /etc/fstab
tmpfs /tmp tmpfs defaults 0 0
libreport version: 2.0.6
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.1.0-1.fc16.x86_64
reason: SELinux is preventing /bin/bash from 'getattr' accesses on the directory /.
time: Sat Nov 5 01:20:25 2011

description:
SELinux is preventing /bin/bash from 'getattr' accesses on the directory /.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed getattr access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep prelink /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context system_u:object_r:etc_runtime_t:s0
Target Objects / [ dir ]
Source prelink
Source Path /bin/bash
Port <Unknown>
Host (removed)
Source RPM Packages bash-4.2.10-4.fc16
Target RPM Packages filesystem-2.4.44-1.fc16
Policy RPM selinux-policy-3.10.0-43.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.1.0-0.rc10.git0.1.fc16.x86_64 #1 SMP Wed Oct 19 05:02:17 UTC 2011 x86_64 x86_64
Alert Count 6
First Seen Thu 20 Oct 2011 06:15:38 PM EDT
Last Seen Mon 24 Oct 2011 03:20:13 AM EDT
Local ID 8accce97-29ec-4ba4-9370-a08c40b2a9f7

Raw Audit Messages
type=AVC msg=audit(1319440813.42:424): avc: denied { getattr } for pid=11549 comm="prelink" path="/" dev=sda8 ino=2 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir

type=SYSCALL msg=audit(1319440813.42:424): arch=x86_64 syscall=stat success=yes exit=0 a0=12e8070 a1=7fff860d0300 a2=7fff860d0300 a3=0 items=0 ppid=11504 pid=11549 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=47 comm=prelink exe=/bin/bash subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Hash: prelink,prelink_cron_system_t,etc_runtime_t,dir,getattr

audit2allow

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t etc_runtime_t:dir getattr;

audit2allow -R

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t etc_runtime_t:dir getattr;
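The thread turns on one distinction: some of these denials (default_t on /sda9 and /tmp/.XIM-unix, etc_runtime_t on /) were labeling problems fixed with restorecon or chcon, while others (policykit_t and audisp_t reading sysfs_t) were genuine policy gaps fixed in a selinux-policy update. Running every denial through `audit2allow -M mypol` as in comment 4 blurs that line, because it writes a rule granting the domain access to the wrong type instead of correcting the label. The following script is an added example, not code from the bug report or from the setroubleshoot project: it parses raw `type=AVC` records, groups them by source domain, target type and object class, and flags the target types that in this thread signalled mislabeling. The set MISLABEL_TYPES is a heuristic assumed for the example, and the sample records are constructed from the audit lines quoted above.

```python
"""Triage SELinux AVC denials: mislabeled object or missing policy rule?"""
import re
from collections import defaultdict

# Assumption for this example: a denial whose target carries one of these
# types almost always means the file is mislabeled (fix the label), not that
# the policy lacks a rule (file a bug / local module).
MISLABEL_TYPES = {"default_t", "etc_runtime_t", "unlabeled_t", "file_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="value"
PERMS_RE = re.compile(r'denied\s+\{ ([^}]+) \}')  # the { read open } part

# Constructed sample: records taken from the audit lines quoted in the report,
# plus two non-AVC records that the parser must skip.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1321582918.221:70): avc: denied { read } for pid=1745 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1321675764.767:77): avc: denied { read } for pid=1746 comm="systemd-tmpfile" name=".XIM-unix" dev=sda8 ino=4456452 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1321582032.468:36): avc: denied { read } for pid=882 comm="polkitd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1321582032.468:36): avc: denied { open } for pid=882 comm="polkitd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1321582032.468:36): arch=x86_64 syscall=open success=yes exit=EIO a0=38f0b7a980 a1=80000 a2=2003ff a3=1 items=0 ppid=879 pid=882 auid=4294967295 uid=0 gid=0 comm=polkitd exe=/usr/libexec/polkit-1/polkitd subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1321582027.584:4): avc: denied { read } for pid=779 comm="audispd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1321582027.584:4): avc: denied { open } for pid=779 comm="audispd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=SERVICE_START msg=audit(1322531345.699:15): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\': comm="mcelog" exe="/bin/systemd" hostname=? addr=? terminal=? res=success\'',
    'type=AVC msg=audit(1322531345.702:16): avc: denied { create } for pid=838 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1322531345.702:16): avc: denied { write open } for pid=838 comm="mcelog" name="mcelog.pid" dev=tmpfs ino=16482 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1322531345.702:17): avc: denied { getattr } for pid=838 comm="mcelog" path="/run/mcelog.pid" dev=tmpfs ino=16482 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1319440813.42:424): avc: denied { getattr } for pid=11549 comm="prelink" path="/" dev=sda8 ino=2 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir',
]


def parse_avc(line):
    """Return the interesting fields of a type=AVC record, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    perms = PERMS_RE.search(line)
    if perms is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": frozenset(perms.group(1).split()),
        "comm": fields.get("comm", "?"),
        # The kernel logs path= when it can resolve a full path, name= otherwise.
        "object": fields.get("path") or fields.get("name", "?"),
        "src_type": fields["scontext"].split(":")[2],  # user:role:TYPE[:range]
        "tgt_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def triage(lines):
    """Group denials by (source domain, target type, class) and attach a verdict."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "objects": set(), "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["src_type"], rec["tgt_type"], rec["tclass"])]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        g["objects"].add(rec["object"])
        g["comms"].add(rec["comm"])
    report = []
    for (src, tgt, cls), g in sorted(groups.items()):
        report.append({
            "src_type": src, "tgt_type": tgt, "tclass": cls,
            "perms": tuple(sorted(g["perms"])), "count": g["count"],
            "objects": g["objects"], "comms": g["comms"],
            "verdict": "mislabel" if tgt in MISLABEL_TYPES else "policy",
        })
    return report


def te_rule(entry):
    """The allow rule audit2allow would generate for this group (shown so it can be judged, not installed blindly)."""
    return "allow %s %s:%s { %s };" % (
        entry["src_type"], entry["tgt_type"], entry["tclass"], " ".join(entry["perms"]))


def advice(entry):
    """One-line recommendation per group, following the fixes that worked in the thread."""
    objs = ", ".join(sorted(entry["objects"]))
    if entry["verdict"] == "mislabel":
        return "MISLABEL  %s on %s: relabel (restorecon -Rv / chcon), do not audit2allow" % (entry["tgt_type"], objs)
    return "POLICY    %s -> %s: report it; stopgap local module would be: %s" % (
        entry["src_type"], entry["tgt_type"], te_rule(entry))


if __name__ == "__main__":
    for entry in triage(SAMPLE_AUDIT_LINES):
        print("%3d x %s" % (entry["count"], advice(entry)))
```

Run against the constructed sample, the two default_t and etc_runtime_t groups come out as MISLABEL and the sysfs_t and var_run_t groups as POLICY, which is the split the thread arrived at by hand. In practice you would feed it `grep ^type=AVC /var/log/audit/audit.log` and extend MISLABEL_TYPES to whatever your own policy treats as a catch-all label.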