Bug 815158
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | systemd attempts to getattr with lirc file -- SELinux blocks this | | |
| Product | [Fedora] Fedora | Reporter | Brian Armstrong <barmstro> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 16 | CC | barmstro, dominick.grift, dwalsh, johannbg, metherid, mgrepl, mschmidt, notting, plautrba, systemd-maint |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.10.0-86.fc16 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-05-18 10:27:57 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Brian Armstrong
2012-04-23 00:51:47 UTC
lirc ships /etc/tmpfiles.d/lirc.conf with the contents:

    d /var/run/lirc 0755 root root 10d

The "10d" tells systemd-tmpfiles to periodically remove files that have not been used for 10 days. The SELinux denial occurred when systemd-tmpfiles attempted to test the age of the file. Assuming this configuration makes sense for lircd, the policy should not prevent the operation.

Dan, Miroslav, since any package can install a tmpfiles.d fragment to let systemd-tmpfiles handle the package's directories, which can have all kinds of SELinux contexts, it seems that systemd-tmpfiles should be granted quite broad permissions by the policy to avoid these kinds of denial reports in the future. Is it acceptable? Or would you recommend some changes in how systemd-tmpfiles works to make it work more nicely with SELinux? For example, systemd-tmpfiles could switch its domain depending on the context of the config file it is processing.

(In reply to comment #1)
> For example, systemd-tmpfiles could switch its domain depending on the context
> of the config file it is processing.

On second thought, this may not be the brightest idea. It would be difficult to explain the rules for SELinux labels of files in /etc/tmpfiles.d/ to administrators. And allowing systemd-tmpfiles to transition to various domains would annihilate the possible benefits.

We should allow it to getattr on all sockets and pipes.

Fixed in selinux-policy-3.10.0-118.fc17

selinux-policy-3.10.0-86.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-86.fc16

Package selinux-policy-3.10.0-86.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-86.fc16'

as soon as you are able to.

Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-6613/selinux-policy-3.10.0-86.fc16 then log in and leave karma (feedback).

selinux-policy-3.10.0-86.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
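The age field and the getattr operation discussed in this bug, as an added example that is not part of the bug report, of the lirc package or of systemd's own code: a small Python model of the tmpfiles.d age scan. It parses the quoted lirc.conf line, then lstat()s every entry in the directory regardless of its type, which is the getattr access SELinux mediates and the reason a socket or pipe in /var/run/lirc can trigger a denial; a PermissionError (EACCES) from lstat is recorded as a denied entry instead of aborting the scan. The newest-of-atime/mtime/ctime rule follows the tmpfiles.d(5) description of how age is judged; the directory layout, file names and clock value in the demo are constructed for illustration.

```python
import os
import re
import socket
import stat
import tempfile
import time

# Constructed sample fragment; the 'd' line is the one quoted in the bug report.
SAMPLE_FRAGMENT = """\
# /etc/tmpfiles.d/lirc.conf (contents as quoted in the bug)
d /var/run/lirc 0755 root root 10d
"""

# Age suffixes accepted by tmpfiles.d(5); a bare number means seconds.
AGE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_AGE_RE = re.compile(r"(\d+)([smhdw]?)")


def parse_age(spec):
    """Convert an age such as '10d' or '1h30m' into seconds."""
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", spec):
        raise ValueError("bad age spec: %r" % spec)
    return sum(int(n) * AGE_UNITS[u or "s"] for n, u in _AGE_RE.findall(spec))


def parse_fragment(text):
    """Parse 'type path mode uid gid age' lines; '-' or a missing field means unset."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed tmpfiles line: %r" % raw)
        fields += ["-"] * (6 - len(fields))          # pad to six columns
        typ, path, mode, uid, gid, age = fields[:6]
        entries.append({
            "type": typ,
            "path": path,
            "mode": None if mode == "-" else int(mode, 8),
            "uid": None if uid == "-" else uid,
            "gid": None if gid == "-" else gid,
            "age": None if age == "-" else parse_age(age),
        })
    return entries


def _kind(mode):
    """Human-readable file type from an st_mode, for the report."""
    if stat.S_ISSOCK(mode):
        return "socket"
    if stat.S_ISFIFO(mode):
        return "fifo"
    if stat.S_ISDIR(mode):
        return "dir"
    if stat.S_ISLNK(mode):
        return "symlink"
    return "file" if stat.S_ISREG(mode) else "other"


def is_stale(st, cutoff):
    """An entry is stale only if its newest timestamp is older than the cutoff."""
    return max(st.st_atime, st.st_mtime, st.st_ctime) < cutoff


def scan_directory(directory, max_age, now=None):
    """Model of the age scan: lstat() every entry (the getattr SELinux mediates)
    and sort it into 'stale', 'fresh' or 'denied' (lstat failed with EACCES)."""
    now = time.time() if now is None else now
    cutoff = now - max_age
    report = {"stale": [], "fresh": [], "denied": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)                       # works on sockets and fifos too
        except PermissionError:                       # what an SELinux getattr denial looks like
            report["denied"].append(path)
            continue
        bucket = "stale" if is_stale(st, cutoff) else "fresh"
        report[bucket].append((path, _kind(st.st_mode)))
    return report


if __name__ == "__main__":
    entry = parse_fragment(SAMPLE_FRAGMENT)[0]
    print("age limit for %s: %d seconds" % (entry["path"], entry["age"]))
    # Constructed stand-in for /var/run/lirc: an untouched socket and a fresh pid file.
    d = tempfile.mkdtemp()
    sock_path = os.path.join(d, "lircd")
    with socket.socket(socket.AF_UNIX) as s:
        s.bind(sock_path)
    os.utime(sock_path, (0, 0))                       # not touched since the epoch
    pid_path = os.path.join(d, "lircd.pid")
    open(pid_path, "w").close()
    fake_now = time.time() + 30 * 86400               # constructed clock, 30 days on
    os.utime(pid_path, (fake_now, fake_now))
    for bucket, items in scan_directory(d, entry["age"], now=fake_now).items():
        print(bucket, items)
```

Running the demo lists the socket under "stale" and the pid file under "fresh"; on a system where the policy lacks getattr on the socket, the same lstat() would instead raise PermissionError and the socket would land under "denied" while the corresponding AVC appears in the audit log. Real systemd-tmpfiles also consults birth time where the filesystem provides it, which this model omits.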