Bug 955758

Summary: systemd-readahead: failed to create shared memory segment
Product: [Fedora] Fedora
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bugzilla, dominick.grift, dwalsh, mgrepl, systemd-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Last Closed: 2013-05-30 03:32:51 UTC
Type: Bug

Description Zbigniew Jędrzejewski-Szmek 2013-04-23 18:08:40 UTC
Description of problem:
readahead does not gather data because of an SELinux denial.

Apr 23 21:13:48 fedora kernel: type=1404 audit(1366766027.362:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora kernel: SELinux: 2048 avtab hash slots, 96919 rules.
Apr 23 21:13:48 fedora kernel: SELinux: 2048 avtab hash slots, 96919 rules.
Apr 23 21:13:48 fedora kernel: SELinux:  8 users, 82 roles, 4428 types, 249 bools, 1 sens, 1024 cats
Apr 23 21:13:48 fedora kernel: SELinux:  83 classes, 96919 rules
Apr 23 21:13:48 fedora kernel: SELinux:  Completing initialization.
Apr 23 21:13:48 fedora kernel: SELinux:  Setting up existing superblocks.
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev devpts, type devpts), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev pstore, type pstore), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev dm-1, type ext4), uses xattr
Apr 23 21:13:48 fedora kernel: type=1403 audit(1366766027.814:3): policy loaded auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora systemd[1]: Successfully loaded SELinux policy in 463.374ms.
Apr 23 21:13:48 fedora systemd[1]: Relabelled /dev and /run in 28.184ms.
Apr 23 21:13:48 fedora LVM: Logical Volume autoactivation enabled.
Apr 23 21:13:48 fedora LVM: Activation generator successfully completed.
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create shared memory segment: No such file or directory
Apr 23 21:13:48 fedora systemd-readahead[391]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora systemd-readahead[391]: Failed to create shared memory segment: No such file or directory
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev configfs, type configfs), uses genfs_contexts

(Messages about permission denied are from a line I added myself to see what's going on.
I'll push the patch to systemd later on.)


Version-Release number of selected component (if applicable):
In general this is an up-to-date Fedora 19.

systemd is compiled from git.

Apr 23 21:13:41 fedora systemd[1]: systemd 202 running in system mode. (+PAM -LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT -LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Apr 23 21:13:47 fedora systemd[1]: systemd 202 running in system mode. (+PAM -LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT -LIBCRYPTSETUP +GCRYPT +ACL +XZ)

selinux-policy-targeted-3.12.1-34.fc19.noarch
selinux-policy-3.12.1-34.fc19.noarch

How reproducible:
100%

Additional info:
% ls -lZd /run /run/systemd /run/systemd/readahead
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/
drwxr-xr-x. root root system_u:object_r:init_var_run_t:s0 /run/systemd/
drwxr-xr-x. root root system_u:object_r:readahead_var_run_t:s0 /run/systemd/readahead/

Comment 1 Daniel Walsh 2013-04-23 21:11:40 UTC
AVC messages?

Comment 2 Zbigniew Jędrzejewski-Szmek 2013-04-23 21:15:16 UTC
I don't see any AVC messages. Is it possible that they are not generated or logged because auditd is not yet running? auditd is initialized a while later, along with other services, while readahead is started already in the boot.

Comment 3 Zbigniew Jędrzejewski-Szmek 2013-04-23 21:20:12 UTC
Hm, after looking at it again, systemd probably might create /run/systemd by itself. It is convenient to create it in systemd-readahead, but I see that it might be inconvenient for selinux.

Comment 4 Miroslav Grepl 2013-04-24 12:08:26 UTC
# dmesg |grep avc

Comment 5 Zbigniew Jędrzejewski-Szmek 2013-04-24 12:41:30 UTC
# dmesg |grep avc
nada

Hm, I'll reboot with selinux=0 when I have access to the machine and see what happens.
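
A triage sketch for the situation in comments 2 to 5, added here as an example and not part of the bug thread or of systemd or selinux-policy: it scans a syslog-format boot log for userspace permission errors logged while SELinux is enforcing and reports those with no kernel `avc: denied` record for the same PID. The sample log is constructed (the `exampled` lines and their types are invented), and the function name `silent_denials` is hypothetical.

```python
import re

# Constructed sample: the first four lines follow the format of the log in
# this report; the two "exampled" lines are invented to show the contrast case.
SAMPLE_LOG = """\
Apr 23 21:13:48 fedora kernel: type=1404 audit(1366766027.362:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora kernel: type=1403 audit(1366766027.814:3): policy loaded auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora systemd-readahead[391]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:49 fedora kernel: type=1400 audit(1366766028.100:4): avc:  denied  { write } for  pid=410 comm="exampled" name="run" dev="tmpfs" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Apr 23 21:13:49 fedora exampled[410]: Failed to create /run/example: Permission denied
"""

# "<Mon> <day> <time> <host> <tag>[<pid>]: <message>"
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
AVC_PID = re.compile(r"avc:\s+denied\s+\{[^}]*\}\s+for\s+pid=(\d+)")
EACCES = re.compile(r"Permission denied|Operation not permitted")


def silent_denials(log_text):
    """Return (tag, pid, msg) for userspace EACCES/EPERM messages logged while
    SELinux is enforcing that have no kernel 'avc: denied' record for that PID."""
    enforcing = False
    avc_pids = set()
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tag, pid, msg = m["tag"], m["pid"], m["msg"]
        if tag == "kernel":
            if "type=1404" in msg:  # MAC_STATUS record: enforcing mode changed
                # \b keeps "old_enforcing=1" from matching
                enforcing = re.search(r"\benforcing=1\b", msg) is not None
            hit = AVC_PID.search(msg)
            if hit:
                avc_pids.add(hit.group(1))
        elif enforcing and pid and EACCES.search(msg):
            failures.append((tag, pid, msg))
    # Compare after the full pass: the AVC record may appear before or after
    # the userspace message it explains.
    return [f for f in failures if f[1] not in avc_pids]
```

A process reported by this check is only a candidate: the error may come from ordinary file permissions, or from a denial suppressed by a dontaudit rule. `semodule -DB` rebuilds the policy with dontaudit rules disabled so that such a denial is logged, and `semodule -B` restores them.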

Comment 6 Heiko Adams 2013-05-11 04:55:40 UTC
Any progress on this issue?

Comment 7 Heiko Adams 2013-05-11 09:11:39 UTC
Same problem here:
[    9.887300] systemd-readahead[267]: Failed to create /run/systemd: Permission denied
[    9.887311] systemd-readahead[267]: Failed to create shared memory segment: No such file or directory
[    9.887495] systemd-readahead[266]: Failed to create /run/systemd: Permission denied
[    9.887506] systemd-readahead[266]: Failed to create shared memory segment: No such file or directory

Comment 8 Daniel Walsh 2013-05-11 10:21:34 UTC
a1cf4f67ed46cabfb111b287577be0c9b71e0672 fixes this in git.

Comment 9 Fedora Update System 2013-05-29 14:18:48 UTC
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Comment 10 Fedora Update System 2013-05-29 17:45:37 UTC
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-05-30 03:32:51 UTC
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.