Bug 804598

Summary: SELinux is preventing systemd-logind
Product: [Fedora] Fedora
Reporter: Germano Massullo <germano.massullo>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-22 03:37:16 UTC

Description Germano Massullo 2012-03-19 11:30:52 UTC
Description of problem:
I downloaded the rpm file of DraftSight http://www.3ds.com/it/products/draftsight/download-draftsight/
and I started installing it with yum localinstall, when I had the following SELinux alerts:




SELinux is preventing systemd-logind from search access on the folder `@.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed search access on the `@ directory by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                `@ [ dir ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              3
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:36 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1332156456.117:165): avc:  denied  { search } for  pid=977 comm="systemd-logind" name="6040" dev=proc ino=59048 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir


Hash: systemd-logind,systemd_logind_t,rpm_script_t,dir,search

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:dir search;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:dir search;













SELinux is preventing systemd-logind from read access on the file sessionid.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed read access on the sessionid file by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                sessionid [ file ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              4
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:41 CET
ID locale                   

Messaggi Raw Audit
type=AVC msg=audit(1332156461.107:194): avc:  denied  { read } for  pid=977 comm="systemd-logind" name="sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file


Hash: systemd-logind,systemd_logind_t,rpm_script_t,file,read

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file read;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file read;










SELinux is preventing systemd-logind from open access on the file sessionid.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed open access on the sessionid file by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                sessionid [ file ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              4
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:41 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1332156461.107:195): avc:  denied  { open } for  pid=977 comm="systemd-logind" name="sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file


Hash: systemd-logind,systemd_logind_t,rpm_script_t,file,open

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file open;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file open;













SELinux is preventing systemd-logind from getattr access on the file /proc/<pid>/sessionid.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed getattr access on the sessionid file by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                /proc/<pid>/sessionid [ file ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              4
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:41 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1332156461.107:196): avc:  denied  { getattr } for  pid=977 comm="systemd-logind" path="/proc/6303/sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file


Hash: systemd-logind,systemd_logind_t,rpm_script_t,file,getattr

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file getattr;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file getattr;
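
A triage sketch for the four alerts above, added here as an example (it is not part of the original report or of the selinux-policy project): it parses the quoted AVC records and merges them by source type, target type and class, in the same spirit as audit2allow, to show that they describe a single access pattern on procfs. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The four AVC records from the report above, copied verbatim as sample input.
AVC_LINES = """\
type=AVC msg=audit(1332156456.117:165): avc:  denied  { search } for  pid=977 comm="systemd-logind" name="6040" dev=proc ino=59048 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1332156461.107:194): avc:  denied  { read } for  pid=977 comm="systemd-logind" name="sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1332156461.107:195): avc:  denied  { open } for  pid=977 comm="systemd-logind" name="sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1332156461.107:196): avc:  denied  { getattr } for  pid=977 comm="systemd-logind" path="/proc/6303/sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file
""".splitlines()

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one denied AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Fields are space-separated key=value pairs; quoted values here hold no spaces.
    pairs = (kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec = {k: v.strip('"') for k, v in pairs}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level, so the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def merge_rules(lines):
    """Merge denials sharing (source type, target type, class) into allow rules."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return out

def proc_only(lines):
    """True when every parsed denial targets an object on procfs (dev=proc)."""
    recs = [r for r in map(parse_avc, lines) if r]
    return bool(recs) and all(r.get("dev") == "proc" for r in recs)

if __name__ == "__main__":
    print("\n".join(merge_rules(AVC_LINES)))
    print("all targets on procfs:", proc_only(AVC_LINES))
```

All four alerts collapse to one source/target pair (systemd_logind_t on rpm_script_t) touching only /proc entries, so they are one policy gap rather than four separate problems, consistent with the fix shipping in selinux-policy-3.10.0-84.fc16.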

Comment 1 Daniel Walsh 2012-03-19 15:03:38 UTC
yum -y update

This should be fixed in latest updates

Comment 2 Fedora Update System 2012-04-18 12:55:06 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 3 Fedora Update System 2012-04-22 03:37:16 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.