Bug 1022567 - avc denied: systemd-tmpfile, systemd-readahe, console-kit-dae, sulogin
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-23 14:32 UTC by Pavel Sedlák
Modified: 2023-09-14 01:52 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-08-22 12:32:48 UTC
Type: Bug



Description Pavel Sedlák 2013-10-23 14:32:50 UTC
Description of problem:
After the upgrade from F18 to F20 I've gathered a few interesting denied entries in audit.log.

I was running with SELinux disabled, then switched to permissive and relabeled (after reboot); the first lines (systemd-tmpfile) are probably from that.

Other denials appeared during a few days of usage, and because of permissive mode I'm not sure what they would/could really break.

> type=AVC msg=audit(1382389290.662:9): avc:  denied  { setattr } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:10): avc:  denied  { relabelfrom } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.663:11): avc:  denied  { relabelto } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
> type=AVC msg=audit(1382389290.950:17): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/dev/initctl" dev="devtmpfs" ino=11280 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
> type=AVC msg=audit(1382389290.950:18): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/proc/kcore" dev="proc" ino=4026532044 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
> type=AVC msg=audit(1382392266.078:29): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392266.078:30): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392288.000:720): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382392292.537:726): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382392292.537:727): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1382468137.663:1724): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382477977.881:1881): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1382491020.367:2134): avc:  denied  { read } for  pid=1702 comm="console-kit-dae" name="machine-id" dev="dm-1" ino=3052602 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file


Version-Release number of selected component (if applicable):

libselinux.i686                          2.1.13-19.fc20                  @System
libselinux.x86_64                        2.1.13-19.fc20                  @System
libselinux-devel.x86_64                  2.1.13-19.fc20                  @System
libselinux-python.x86_64                 2.1.13-19.fc20                  @System
libselinux-ruby.x86_64                   2.1.13-19.fc20                  @System
libselinux-utils.x86_64                  2.1.13-19.fc20                  @System
selinux-policy.noarch                    3.12.1-75.fc20                  @System
selinux-policy-targeted.noarch           3.12.1-75.fc20                  @System

systemd.x86_64                           208-2.fc20                      @System
ConsoleKit.x86_64                        0.4.5-7.fc20                    @System
util-linux.x86_64                        2.24-0.1.fc20                   @System



Sorry if it's an issue that I put it in one general bug; I'm not sure how AVC denials should be reported properly.
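
A triage aid for the denials listed in the description above, as an added example that is not part of the original bug report or of selinux-policy: it groups AVC records by source type, target type and object class (the shape audit2allow reports), so repeated denials collapse into one line each. The function names are hypothetical, and the sample records are a subset copied from the report.

```python
import re
from collections import defaultdict

# Subset of the AVC records from the report above, with the "> " quoting removed.
SAMPLE = """\
type=AVC msg=audit(1382389290.662:9): avc:  denied  { setattr } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.663:10): avc:  denied  { relabelfrom } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.663:11): avc:  denied  { relabelto } for  pid=592 comm="systemd-tmpfile" name="journal" dev="dm-1" ino=33554674 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1382389290.950:18): avc:  denied  { getattr } for  pid=614 comm="sulogin" path="/proc/kcore" dev="proc" ino=4026532044 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
type=AVC msg=audit(1382392266.078:29): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1382392266.078:30): avc:  denied  { open } for  pid=430 comm="systemd-readahe" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1382392292.537:726): avc:  denied  { read } for  pid=430 comm="systemd-readahe" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

# Permissions, command name, and the two security contexts plus object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """A context is user:role:type:level[:categories]; return the type field."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); collect perms, comms, count."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line.lstrip("> "))  # tolerate "> "-quoted lines
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
    return dict(groups)

def as_rules(groups):
    """Render each group in allow-rule shape for human review, not for loading as-is."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        f"  # {g['count']}x {','.join(sorted(g['comms']))}"
        for (s, t, c), g in sorted(groups.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```
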

Comment 1 Miroslav Grepl 2013-10-24 13:25:59 UTC
Pavel,
could you try to update to the latest policy?

Comment 2 Red Hat Bugzilla 2023-09-14 01:52:32 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

