Bug 1022567 - avc denied: systemd-tmpfile, systemd-readahe, console-kit-dae, sulogin [NEEDINFO]
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-23 10:32 EDT by Pavel Sedlák
Modified: 2014-08-22 08:32 EDT
Doc Type: Bug Fix
Last Closed: 2014-08-22 08:32:48 EDT
Type: Bug
mgrepl: needinfo? (psedlak)


Description Pavel Sedlák 2013-10-23 10:32:50 EDT
Description of problem:
After upgrading from F18 to F20 I've gathered a few interesting denied entries in audit.log.

I was running with SELinux disabled, then switched to permissive and relabeled (after reboot); the first lines (systemd-tmpfile) are probably from that.

Other denials appeared during a few days of usage and because of permissive I'm not sure what they would/could really break.

> type=AVC msg=audit(1382389290.662:9): avc:  denied  { setattr } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:10): avc:  denied  { relabelfrom } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:11): avc:  denied  { relabelto } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.950:17): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/dev/initctl" dev="devtmpfs" ino=11280 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
> type=AVC msg=audit(1382389290.950:18): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/proc/kcore" dev="proc" ino=4026532044 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> type=AVC msg=audit(1382392266.078:29): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392266.078:30): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392288.000:720): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382392292.537:726): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392292.537:727): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382468137.663:1724): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382477977.881:1881): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382491020.367:2134): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file


Version-Release number of selected component (if applicable):

libselinux.i686                          2.1.13-19.fc20                  @System
libselinux.x86_64                        2.1.13-19.fc20                  @System
libselinux-devel.x86_64                  2.1.13-19.fc20                  @System
libselinux-python.x86_64                 2.1.13-19.fc20                  @System
libselinux-ruby.x86_64                   2.1.13-19.fc20                  @System
libselinux-utils.x86_64                  2.1.13-19.fc20                  @System
selinux-policy.noarch                    3.12.1-75.fc20                  @System
selinux-policy-targeted.noarch           3.12.1-75.fc20                  @System

systemd.x86_64                           208-2.fc20                      @System
ConsoleKit.x86_64                        0.4.5-7.fc20                    @System
util-linux.x86_64                        2.24-0.1.fc20                   @System



Sorry if it's an issue that I put it in one general bug, not sure how avc denials should be reported properly.
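
An added example, not part of the original report: a short Python script that collapses raw AVC records like the ones quoted above into one entry per (source type, target type, object class), so repeated denials are counted once and each domain can be triaged or reported on its own. The sample lines are copied from this report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Five records copied from the audit.log excerpt in this report.
SAMPLE = """\
type=AVC msg=audit(1382389290.662:9): avc:  denied  { setattr } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.663:10): avc:  denied  { relabelfrom } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.950:18): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/proc/kcore" dev="proc" ino=4026532044 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
type=AVC msg=audit(1382392288.000:720): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1382468137.663:1724): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    # A context is user:role:type:level[...]; the type is the third field,
    # even when an MLS range such as s0-s0:c0.c1023 adds more colons.
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comm": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comm"].add(rec["comm"])
        groups[key]["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} x{g['count']} ({', '.join(sorted(g['comm']))})")
```
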
Comment 1 Miroslav Grepl 2013-10-24 09:25:59 EDT
Pavel,
could you try to update to the latest policy?
