Bug 820491
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/ls from getattr access on the blk_file /dev/sda. |
| Product | [Fedora] Fedora |
| Component | tuned |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Version | 17 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Sebastian Krämer <skr> |
| Assignee | Jaroslav Škarvada <jskarvad> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, gregor, jkaluza, jskarvad, jvcelak, mgrepl, pknirsch, twoerner |
| Fixed In Version | tuned-2.1.0-1.fc18 |
| Doc Type | Bug Fix |
| Last Closed | 2013-02-14 09:24:21 UTC |
| Type | Bug |
Created attachment 583460
SELinux alert after starting tuned in daemon mode (via systemd)

Description of problem:
Installed tuned. Running as non-daemon yesterday worked fine. Today I did a 'service tuned start' and got an se-alert (see attachment). Systemd says the service started just fine and is running.

I'm using F17 Beta with latest 'yum upgrade'. selinux-policy{-targeted} have version 3.10.0-121.fc17.

Is tuned executing an ls of /dev?

tuned does a lot of things now

https://bugzilla.redhat.com/show_bug.cgi?id=809832#c15

Mainly

"Remounts no boot and no root partitions with parameters 'barrier', 'nobarrier', 'commit=*', 'noatime'"

which means there is a script executing the mount command. But it looks like the tuned policy is going to be pretty powerful.

(In reply to comment #2)
> Mainly
>
> "Remounts no boot and no root partitions with parameters 'barrier',
> 'nobarrier',
> 'commit=*', 'noatime'"

This is not a new feature, it was there in previous tuned versions (e.g. in RHEL-6), but the commands were initiated from /etc/ktune.d/tunedadm.sh (if virtual-host profile was selected and tuned started). Now they are by default (can be changed) initiated from /etc/tuned/*/script.sh or /usr/lib/tuned/*/script.sh.

> which means there is a script executing the mount command. But it looks like
> the tuned policy is going to be pretty powerful.

We are working hard to move the functionality into the main tuned daemon. We are going to release a new f17 version of tuned soon, which will execute all tunings directly from the main daemon and not from the script. The script functionality will still be there for 'user specific tunings', but by default will not be used.

Well, tuned currently has

    optional_policy(`
        mount_domtrans(tuned_t)
    ')

Fixed in selinux-policy-3.10.0-126.fc17

Resolved in:
tuned-2.1.0-1.fc18
tuned-2.1.0-1.fc19

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

I cannot see the AVC in the log. The current selinux policy is:
selinux-policy-3.10.0-166.fc17

Thus I think the problem is already fixed - I am closing this bug. Feel free to reopen if the problem persists.