Description of problem:
systemd-tmpfiles has denied getattr operation on /var/tmp/beakerlib-*/shadow or /var/tmp/beakerlib-*/gshadow

Found AVC:

time->Thu Feb 13 12:46:32 2014
type=PATH msg=audit(1392313592.158:1025): item=0 name="gshadow" inode=134635873 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL
type=CWD msg=audit(1392313592.158:1025): cwd="/"
type=SYSCALL msg=audit(1392313592.158:1025): arch=c000003e syscall=262 success=no exit=-13 a0=7 a1=7faa0db67b93 a2=7fff7066b8d0 a3=100 items=1 ppid=1 pid=18499 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1392313592.158:1025): avc: denied { getattr } for pid=18499 comm="systemd-tmpfile" path="/var/tmp/beakerlib-19155697/backup-authconfiglib/etc/gshadow" dev="dm-1" ino=134635873 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
time->Thu Feb 13 12:46:32 2014
type=PATH msg=audit(1392313592.158:1026): item=0 name="shadow" inode=134884534 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL
type=CWD msg=audit(1392313592.158:1026): cwd="/"
type=SYSCALL msg=audit(1392313592.158:1026): arch=c000003e syscall=262 success=no exit=-13 a0=7 a1=7faa0db67d1b a2=7fff7066b8d0 a3=100 items=1 ppid=1 pid=18499 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1392313592.158:1026): avc: denied { getattr } for pid=18499 comm="systemd-tmpfile" path="/var/tmp/beakerlib-19155697/backup-authconfiglib/etc/shadow" dev="dm-1" ino=134884534 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-125.el7
I don't know the beaker version; the problem appeared in the following job:
https://beaker.engineering.redhat.com/jobs/592851

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Adding 'x /var/tmp/beaker*' to /etc/tmpfiles.d/beaker.conf may be a solution for this case.
I have no idea what I should fix. That file was backed up by rlFileBackup, it seems. I don't know what systemd-tmpfile is, what it is trying to do, or what is really the problem. Please elaborate on what the test does, and what it is supposed to do after the fix.
What happened?
* the systemd-tmpfiles process called getattr on files located in a /var/tmp/beakerlib-* directory which were backed up by rlFileBackup()
* these files were labeled shadow_t, which is correct, because they are copies of /etc/shadow and /etc/gshadow
* SELinux prevented systemd-tmpfiles from getattr access (and most likely prevented other actions that would follow)

Possible solutions:
* add allow rules to selinux-policy which would allow this kind of access (disadvantage: systemd_tmpfiles_t would be very powerful, because it would be able to read almost everything on the machine)
* add dontaudit rules to selinux-policy which would hide the AVCs (disadvantage: could hide other problems in the future)
* make sure that systemd-tmpfiles will not run while our TCs are running
* keep systemd-tmpfiles running, but instruct systemd-tmpfiles to skip /var/tmp/beaker* directories

I'm not sure if beakerlib is the right place to fix this problem.
systemd-tmpfiles is a thing that keeps various temporary directories in shape (removes clutter and pre-creates stuff that programs expect to exist). Sort of like tmpwatch on steroids. In our case, I guess we want it to stop touching the beakerlib stuff at all (we want to keep it forever, right?). To do that, the beakerlib package should include the file /usr/lib/tmpfiles.d/beakerlib.conf containing

x /var/tmp/beakerlib-*

That should do the trick (but I didn't test it :)). Once systemd-tmpfiles is out of the way, SELinux will calm down.
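To make the analysis in the previous two comments concrete, here is an added example (not code from the bug report or from beakerlib) that parses the type=AVC records quoted above into source domain, target type, object class, permission and path, groups the denials, and then checks each denied path against the 'x' lines of a tmpfiles.d snippet to show which denials the proposed exclusion would avoid. The two AVC lines are copied from the report; the third record, the exclusion snippet's file name and the helper names are constructed for the example. It assumes, as tmpfiles.d(5) describes for 'x' lines, that a glob matching a directory also excludes everything beneath it.

```python
import fnmatch
import os
import re

# Two AVC records copied from the bug report (PATH/CWD/SYSCALL records omitted).
AVC_LINES = [
    'type=AVC msg=audit(1392313592.158:1025): avc: denied { getattr } for pid=18499 '
    'comm="systemd-tmpfile" path="/var/tmp/beakerlib-19155697/backup-authconfiglib/etc/gshadow" '
    'dev="dm-1" ino=134635873 scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1392313592.158:1026): avc: denied { getattr } for pid=18499 '
    'comm="systemd-tmpfile" path="/var/tmp/beakerlib-19155697/backup-authconfiglib/etc/shadow" '
    'dev="dm-1" ino=134884534 scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

# Constructed record: same denial, but for a path the beakerlib exclusion would not cover.
CONSTRUCTED_LINE = (
    'type=AVC msg=audit(1392313592.158:1027): avc: denied { getattr } for pid=18499 '
    'comm="systemd-tmpfile" path="/var/tmp/other-tool/etc/shadow" dev="dm-1" ino=1 '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'
)

# The snippet proposed in the comment above (file name /usr/lib/tmpfiles.d/beakerlib.conf).
BEAKERLIB_CONF = """# keep beakerlib backups out of systemd-tmpfiles clean-up
x /var/tmp/beakerlib-*
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _context_type(ctx):
    """Return the type component of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit AVC record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),          # e.g. ['getattr'] or ['read', 'open']
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'source': _context_type(fields.get('scontext', '')),
        'target': _context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
    }


def parse_tmpfiles_excludes(conf_text):
    """Return the path globs of 'x' lines in a tmpfiles.d snippet (comments/blank lines skipped)."""
    globs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if parts[0] == 'x' and len(parts) >= 2:
            globs.append(parts[1])
    return globs


def excluded_by(path, globs):
    """True if path, or any directory above it, matches one of the 'x' globs."""
    candidate = path
    while True:
        if any(fnmatch.fnmatchcase(candidate, g) for g in globs):
            return True
        parent = os.path.dirname(candidate)
        if parent == candidate:      # reached '/' (or an empty relative path)
            return False
        candidate = parent


def summarize(lines, excludes):
    """Group denials by (source, target, class, permission) and flag whether every
    denied path would be skipped once the 'x' exclusions are in place."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['source'], rec['target'], rec['tclass'], perm)
            entry = summary.setdefault(key, {'count': 0, 'paths': [], 'all_excluded': True})
            entry['count'] += 1
            entry['paths'].append(rec['path'])
            if not excluded_by(rec['path'] or '', excludes):
                entry['all_excluded'] = False
    return summary


if __name__ == '__main__':
    globs = parse_tmpfiles_excludes(BEAKERLIB_CONF)
    for key, entry in summarize(AVC_LINES + [CONSTRUCTED_LINE], globs).items():
        print(key, entry['count'], 'all excluded' if entry['all_excluded'] else 'NOT all excluded')
        for p in entry['paths']:
            print('   ', 'skip' if excluded_by(p, globs) else 'still visited', p)
```

Running it over the two quoted records alone reports a single systemd_tmpfiles_t -> shadow_t:file getattr group whose paths are all covered by the exclusion; adding the constructed record shows the same group marked as not fully covered, which is the check to run before concluding that a tmpfiles.d 'x' line, rather than a policy change, is the right fix for a given set of AVCs.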
I tested it on my machine and it works.
beakerlib-1.9-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/beakerlib-1.9-1.fc20
Package beakerlib-1.9-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing beakerlib-1.9-1.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7442/beakerlib-1.9-1.fc20
then log in and leave karma (feedback).
beakerlib-1.9-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/beakerlib-1.9-2.fc20
Please consider the package fixing this bug available in Fedora stable repos once bz1116308 is closed and in RHEL stable repos once bz1116317 is closed.

Fixed in:
beakerlib-1.9-2.fc19
beakerlib-1.9-2.fc20
beakerlib-1.9-2.fc21
beakerlib-1.9-3.el5
beakerlib-1.9-2.el6
beakerlib-1.9-2.el7
beakerlib-1.9-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/beakerlib-1.9-3.fc20
beakerlib-1.9-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.