Description of problem:
----
time->Thu Mar 27 10:51:35 2014
type=SYSCALL msg=audit(1395913895.114:450): arch=c000003e syscall=2 success=yes exit=7 a0=7f11ea247f26 a1=80100 a2=0 a3=7f11e95817b8 items=0 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1395913895.114:450): avc: denied { open } for pid=2200 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1395913895.114:450): avc: denied { read } for pid=2200 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file

It's probably due to the recently announced systemd feature using PrivateDevices=yes in systemd services.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-39.fc21.noarch
systemd-212-1.fc21.x86_64
*** Bug 1081412 has been marked as a duplicate of this bug. ***
*** Bug 1081411 has been marked as a duplicate of this bug. ***
Working on a fix.
Could you point me to the fix please?
commit: 84e36153698719af9b355a673f352f0716a9df95
url: git://git.fedorahosted.org/selinux-policy.git
This is a systemd issue. systemd needs to make sure the newly created devices are labeled correctly. Either using udev or running restorecon on them before handing them to the containerized process.
Description of problem:
Launching nautilus

Additional info:
reporter: libreport-2.2.0
hashmarkername: setroubleshoot
kernel: 3.14.0-0.rc8.git0.1.fc21.x86_64
type: libreport
Description of problem:
Happened on boot of current Rawhide.

Additional info:
reporter: libreport-2.2.0
hashmarkername: setroubleshoot
kernel: 3.14.0-0.rc8.git0.1.fc21.x86_64
type: libreport
*** Bug 1081963 has been marked as a duplicate of this bug. ***
*** Bug 1082067 has been marked as a duplicate of this bug. ***
Description of problem:
I did nothing special, just installed the latest rawhide updates and rebooted + logged into gnome3 again.

Additional info:
reporter: libreport-2.2.0
hashmarkername: setroubleshoot
kernel: 3.14.0-1.fc21.x86_64
type: libreport
Description of problem:
AVC after reboot.

Version-Release number of selected component:
selinux-policy-3.13.1-45.fc21.noarch

Additional info:
reporter: libreport-2.2.1
hashmarkername: setroubleshoot
kernel: 3.15.0-0.rc0.git12.2.fc21.i686
type: libreport
Description of problem:
Using my system normally, and saw this denial pop up.

Additional info:
reporter: libreport-2.2.1
hashmarkername: setroubleshoot
kernel: 3.15.0-0.rc0.git9.1.fc21.x86_64
type: libreport
Description of problem:
Shows up on boot of current Rawhide.

Version-Release number of selected component:
selinux-policy-3.13.1-48.fc21.noarch

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.15.0-0.rc2.git3.2.fc21.x86_64
type: libreport
Description of problem:
Using the system normally

Version-Release number of selected component:
selinux-policy-3.13.1-48.fc21.noarch

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.15.0-0.rc3.git5.1.fc21.x86_64
type: libreport
*** Bug 1096543 has been marked as a duplicate of this bug. ***
Description of problem:
Tried to start a docker container, and got the SELinux alert.

Version-Release number of selected component:
selinux-policy-3.13.1-55.fc21.noarch

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.15.0-0.rc8.git3.1.fc21.x86_64
type: libreport
Description of problem:
Attempted to add a torrent to Transmission by clicking a magnet link within Firefox.

Version-Release number of selected component:
selinux-policy-3.13.1-55.fc21.noarch

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.15.0-0.rc8.git2.2.fc21.x86_64
type: libreport
Hmm, I thought the kernel could derive the right label from the file name nowadays when we create need nodes in the file system. Can't we use that here?
If the /dev is labeled device_t then the kernel will probably label the content correctly. Currently there is a combination of udev and the kernel watching for devices being created on device_t directories.
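As an added example (not code from this bug report, systemd or selinux-policy), a small Python parser for AVC records like the ones above that flags denials on device nodes whose target label is the generic tmpfs_t rather than a device type, which is the signature of a private /dev that was never relabeled. The sample records are constructed from the denial in the original report.

```python
"""Parse audit AVC records and flag device nodes that carry a filesystem
label (tmpfs_t) instead of a device label, as seen when a unit runs with
PrivateDevices=yes and its private /dev is not relabeled."""
import re
from typing import Dict, List

# Constructed sample records, modelled on the denial in the original report.
# The third record targets a correctly labeled node and must not be flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1395913895.114:450): avc: denied { open } for pid=2200 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1395913895.114:450): avc: denied { read } for pid=2200 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1395913900.001:451): avc: denied { read } for pid=2300 comm="sshd" name="urandom" dev="devtmpfs" ino=1029 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

# "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, str]:
    """Return the fields of one AVC record, or {} for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    rec = {"perms": m.group("perms").strip()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context: str) -> str:
    """Extract the type field from a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def mislabeled_device_denials(audit_text: str) -> List[Dict[str, str]]:
    """Denials on char/block device nodes whose target carries tmpfs_t,
    i.e. a device node created in a private tmpfs /dev without restorecon."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") not in ("chr_file", "blk_file"):
            continue
        if selinux_type(rec.get("tcontext", "")) == "tmpfs_t":
            hits.append(rec)
    return hits
```

Run it over `ausearch -m AVC` output; a hit means the service's private /dev nodes need relabeling (udev or restorecon) rather than a policy change allowing access to tmpfs_t.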
Description of problem:
Opened nautilus.

Version-Release number of selected component:
selinux-policy-3.13.1-59.fc21.noarch

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.15.0-1.fc21.x86_64
type: libreport
Fixed in http://cgit.freedesktop.org/systemd/systemd/commit/?id=dd078a1.
Description of problem:
Started nautilus.

Version-Release number of selected component:
selinux-policy-3.13.1-60.fc21.noarch

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.15.1
type: libreport