Description of problem:
While updating to Rawhide from Fedora 20, SELinux produced the following message. Follow the steps on https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#To_rawhide
The message is produced during the stage:
yum -y --releasever=rawhide distro-sync --nogpgcheck

Version-Release number of selected component (if applicable):
systemd x86_64 210-7.fc21 rawhide
sysstat x86_64 10.2.1-1.fc21 rawhide
libselinux x86_64 2.2.2-6.fc21 rawhide
selinux-policy noarch 3.13.1-30.fc21 rawhide

How reproducible:
Deterministic

Steps to Reproduce:
1. Follow the steps in the link above.

Actual results:
type=PATH msg=audit(1394448601.666:803): item=2 name=(null) inode=940855 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(1394448601.666:803): item=1 name=(null) inode=918461 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1394448601.666:803): item=0 name="/usr/lib64/sa/sa1" inode=936214 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysstat_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(1394448601.666:803): cwd="/root"
type=EXECVE msg=audit(1394448601.666:803): argc=4 a0="/bin/sh" a1="/usr/lib64/sa/sa1" a2="1" a3="1"
type=SYSCALL msg=audit(1394448601.666:803): arch=c000003e syscall=59 success=yes exit=0 a0=1a73c30 a1=1a73e50 a2=1a72d40 a3=3f0b27f items=3 ppid=24058 pid=24063 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm="sa1" exe="/usr/bin/bash" subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1394448601.666:803): avc: denied { write } for pid=24063 comm="sa1" path="/run/systemd/sessions/2.ref" dev="tmpfs" ino=46179 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file

Expected results:
No AVC denial

Additional info:
I'm back here and I have got a deterministic reproducer:
1) Install stable Fedora 20
2) Update to Rawhide (using yum)
3) Install sysstat

Every 10 minutes I have got a new AVC:
type=AVC msg=audit(1397835601.713:700): avc: denied { write } for pid=6565 comm="sa1" path="/run/systemd/sessions/14.ref" dev="tmpfs" ino=224051 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1397835601.713:700): arch=x86_64 syscall=execve success=yes exit=0 a0=a74bf0 a1=a74e10 a2=a73d00 a3=8 items=0 ppid=6551 pid=6565 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=14 comm=sa1 exe=/usr/bin/bash subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

I did some more research, but still nothing interesting.
We are going to add dontaudit rules until there is a fix.
Please don't. I have seen Jakub come up with a better solution.
(In reply to Šimon Lukašík from comment #4)
> Please don't. I have seen Jakub come up with a better solution.

Which one? We just added an SELinux workaround. This bug is still open.
(In reply to Miroslav Grepl from comment #5)
> This bug is still open.

But it is not a bug against selinux. Hold on. Good things sometimes take time.
*** Bug 1091196 has been marked as a duplicate of this bug. ***
To understand what is going on here:

* Cron is acquiring a session from pam. It is redirected to systemd and an fd to the above-mentioned file is returned (new in Rawhide, it doesn't appear in FC20).
* Cron is doing exec and at this moment the AVC appears, if there is some system call or so in the callee program. I can reproduce it with a plain sleep call in a shell script.
* Cron should close this file descriptor before exec. I can go through all the file descriptors and close them. But simply setting fcntl(fd, F_SETFD, FD_CLOEXEC); works too. So there will be a question for the systemd colleagues whether this shouldn't be there by default - I can't find any documentation about these files.
* I sent a patch to the cronie-devel list to fix this issue in cron.
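The close-on-exec fix described in the comment above, as an added example that is not the cronie patch: a pipe stands in for the session .ref FIFO that pam_systemd hands back to cron, a forked /bin/sh checks whether an exec'd child still holds the descriptor, and fcntl(F_SETFD, FD_CLOEXEC) closes the leak. The function names and the pipe stand-in are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, keeping its other FD flags. 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Does fd survive exec, the way the session fd reached sa1 in the report?
 * Forks and execs /bin/sh with ": >&N"; that redirection succeeds only if
 * N is still open in the child. Returns 1 (inherited), 0 (closed), -1 (error). */
int fd_survives_exec(int fd)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY); /* hide "Bad file descriptor" */
        if (devnull != -1) { dup2(devnull, STDERR_FILENO); close(devnull); }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Constructed stand-in (assumption): a pipe plays the session .ref FIFO that
 * pam_systemd hands back. Returns 1 if the leak shows up and FD_CLOEXEC closes it. */
int demo(void)
{
    int p[2];
    if (pipe(p) == -1) return 0;
    int leaked = fd_survives_exec(p[1]) == 1;               /* child inherits it */
    int fixed  = set_cloexec(p[1]) == 0 && fd_survives_exec(p[1]) == 0;
    close(p[0]); close(p[1]);
    return leaked && fixed;
}

int main(void)
{
    return puts(demo() ? "leak reproduced, then closed across exec by FD_CLOEXEC" : "unexpected") < 0;
}
```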
There is a commit that should fix this issue in cronie: https://git.fedorahosted.org/cgit/cronie.git/commit/?id=b2c8cbcef8c97b5a175d6e71995249b288707b0f