Bug 1081429 - PrivateDevices= should selinux relabel the namespace's device nodes
Summary: PrivateDevices= should selinux relabel the namespace's device nodes
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1081411 1081412 1081963 1082067 1096543
Depends On:
Blocks:
Reported: 2014-03-27 09:58 UTC by Petr Lautrbach
Modified: 2014-06-23 05:22 UTC

Fixed In Version: systemd-214-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-23 05:22:20 UTC
Type: Bug
Embargoed:



Description Petr Lautrbach 2014-03-27 09:58:41 UTC
Description of problem:
----
time->Thu Mar 27 10:51:35 2014
type=SYSCALL msg=audit(1395913895.114:450): arch=c000003e syscall=2 success=yes exit=7 a0=7f11ea247f26 a1=80100 a2=0 a3=7f11e95817b8 items=0 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1395913895.114:450): avc:  denied  { open } for  pid=2200 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1395913895.114:450): avc:  denied  { read } for  pid=2200 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file

It's probably due to the recently announced systemd feature using PrivateDevices=yes in systemd services.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-39.fc21.noarch
systemd-212-1.fc21.x86_64
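
The two AVC records above have a recognisable signature: a chr_file denial whose target context is the tmpfs default type (tmpfs_t) rather than a device type, on a node living on a tmpfs. That is what a device node created in a PrivateDevices= tmpfs and never relabeled looks like. The following triage helper is an added example, not code from this report or from systemd or selinux-policy; it parses audit AVC lines of the shape shown here (the sample input is constructed from the records in the report plus one ordinary file denial that must not be flagged) and picks out the denials that point at an unlabeled private /dev rather than at a genuine policy gap.

```python
"""Triage SELinux AVC denials that stem from an unlabeled private /dev.

Added example (not part of the bug report, systemd or selinux-policy).
A denial on a chr_file/blk_file whose tcontext type is tmpfs_t means the
node was created on a tmpfs (as PrivateDevices=yes does) and never got a
device label, so the right fix is relabeling the namespace's /dev, not a
policy change granting access to tmpfs_t.
"""
import re
from dataclasses import dataclass

# Constructed sample: the SYSCALL and AVC lines from the report, plus one
# unrelated file denial that a correct triage must leave alone.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1395913895.114:450): arch=c000003e syscall=2 success=yes exit=7 items=0 ppid=1 pid=2200 uid=0 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1395913895.114:450): avc:  denied  { open } for  pid=2200 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1395913895.114:450): avc:  denied  { read } for  pid=2200 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=34911 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1395913900.000:451): avc:  denied  { write } for  pid=2300 comm="example" path="/etc/passwd" dev="dm-0" ino=123 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVICE_CLASSES = {"chr_file", "blk_file"}


@dataclass
class AvcRecord:
    serial: int
    result: str
    perms: frozenset
    fields: dict

    @property
    def tclass(self):
        return self.fields.get("tclass", "")

    @property
    def target_type(self):
        # A context is user:role:type[:level]; the type is the third component.
        parts = self.fields.get("tcontext", "").split(":")
        return parts[2] if len(parts) > 2 else ""

    @property
    def target(self):
        # The kernel logs either a full path or just the basename.
        return self.fields.get("path") or self.fields.get("name") or "?"


def parse_avc(line):
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(int(m.group("serial")), m.group("result"),
                     frozenset(m.group("perms").split()), fields)


def is_unlabeled_device_denial(rec):
    """True when a device node was denied because it still carries the tmpfs default label."""
    return (rec.result == "denied"
            and rec.tclass in DEVICE_CLASSES
            and rec.target_type == "tmpfs_t")


def triage(audit_text):
    """Return the AVC records in audit_text that indicate an unlabeled private /dev."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and is_unlabeled_device_denial(rec):
            hits.append(rec)
    return hits


def describe(rec):
    """One-line summary of a flagged record for a report."""
    return (f"serial {rec.serial}: pid {rec.fields.get('pid')} ({rec.fields.get('comm')}) "
            f"denied {{ {' '.join(sorted(rec.perms))} }} on {rec.target} labeled {rec.target_type}; "
            f"device node in a private /dev was not relabeled")


if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT):
        print(describe(rec))
```

Run against the sample it reports the two urandom denials and ignores the /etc/passwd one; fed `ausearch -m AVC` output it applies the same test to every record.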

Comment 1 Miroslav Grepl 2014-03-27 10:20:41 UTC
*** Bug 1081412 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2014-03-27 10:20:54 UTC
*** Bug 1081411 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2014-03-27 12:38:47 UTC
Working on a fix.

Comment 4 Petr Lautrbach 2014-03-27 12:59:27 UTC
Could you point me to the fix please?

Comment 5 Miroslav Grepl 2014-03-27 13:01:22 UTC
commit: 84e36153698719af9b355a673f352f0716a9df95
url: git://git.fedorahosted.org/selinux-policy.git

Comment 6 Daniel Walsh 2014-03-27 13:29:56 UTC
This is a systemd issue.

systemd needs to make sure the newly created devices are labeled correctly.  Either using udev or running restorecon on them before handing them to the containerized process.

Comment 7 sangu 2014-03-28 00:18:13 UTC
Description of problem:
Launching nautilus

Additional info:
reporter:       libreport-2.2.0
hashmarkername: setroubleshoot
kernel:         3.14.0-0.rc8.git0.1.fc21.x86_64
type:           libreport

Comment 8 Adam Williamson 2014-03-28 00:29:39 UTC
Description of problem:
Happened on boot of current Rawhide.

Additional info:
reporter:       libreport-2.2.0
hashmarkername: setroubleshoot
kernel:         3.14.0-0.rc8.git0.1.fc21.x86_64
type:           libreport

Comment 9 Miroslav Grepl 2014-03-28 10:38:32 UTC
*** Bug 1081963 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2014-03-28 19:04:02 UTC
*** Bug 1082067 has been marked as a duplicate of this bug. ***

Comment 11 Hans de Goede 2014-04-02 12:29:51 UTC
Description of problem:
I did nothing special, just installed the latest rawhide updates and rebooted + logged into gnome3 again.

Additional info:
reporter:       libreport-2.2.0
hashmarkername: setroubleshoot
kernel:         3.14.0-1.fc21.x86_64
type:           libreport

Comment 12 Fidel Leon 2014-04-14 10:41:36 UTC
Description of problem:
AVC after reboot.

Version-Release number of selected component:
selinux-policy-3.13.1-45.fc21.noarch

Additional info:
reporter:       libreport-2.2.1
hashmarkername: setroubleshoot
kernel:         3.15.0-0.rc0.git12.2.fc21.i686
type:           libreport

Comment 13 Jared Smith 2014-04-14 13:09:22 UTC
Description of problem:
Using my system normally, and saw this denial pop up.

Additional info:
reporter:       libreport-2.2.1
hashmarkername: setroubleshoot
kernel:         3.15.0-0.rc0.git9.1.fc21.x86_64
type:           libreport

Comment 14 Adam Williamson 2014-05-01 18:23:42 UTC
Description of problem:
Shows up on boot of current Rawhide.

Version-Release number of selected component:
selinux-policy-3.13.1-48.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.0-0.rc2.git3.2.fc21.x86_64
type:           libreport

Comment 15 Jared Smith 2014-05-05 22:41:46 UTC
Description of problem:
Using the system normally

Version-Release number of selected component:
selinux-policy-3.13.1-48.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.0-0.rc3.git5.1.fc21.x86_64
type:           libreport

Comment 16 Miroslav Grepl 2014-05-20 10:58:15 UTC
*** Bug 1096543 has been marked as a duplicate of this bug. ***

Comment 17 Jared Smith 2014-06-06 20:20:42 UTC
Description of problem:
Tried to start a docker container, and got the SELinux alert.

Version-Release number of selected component:
selinux-policy-3.13.1-55.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.0-0.rc8.git3.1.fc21.x86_64
type:           libreport

Comment 18 Matt Armes 2014-06-11 19:07:21 UTC
Description of problem:
Attempted to add a torrent to Transmission by clicking a magnet link within Firefox.

Version-Release number of selected component:
selinux-policy-3.13.1-55.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.0-0.rc8.git2.2.fc21.x86_64
type:           libreport

Comment 19 Lennart Poettering 2014-06-17 11:58:24 UTC
Hmm, I thought the kernel could derive the right label from the file name nowadays when we create new nodes in the file system. Can't we use that here?

Comment 20 Daniel Walsh 2014-06-17 20:15:28 UTC
If the /dev is labeled device_t then the kernel will probably label the content correctly.  Currently there is a combination of udev and the kernel watching for devices being created on device_t directories.

Comment 21 Fabio Valentini 2014-06-18 18:38:33 UTC
Description of problem:
Opened nautilus.

Version-Release number of selected component:
selinux-policy-3.13.1-59.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.0-1.fc21.x86_64
type:           libreport

Comment 22 Zbigniew Jędrzejewski-Szmek 2014-06-18 18:41:08 UTC
Fixed in http://cgit.freedesktop.org/systemd/systemd/commit/?id=dd078a1.

Comment 23 Fabio Valentini 2014-06-20 13:40:29 UTC
Description of problem:
Started nautilus.

Version-Release number of selected component:
selinux-policy-3.13.1-60.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.1
type:           libreport
