1170085 – SELinux is preventing /usr/bin/systemd-ask-password from 'write' accesses on the directory ask-password.

Bug 1170085 - SELinux is preventing /usr/bin/systemd-ask-password from 'write' accesses on the directory ask-password.

Summary: SELinux is preventing /usr/bin/systemd-ask-password from 'write' accesses on ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	21
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:1d7bdb2b9eac8432606a4cab08e...
Duplicates (7):	1170080 1170082 1170086 1170087 1170088 1170090 1170091 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-12-03 08:44 UTC by autarch princeps
Modified:	2014-12-18 06:04 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.13.1-103.fc21
Clone Of:
Environment:
Last Closed:	2014-12-18 06:04:55 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description autarch princeps 2014-12-03 08:44:21 UTC

Description of problem:
SELinux is preventing /usr/bin/systemd-ask-password from 'write' accesses on the directory ask-password.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es systemd-ask-password standardmässig erlaubt sein sollte, write Zugriff auf ask-password directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep systemd-ask-pas /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:systemd_passwd_var_run_t:s0
Target Objects                ask-password [ dir ]
Source                        systemd-ask-pas
Source Path                   /usr/bin/systemd-ask-password
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-216-12.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.17.4-301.fc21.x86_64 #1 SMP Thu
                              Nov 27 19:09:10 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-12-03 09:06:33 CET
Last Seen                     2014-12-03 09:37:09 CET
Local ID                      904d87ab-13ff-4a2d-a22d-e0e51521584e

Raw Audit Messages
type=AVC msg=audit(1417595829.552:475): avc:  denied  { write } for  pid=3631 comm="systemd-ask-pas" name="ask-password" dev="tmpfs" ino=1204 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1417595829.552:475): avc:  denied  { add_name } for  pid=3631 comm="systemd-ask-pas" name="tmp.tQ6m9B" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1417595829.552:475): avc:  denied  { create } for  pid=3631 comm="systemd-ask-pas" name="tmp.tQ6m9B" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file permissive=1


type=AVC msg=audit(1417595829.552:475): avc:  denied  { read write open } for  pid=3631 comm="systemd-ask-pas" path="/run/systemd/ask-password/tmp.tQ6m9B" dev="tmpfs" ino=43869 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1417595829.552:475): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fff3ea5ebe0 a1=800c2 a2=180 a3=63c0 items=0 ppid=3630 pid=3631 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-ask-pas exe=/usr/bin/systemd-ask-password subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: systemd-ask-pas,openvpn_t,systemd_passwd_var_run_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Potential duplicate: bug 1151968

Comment 1 Lukas Vrabec 2014-12-03 12:19:56 UTC

*** Bug 1170086 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2014-12-03 12:20:11 UTC

*** Bug 1170087 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2014-12-03 12:20:32 UTC

*** Bug 1170088 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2014-12-03 12:21:09 UTC

*** Bug 1170090 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2014-12-03 12:21:34 UTC

*** Bug 1170091 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2014-12-03 12:21:56 UTC

*** Bug 1170080 has been marked as a duplicate of this bug. ***

Comment 7 Lukas Vrabec 2014-12-03 12:22:22 UTC

*** Bug 1170082 has been marked as a duplicate of this bug. ***

Comment 8 Lukas Vrabec 2014-12-03 12:27:22 UTC

commit dc317264e402f77a3e7df1742e0af4218696e27f
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 3 13:23:59 2014 +0100

    Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)

Comment 9 Fedora Update System 2014-12-15 13:04:50 UTC

selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21

Comment 10 Fedora Update System 2014-12-17 04:40:39 UTC

Package selinux-policy-3.13.1-103.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-103.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-17044/selinux-policy-3.13.1-103.fc21
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-12-18 06:04:55 UTC

selinux-policy-3.13.1-103.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.