Description of problem:
SELinux is preventing /usr/bin/touch from 'create' accesses on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that touch should be allowed create access on file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep touch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:var_lock_t:s0
Target Objects                [ file ]
Source                        touch
Source Path                   /usr/bin/touch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.22-10.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-24.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.14.0-0.rc2.git4.1.fc21.x86_64 #1 SMP Fri Feb 14 20:03:13 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-02-15 23:13:04 CET
Last Seen                     2014-02-15 23:15:44 CET
Local ID                      a78f95cb-5e2b-469c-a4fb-894993e09da6

Raw Audit Messages
type=AVC msg=audit(1392502544.2:126): avc: denied { create } for pid=2774 comm="touch" name="iptables" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

type=AVC msg=audit(1392502544.2:126): avc: denied { write open } for pid=2774 comm="touch" path="/run/lock/subsys/iptables" dev="tmpfs" ino=61815 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

type=SYSCALL msg=audit(1392502544.2:126): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fffc5aa4f63 a1=941 a2=1b6 a3=367b48a4c0 items=0 ppid=2765 pid=2774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=touch exe=/usr/bin/touch subj=system_u:system_r:init_t:s0 key=(null)

Hash: touch,init_t,var_lock_t,file,create
Additional info:
reporter: libreport-2.1.12
hashmarkername: setroubleshoot
kernel: 3.14.0-0.rc2.git4.1.fc21.x86_64
type: libreport
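As an added example (not part of the bug report and not setroubleshoot's own code), the following Python script parses raw AVC records like the ones in the report above and groups them by the same five-field key that setroubleshoot prints as "Hash" (comm, source type, target type, class, permission), which lets a defender see at a glance that repeated alerts are one labeling problem rather than several unrelated denials. The sample records are copied from the report (the SYSCALL line is shortened); the regex and function names are this example's own.

```python
import re
from collections import Counter

# Sample records copied from the raw audit messages in the report (SYSCALL line shortened).
AUDIT_LOG = """\
type=AVC msg=audit(1392502544.2:126): avc: denied { create } for pid=2774 comm="touch" name="iptables" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1392502544.2:126): avc: denied { write open } for pid=2774 comm="touch" path="/run/lock/subsys/iptables" dev="tmpfs" ino=61815 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1392502544.2:126): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fffc5aa4f63 comm=touch exe=/usr/bin/touch subj=system_u:system_r:init_t:s0
"""

# Matches the fields of a denial record: permissions, comm, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field (third colon-separated component) of an SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()          # "{ write open }" carries two permissions
    d["stype"] = selinux_type(d["scontext"])  # e.g. init_t
    d["ttype"] = selinux_type(d["tcontext"])  # e.g. var_lock_t
    return d

def denial_signatures(log_text):
    """Count denials by the setroubleshoot-style key comm,stype,ttype,tclass,perm.
    A record with several permissions yields one key per permission."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[",".join((rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm))] += 1
    return counts

if __name__ == "__main__":
    for sig, n in sorted(denial_signatures(AUDIT_LOG).items()):
        print(f"{n:3d}  {sig}")
```

Feeding the real file (/var/log/audit/audit.log) through denial_signatures gives a deduplicated view of which domain/type pairs are denied, so a mislabeling like init_t acting on var_lock_t stands out before anyone reaches for audit2allow.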
Nicolas, it looks like you have a mislabeled system? What does # ps -efZ |grep init_t show?
*** Bug 1065691 has been marked as a duplicate of this bug. ***
*** Bug 1065692 has been marked as a duplicate of this bug. ***
This is caused by the removal of the transition. Isn't init_t an unconfined domain in Rawhide?
Description of problem:
1. full rawhide dnf update
2. full fixfiles restore
3. clear sealert
4. reboot
5. this avc on startup

Additional info:
reporter: libreport-2.1.12
hashmarkername: setroubleshoot
kernel: 3.14.0-0.rc3.git0.1.fc21.x86_64
type: libreport
Additionally, iptables services are dead unless I activate permissive mode (not good for security at all).
# ps -efZ |grep init_t
system_u:system_r:init_t:s0     root         1     0  0 22:59 ?        00:00:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 23
system_u:system_r:init_t:s0     root       978     1  0 23:00 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     nim        979     1  0 23:00 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     root       989   978  0 23:00 ?        00:00:00 (sd-pam)
system_u:system_r:init_t:s0     nim        990   979  0 23:00 ?        00:00:00 (sd-pam)
system_u:system_r:init_t:s0     gdm       1063     1  0 23:00 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     gdm       1065  1063  0 23:00 ?        00:00:00 (sd-pam)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2707 2625  0 23:07 pts/0    00:00:00 grep --color=auto init_t
(In reply to Daniel Walsh from comment #4)
> This is caused by the removal of the transition. Isn't init_t an unconfined
> domain in Rawhide?

Yeap, just wanted to be sure. I guess Nicolas runs with disabled unconfined module.
(In reply to Miroslav Grepl from comment #8)
> (In reply to Daniel Walsh from comment #4)
> > This is caused by the removal of the transition. Isn't init_t an unconfined
> > domain in Rawhide?
>
> Yeap, just wanted to be sure. I guess Nicolas runs with disabled unconfined
> module.

I don't have any special selinux config, I run whatever is pushed to devel.
# semodule -l |grep unconfined
# semodule -l |grep unconfined
unconfined	3.5.0
unconfineduser	1.0.0
Description of problem:
still broken

Additional info:
reporter: libreport-2.1.12
hashmarkername: setroubleshoot
kernel: 3.14.0-0.rc3.git5.1.fc21.x86_64
type: libreport
Fixed in selinux-policy-3.13.1-26.fc21