Bug 809678

Summary: SELinux is preventing /usr/bin/systemctl from 'getattr' accesses on the file /run/log/journal/57f7afd2e1764d6796dc9f746850af63/system.journal.
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl, mschmidt, systemd-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:db42c0fe57ef2307f8261e09aceab543d9532af0b1f7038f9e4d069432abff26
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-15 19:30:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Williamson 2012-04-04 03:13:00 UTC 
libreport version: 2.0.10
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-1.fc17.x86_64
time:           Tue 03 Apr 2012 08:12:22 PM PDT

description:
:SELinux is preventing /usr/bin/systemctl from 'getattr' accesses on the file /run/log/journal/57f7afd2e1764d6796dc9f746850af63/system.journal.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that systemctl should be allowed getattr access on the system.journal file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:dhcpc_t:s0
:Target Context                system_u:object_r:syslogd_var_run_t:s0
:Target Objects                /run/log/journal/57f7afd2e1764d6796dc9f746850af63/
:                              system.journal [ file ]
:Source                        systemctl
:Source Path                   /usr/bin/systemctl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           systemd-44-4.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-109.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux localhost 3.3.0-1.fc17.x86_64 #1 SMP Mon Mar
:                              19 03:03:39 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Tue 03 Apr 2012 08:11:17 PM PDT
:Last Seen                     Tue 03 Apr 2012 08:11:17 PM PDT
:Local ID                      8ff37372-d97f-4b6b-a104-ed3e66d1a143
:
:Raw Audit Messages
:type=AVC msg=audit(1333509077.626:255): avc:  denied  { getattr } for  pid=1731 comm="systemctl" path="/run/log/journal/57f7afd2e1764d6796dc9f746850af63/system.journal" dev="tmpfs" ino=8608 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1333509077.626:255): arch=x86_64 syscall=fstat success=yes exit=0 a0=7 a1=1445180 a2=1445180 a3=7fff30581e40 items=0 ppid=1730 pid=1731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dhcpc_t:s0 key=(null)
:
:Hash: systemctl,dhcpc_t,syslogd_var_run_t,file,getattr
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Adam Williamson 2012-04-04 03:16:05 UTC 
I seem to hit four of these, consistently (as well as this 'getattr', there's a 'read' on 'system.journal', a 'read' on 'journal', and a 'search' on 'log') if I do a default live install of F17 Beta RC3-ish (a test live image I built with GNOME 3.4 and the new selinux-policy), do 'systemctl disable NetworkManager.service' then 'systemctl stop NetworkManager.service' to stop NM, edit /etc/sysconfig/network-scripts/ifcfg-eth0 to set NM_CONTROLLED=no and ONBOOT=yes , and do 'systemctl start network.service'. 

The systemctl start operation never completes. If I boot with enforcing=0, it completes quickly.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Miroslav Grepl 2012-04-04 06:37:24 UTC 
Well not sure why it should fail because of this. CC-ing systemd folks. I need to test it too.
Comment 3 Michal Schmidt 2012-04-04 07:10:52 UTC 
The denial seems to be just another case of bug 794771. But it does not explain Adam's observed hang of 'systemctl start network.service'.

Adam, what does 'systemctl status network.service' show while the start operation is hung?
Comment 4 Adam Williamson 2012-05-03 14:53:48 UTC 

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers