Bug 820491

Summary: SELinux is preventing /usr/bin/ls from getattr access on the blk_file /dev/sda.
Product: [Fedora] Fedora Reporter: Sebastian Krämer <skr>
Component: tuned Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17 CC: dwalsh, gregor, jkaluza, jskarvad, jvcelak, mgrepl, pknirsch, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tuned-2.1.0-1.fc18 Doc Type: Bug Fix
Last Closed: 2013-02-14 09:24:21 UTC Type: Bug
Attachments:
Description Flags
SELinux alert after starting tuned in daemon mode (via systemd) none

Description Sebastian Krämer 2012-05-10 07:27:04 UTC
Created attachment 583460
SELinux alert after starting tuned in daemon mode (via systemd)

Description of problem:
Installed tuned. Running as non-daemon yesterday worked fine. Today I did a 'service tuned start' and got an se-alert (see attachment). Systemd says the service started just fine and is running.

I'm using F17 Beta with latest 'yum upgrade'. selinux-policy{-targeted} have version 3.10.0-121.fc17.

Comment 1 Daniel Walsh 2012-05-12 11:12:11 UTC
Is tuned executing an ls of /dev?

Comment 2 Miroslav Grepl 2012-05-14 05:53:35 UTC
tuned does a lot of things now


https://bugzilla.redhat.com/show_bug.cgi?id=809832#c15

Mainly

"Remounts no boot and no root partitions with parameters 'barrier', 'nobarrier',
'commit=*', 'noatime'"

which means there is a script executing the mount command. But it looks like the tuned policy is going to be pretty powerful.

Comment 3 Jaroslav Škarvada 2012-05-14 07:02:43 UTC
(In reply to comment #2)
> Mainly
> 
> "Remounts no boot and no root partitions with parameters 'barrier',
> 'nobarrier',
> 'commit=*', 'noatime'"
> 
This is not a new feature, it was there in previous tuned versions (e.g. in RHEL-6), but the commands were initiated from /etc/ktune.d/tunedadm.sh (if the virtual-host profile was selected and tuned started). Now they are by default (can be changed) initiated from /etc/tuned/*/script.sh or /usr/lib/tuned/*/script.sh.

> which means there is a script executing the mount command. But it looks like
> the tuned policy is going to be pretty powerful.
>
We are working hard to move the functionality into the main tuned daemon. We are going to release a new f17 version of tuned soon, which will execute all tunings directly from the main daemon and not from the script. The script functionality will still be there for 'user specific tunings', but by default will not be used.

Comment 4 Daniel Walsh 2012-05-18 18:58:36 UTC
Well tuned currently has

optional_policy(`
	mount_domtrans(tuned_t)
')

Fixed in selinux-policy-3.10.0-126.fc17

Comment 5 Jan Vcelak 2012-12-03 11:10:35 UTC
Resolved in:
tuned-2.1.0-1.fc18
tuned-2.1.0-1.fc19

Comment 6 Fedora Admin XMLRPC Client 2013-02-04 21:44:59 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 Jaroslav Škarvada 2013-02-14 09:24:21 UTC
I cannot see the AVC in the log. The current selinux policy is:
selinux-policy-3.10.0-166.fc17

Thus I think the problem is already fixed - I am closing this bug. Feel free to reopen if the problem persists.