Bug 864784

Summary: systemd-analyze triggers selinux denial
Product: [Fedora] Fedora Reporter: Chris Murphy <bugzilla>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, johannbg, lnykryn, metherid, mgrepl, msekleta, notting, plautrba, systemd-maint, vpavlin
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-14 19:17:19 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Chris Murphy 2012-10-10 02:26:03 EDT
Description of problem:
systemd-analyze results in SELinux denial

Version-Release number of selected component (if applicable):
systemd-analyze.x86_64 0:194-1.fc18 
selinux-policy-3.11.1-32.fc18
dbus-1.6.8-2.fc18.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install systemd-analyze
2. run systemd-analyze


Actual results:
ERROR:dbus.proxies:Introspect error on :1.1:/org/freedesktop/systemd1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 307, in <module>
    time()
  File "/usr/bin/systemd-analyze", line 91, in time
    initrd_time, start_time, finish_time = acquire_start_time()
  File "/usr/bin/systemd-analyze", line 34, in acquire_start_time
    initrd_time = int(properties.Get('org.freedesktop.systemd1.Manager', 'InitRDTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.


Expected results:
To report startup time stats.

Additional info:
audit.log reports

type=USER_AVC msg=audit(1349849442.134:40): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 cmdline="/usr/bin/python /usr/bin/systemd-analyze" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This was working with alpha a week or two ago, so this may actually be dbus, not systemd-analyze triggering the denial.
Comment 1 Chris Murphy 2012-10-14 18:57:45 EDT
Not reproducible with selinux-policy-3.11.1-36.fc18.noarch; other component versions remain the same.
Comment 2 Chris Murphy 2012-10-14 19:05:18 EDT
'systemd-analyze blame' still produces an SE Linux denial; whereas with no option or time option, there is no error.

[root@f18v ~]# systemd-analyze blame
ERROR:dbus.proxies:Introspect error on :1.0:/org/freedesktop/systemd1/unit/network_2eservice: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 309, in <module>
    verb.get(args[0], unknown_verb)()
  File "/usr/bin/systemd-analyze", line 108, in blame
    data = acquire_time_data()
  File "/usr/bin/systemd-analyze", line 22, in acquire_time_data
    ixt = int(properties.Get('org.freedesktop.systemd1.Unit', 'InactiveExitTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Comment 3 Chris Murphy 2012-10-14 19:17:19 EDT

*** This bug has been marked as a duplicate of bug 859614 ***
Comment 4 Chris Murphy 2012-10-15 05:34:31 EDT
After applying:
selinux-policy-targeted-3.11.1-38.fc18.noarch
selinux-policy-3.11.1-38.fc18.noarch

And autorelabel=1, "systemd-analyze blame" is working for me without the comment 2 denial. So this bug may not be a duplicate of Bug 859614.