Description of problem: Triggered after update SELinux is preventing /usr/lib/systemd/systemd-logind from 'read' accesses on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed read access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ dir ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host (removed) Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 2 First Seen 2014-03-15 13:47:13 PDT Last Seen 2014-03-15 13:47:13 PDT Local ID 1315b861-ce6f-4191-b155-4df745adfa53 Raw Audit Messages type=AVC msg=audit(1394916433.413:379): avc: denied { read } for pid=613 comm="systemd-logind" name="/" dev="tmpfs" ino=25230 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir type=SYSCALL msg=audit(1394916433.413:379): arch=x86_64 syscall=open success=no exit=EACCES a0=7f7e19b23fe0 a1=f0800 a2=1 a3=7f7e181a4440 items=0 ppid=1 pid=613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,dir,read Additional info: reporter: libreport-2.2.0 hashmarkername: setroubleshoot kernel: 3.14.0-0.rc6.git4.1.fc21.x86_64 type: libreport
Description of problem: booted system Additional info: reporter: libreport-2.2.0 hashmarkername: setroubleshoot kernel: 3.14.0-0.rc6.git3.1.fc21.x86_64 type: libreport
I can't see gdm after update systemd and reboot. After allowing this things - it works again.
as I know - it fixed in upstream, but not packaged in Fedora. https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=4b70caa31bd37c443ac42520c73a9784b1210f25
*** Bug 1076862 has been marked as a duplicate of this bug. ***
Description of problem: on rawhide Additional info: reporter: libreport-2.2.0 hashmarkername: setroubleshoot kernel: 3.14.0-0.rc6.git4.1.fc21.x86_64 type: libreport
http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/37.fc21/noarch/selinux-policy-3.13.1-37.fc21.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/37.fc21/noarch/selinux-policy-targeted-3.13.1-37.fc21.noarch.rpm
I'm still seeing three of these, on trying to log in from GDM to GNOME, with selinux-policy 3.13.1-38. Login fails. SELinux is preventing /usr/lib/systemd/systemd-logind from read access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed read access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ dir ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host (removed) Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux adam.happyassassin.net 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 36 First Seen 2014-03-13 19:01:01 PDT Last Seen 2014-03-17 13:16:12 PDT Local ID 3149aabb-7733-488e-9825-02700dbe3a24 Raw Audit Messages type=AVC msg=audit(1395087372.437:605): avc: denied { read } for pid=919 comm="systemd-logind" name="/" dev="tmpfs" ino=22732 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir type=SYSCALL msg=audit(1395087372.437:605): arch=x86_64 syscall=open success=yes exit=EISDIR a0=7fe1cc80b420 a1=f0800 a2=0 a3=fffffffffffff5b8 items=0 ppid=1 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,dir,read SELinux is preventing /usr/lib/systemd/systemd-logind from unlink access on the sock_file . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed unlink access on the sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ sock_file ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host adam.happyassassin.net Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name adam.happyassassin.net Platform Linux adam.happyassassin.net 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 4 First Seen 2014-03-14 09:00:45 PDT Last Seen 2014-03-17 13:16:12 PDT Local ID 41816437-c178-4979-a713-c18a93cb5adc Raw Audit Messages type=AVC msg=audit(1395087372.438:607): avc: denied { unlink } for pid=919 comm="systemd-logind" name="private" dev="tmpfs" ino=23806 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file type=SYSCALL msg=audit(1395087372.438:607): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=17 a1=7fe1cc81ef93 a2=0 a3=0 items=0 ppid=1 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,sock_file,unlink SELinux is preventing /usr/lib/systemd/systemd-logind from rmdir access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-logind should be allowed rmdir access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ dir ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host adam.happyassassin.net Source RPM Packages systemd-211-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-36.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name adam.happyassassin.net Platform Linux adam.happyassassin.net 3.14.0-0.rc6.git4.1.fc21.x86_64 #1 SMP Fri Mar 14 20:07:37 UTC 2014 x86_64 x86_64 Alert Count 34 First Seen 2014-03-13 19:01:01 PDT Last Seen 2014-03-17 13:16:12 PDT Local ID 18874852-8601-4ec6-aa32-83ac8505d775 Raw Audit Messages type=AVC msg=audit(1395087372.438:608): avc: denied { rmdir } for pid=919 comm="systemd-logind" name="systemd" dev="tmpfs" ino=23797 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir type=SYSCALL msg=audit(1395087372.438:608): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=15 a1=7fe1cc816fb3 a2=200 a3=0 items=0 ppid=1 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,tmpfs_t,dir,rmdir
Hum, actually, those aren't from a boot with -38. Logging in from GDM to GNOME, even with -38, still definitely fails for me in enforcing mode, only works in permissive...but I can't find any AVCs that look relevant. The only AVCs I have are for tumblerd , and are the good old fifo_file one: happyassassin.net type=AVC msg=audit(1395088376.092:603): avc: denied { write } for pid=3240 comm="tumblerd" path="/run/systemd/sessions/1.ref" dev="tmpfs" ino=27575 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file is that likely to be preventing GNOME from working?
No. Did you check user_avc?
What is state of this bug?