Bug 1184712 - SELinux is preventing /usr/bin/systemctl from using the 'sys_resource' capabilities.
Summary: SELinux is preventing /usr/bin/systemctl from using the 'sys_resource' capabilities.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 21
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cdc2682adf9b9727142d459fe53...
Duplicates: 1185621 1192164 1192233 1196815 1197328
Depends On:
Blocks:
Reported: 2015-01-22 05:32 UTC by Maxim Galamay
Modified: 2015-12-02 17:09 UTC
CC List: 108 users

Fixed In Version: systemd-216-24.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1196815
Environment:
Last Closed: 2015-12-02 07:46:16 UTC
Type: ---
Embargoed:


Attachments
SETroubleshooter AVC output (2.19 KB, text/plain), 2015-04-12 16:26 UTC, Dan Mossor [danofsatx]
setroubleshoot details (1.80 KB, text/plain), 2015-04-14 17:20 UTC, Dave Allan
audit.log excerpt (3.60 KB, text/plain), 2015-04-14 19:24 UTC, Dave Allan
grep 'type=.*AVC' /var/log/audit/audit.log (2.75 KB, text/plain), 2015-04-14 19:48 UTC, Leszek Matok

Description Maxim Galamay 2015-01-22 05:32:33 UTC
Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 1 Doug Huffman 2015-01-22 12:22:40 UTC
Description of problem:
Browsing, I suspect shortly after today's update.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.i686+PAE
type:           libreport

Comment 2 long 2015-01-22 16:20:53 UTC
Description of problem:
no idea.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 3 Berend De Schouwer 2015-01-23 07:37:07 UTC
Description of problem:
Just popped up after waking up the laptop from suspend.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 4 Andrew Stitcher 2015-01-23 14:50:58 UTC
Description of problem:
This happened overnight, probably as the result of a cron job.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 5 Bill Crawford 2015-01-23 20:04:18 UTC
Description of problem:
I came home from work and found a desktop notification of a "SELinux AVC denial".

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 6 Richard Z. 2015-01-24 12:39:33 UTC
Description of problem:
trying to do "telinit 3" as far as I can remember.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.i686+PAE
type:           libreport

Comment 7 Raman Gupta 2015-01-25 15:32:14 UTC
Description of problem:
Overnight this message was issued. I don't see anything in the logs that is obviously related to the system resources listed by the sys_resource plugin.

Journalctl shows that when the access occurred, cron.daily was executing prelink or perhaps rpm, and a systemd "Reexecuting" for some unknown reason is mixed in as well:

Jan 25 03:34:03 edison run-parts[11456]: (/etc/cron.daily) starting prelink
Jan 25 03:35:00 edison dbus[1262]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan 25 03:35:00 edison systemd[1]: Reexecuting.
[various systemd messages about auditd.service being world-inaccessible, and "Could not find init script for xxx"]
Jan 25 03:35:00 edison run-parts[13674]: (/etc/cron.daily) finished prelink
Jan 25 03:35:00 edison run-parts[13676]: (/etc/cron.daily) starting rpm
Jan 25 03:35:00 edison dbus[1262]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 25 03:35:01 edison setroubleshoot[13655]: Plugin Exception restorecon_source
Jan 25 03:35:01 edison setroubleshoot[13655]: SELinux is preventing /usr/bin/systemctl from using the sys_resource capability. For complete SELinux messages. run sealert -l e0f3cdca-1ef0
[plugin sys_resource details]
Jan 25 03:35:02 edison run-parts[13733]: (/etc/cron.daily) finished rpm
Jan 25 03:35:02 edison anacron[7432]: Job `cron.daily' terminated (mailing output)
Jan 25 03:35:03 edison sSMTP[13734]: Sent mail for root (221 2.0.0 Bye) uid=0 username=root outbytes=449
Jan 25 03:35:03 edison anacron[7432]: Normal exit (1 job run)
Jan 25 03:35:12 edison org.fedoraproject.Setroubleshootd[1262]: 'list' object has no attribute 'split'

Then the log continues, seemingly normally (and the system appears to be working normally as well), except that every 5 minutes (along with a cron job) SELinux appears to initialize, and systemd appears to start and stop a bunch of stuff (this did not happen before, and I don't know if it's related to this sys_resource issue or to the new systemd version systemd-216-16.fc21.x86_64):

Jan 25 10:30:01 edison kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jan 25 10:30:01 edison systemd[21415]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jan 25 10:30:01 edison CROND[21427]: (root) CMD (/usr/local/bin/sshreport)
Jan 25 10:30:01 edison systemd[21415]: Starting Paths.
Jan 25 10:30:01 edison systemd[21415]: Reached target Paths.
Jan 25 10:30:01 edison systemd[21415]: Starting Timers.
Jan 25 10:30:01 edison systemd[21415]: Reached target Timers.
Jan 25 10:30:01 edison systemd[21415]: Starting Sockets.
Jan 25 10:30:01 edison systemd[21415]: Reached target Sockets.
Jan 25 10:30:01 edison systemd[21415]: Starting Basic System.
Jan 25 10:30:01 edison systemd[21415]: Reached target Basic System.
Jan 25 10:30:01 edison systemd[21415]: Starting Default.
Jan 25 10:30:01 edison systemd[21415]: Reached target Default.
Jan 25 10:30:01 edison systemd[21415]: Startup finished in 12ms.
Jan 25 10:30:01 edison systemd[21415]: Stopping Default.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Default.
Jan 25 10:30:01 edison systemd[21415]: Stopping Basic System.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Basic System.
Jan 25 10:30:01 edison systemd[21415]: Stopping Paths.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Paths.
Jan 25 10:30:01 edison systemd[21415]: Stopping Timers.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Timers.
Jan 25 10:30:01 edison systemd[21415]: Stopping Sockets.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Sockets.
Jan 25 10:30:01 edison systemd[21415]: Starting Shutdown.
Jan 25 10:30:01 edison systemd[21415]: Reached target Shutdown.
Jan 25 10:30:01 edison systemd[21415]: Starting Exit the Session...
Jan 25 10:30:01 edison systemd[21415]: Received SIGRTMIN+24 from PID 21462 (kill).
Jan 25 10:30:01 edison systemd[21421]: pam_unix(systemd-user:session): session closed for user root

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.2-200.fc21.x86_64
type:           libreport

Comment 8 bztdlinux 2015-01-28 09:35:52 UTC
Description of problem:
This report pops up every day at 3:30 AM.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 9 Daniel Demus 2015-01-28 09:53:18 UTC
Description of problem:
Some background process

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 10 Matthew Cline 2015-02-04 01:12:54 UTC
At least for me, the problem seems to be some combination of prelink and systemd, at least according to what I grepped out of audit.log:

type=AVC msg=audit(1422921802.039:23571): avc:  denied  { sys_resource } for  pid=28892 comm="telinit" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1422921802.039:23571): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff7ea2b090 a2=0 a3=fffffffffffffffe items=0 ppid=15196 pid=28892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=130 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1422963674.028:7451): avc:  denied  { sys_resource } for  pid=17242 comm="telinit" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1422963674.028:7451): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff6c747300 a2=0 a3=fffffffffffffffe items=0 ppid=16943 pid=17242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
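
Added example, not code from the thread: a small Python parser for audit records like the ones quoted above. It pairs each capability AVC with the SYSCALL record carrying the same audit serial, decodes capability 24, syscall 160 and a0=7 into sys_resource, setrlimit and RLIMIT_NOFILE (x86_64 numbers), and flags the systemctl pattern this thread diagnosed so a reviewer can tell it apart from other capability denials. The sample input is the two pairs from this comment plus one constructed pair.

```python
import re
from collections import defaultdict

# One audit record: "type=T msg=audit(SECONDS.MILLIS:SERIAL): <fields>"
_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either "quoted" or a bare run of non-blanks.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Decoders for the numbers these records carry (Linux / x86_64 constants).
CAPABILITIES = {21: "sys_admin", 24: "sys_resource"}
SYSCALLS_X86_64 = {160: "setrlimit", 165: "mount", 302: "prlimit64"}
RLIMITS = {7: "RLIMIT_NOFILE"}
ARCH_X86_64 = "c000003e"


def parse_record(line):
    """Split one audit line into a dict, or return None for non-audit text."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec = {"type": rtype, "ts": float(ts), "serial": int(serial)}
    rec.update((k, v.strip('"')) for k, v in _KV.findall(rest))
    perms = re.search(r"\{([^}]*)\}", rest)  # AVC permission set, e.g. { sys_resource }
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def correlate(lines):
    """Pair each capability AVC with the SYSCALL record sharing its audit serial
    and decode what was attempted. Returns one event dict per denial, in time order."""
    groups = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            groups[(rec["ts"], rec["serial"])][rec["type"]] = rec
    events = []
    for (ts, serial), recs in sorted(groups.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or avc.get("tclass") != "capability":
            continue
        ev = {
            "serial": serial,
            "domain": avc["scontext"].split(":")[2],   # e.g. prelink_cron_system_t
            "comm": avc.get("comm"),
            "capability": CAPABILITIES.get(int(avc["capability"]), avc["capability"]),
            "enforced": avc.get("permissive") == "0",  # 0 = the access was really blocked
        }
        if sc is not None and sc.get("arch") == ARCH_X86_64:
            nr = int(sc["syscall"])
            ev["syscall"] = SYSCALLS_X86_64.get(nr, str(nr))
            ev["exe"] = sc.get("exe")
            if ev["syscall"] in ("setrlimit", "prlimit64"):
                # Register args are hex. setrlimit(resource, ...) carries the
                # resource in a0; prlimit64(pid, resource, ...) carries it in a1.
                arg = sc["a0"] if ev["syscall"] == "setrlimit" else sc["a1"]
                ev["resource"] = RLIMITS.get(int(arg, 16), arg)
        events.append(ev)
    return events


def classify(ev):
    """Tell the harmless pattern diagnosed in this thread apart from anything else."""
    benign = (ev["capability"] == "sys_resource"
              and ev.get("syscall") == "setrlimit"
              and ev.get("resource") == "RLIMIT_NOFILE"
              and ev.get("exe") == "/usr/bin/systemctl")
    return "known-benign: systemctl RLIMIT_NOFILE bump, failure ignored" if benign else "investigate"


# Two pairs copied from the comment above, plus one constructed pair (sys_admin from
# a cron job calling mount) to show a denial that does NOT match the benign pattern.
SAMPLE_LINES = [
    'type=AVC msg=audit(1422921802.039:23571): avc:  denied  { sys_resource } for  pid=28892 comm="telinit" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1422921802.039:23571): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff7ea2b090 a2=0 a3=fffffffffffffffe items=0 ppid=15196 pid=28892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=130 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1422963674.028:7451): avc:  denied  { sys_resource } for  pid=17242 comm="telinit" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1422963674.028:7451): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff6c747300 a2=0 a3=fffffffffffffffe items=0 ppid=16943 pid=17242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)',
    # constructed:
    'type=AVC msg=audit(1422963700.000:7460): avc:  denied  { sys_admin } for  pid=17300 comm="mount" capability=21  scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1422963700.000:7460): arch=c000003e syscall=165 success=no exit=-1 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=17300 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm="mount" exe="/usr/bin/mount" subj=system_u:system_r:system_cronjob_t:s0 key=(null)',
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LINES):
        print(ev["serial"], ev["domain"], ev["comm"], ev["capability"],
              ev.get("syscall"), ev.get("resource"), "->", classify(ev))
```

On a real box the same functions can be fed `grep 'type=.*AVC\|type=SYSCALL' /var/log/audit/audit.log` line by line.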

Comment 11 Jeremy Harris 2015-02-04 10:32:53 UTC
Description of problem:
After a system upgrade from f19 via f20 to f21 I'm getting many selinux alerts.  This is just one of them.
Upgrade 19->20 was done with yum, 20->21 (immediately following) with fedup.

Version-Release number of selected component:
selinux-policy-3.13.1-105.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 12 Berend De Schouwer 2015-02-05 07:47:00 UTC
Description of problem:
Dunno how this one happened; I assume startup, might be a duplicate of # 1189382, or # 1184712, or # 1185621.  It's probably related.  They all started happening one to two weeks ago.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 13 Daniel Walsh 2015-02-05 10:46:16 UTC
I think prelink is being removed by default in F21, which you might want to consider. It looks like you are running low on system resources.  

I think on reboot you will not have these problems any longer.

Comment 14 Daniel Walsh 2015-02-05 10:52:40 UTC
Could you show some AVCs for this?  The bug report talks about systemctl, while the only AVCs I see are for prelink.

Might have to add a dontaudit for this for all domains that execute systemctl.

Comment 15 Berend De Schouwer 2015-02-05 11:31:23 UTC
As in 'dnf erase prelink' is suggested for Fedora upgraders?

Should I run 'prelink -ua' first?

Bug was filed automatically, I got a few selinux prompts all in one go, and I filed bugs.  I can't remember which one prompted this.  What should I do to trap the "right" AVCs when/if this happens again?  There are +- 100 AVCs weekly.

Comment 16 Daniel Walsh 2015-02-05 11:46:14 UTC
Send me the AVCs via email, and I will look at them.  You should not be getting many AVCs.

Comment 17 Raman Gupta 2015-02-05 15:30:46 UTC
(In reply to Daniel Walsh from comment #13)
> I think prelink is being removed by default in F21

Do you have a reference for this? I don't see anything about it in the Fedora 21 release notes, and prelink packages are still being built for F21 (and F22), though not successfully: http://koji.fedoraproject.org/koji/packageinfo?packageID=583

Comment 18 Kamil Páral 2015-02-05 15:59:47 UTC
(In reply to Raman Gupta from comment #17)
> (In reply to Daniel Walsh from comment #13)
> > I think prelink is being removed by default in F21
> 
> Do you have a reference for this? I don't see anything about it in the
> Fedora 21 release notes, and prelink packages still being built for F21 (and
> F22), though not successfully:
> http://koji.fedoraproject.org/koji/packageinfo?packageID=583

I've found this:
https://fedorahosted.org/fesco/ticket/1183

Comment 19 Raman Gupta 2015-02-05 17:37:47 UTC
(In reply to Kamil Páral from comment #18)
> (In reply to Raman Gupta from comment #17)
> > (In reply to Daniel Walsh from comment #13)
> > > I think prelink is being removed by default in F21
> > 
> > Do you have a reference for this? I don't see anything about it in the
> > Fedora 21 release notes, and prelink packages still being built for F21 (and
> > F22), though not successfully:
> > http://koji.fedoraproject.org/koji/packageinfo?packageID=583
> 
> I've found this:
> https://fedorahosted.org/fesco/ticket/1183

(Sorry for the possibly off-topic Bugzilla spam)

I saw that too, and it's marked as Closed/Fixed, but it's unclear to me what the resolution was. The prelink package is still listed as "approved" for Fedora 20 and 21: https://admin.fedoraproject.org/pkgdb/package/prelink/.

And PRELINKING=yes is still set in the latest prelink git:

http://pkgs.fedoraproject.org/cgit/prelink.git/tree/prelink.sysconfig

Comment 20 Kamil Páral 2015-02-09 09:25:47 UTC
IIUIC, the resolution was that prelink is no longer installed by default. Of course you can still install it manually.

Comment 21 Raman Gupta 2015-02-09 16:30:02 UTC
(In reply to Kamil Páral from comment #20)
> IIUIC, the resolution was that prelink is no longer installed by default. Of
> course you can still install it manually.

Thank you, I created https://bugzilla.redhat.com/show_bug.cgi?id=1190810 for updating the release notes.

Comment 22 Kristjan Stefansson 2015-02-13 05:48:37 UTC
Description of problem:
I wasn't doing anything particular, just updating my system, and then this SELinux denial was reported.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.5-201.fc21.x86_64
type:           libreport

Comment 23 antonio montagnani 2015-02-16 07:35:21 UTC
Description of problem:
just idling, but a lot of hard disk work by some system job

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.6-200.fc21.x86_64
type:           libreport

Comment 24 Jeremy Harris 2015-02-16 09:15:46 UTC
Description of problem:
Random time, within 15m of boot

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.6-200.fc21.x86_64
type:           libreport

Comment 25 Jerry James 2015-02-16 17:00:48 UTC
(In reply to Daniel Walsh from comment #16)
> Send me the avc's via email, and I will look at them.  You should not be
> getting many AVCs

Additional Information:
Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        telinit
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          diannao.jamezone.org
Source RPM Packages           systemd-216-20.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     diannao.jamezone.org
Platform                      Linux diannao.jamezone.org 3.18.6-200.fc21.x86_64 #1 SMP Fri Feb 6 22:59:42 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-02-15 18:53:43 MST
Last Seen                     2015-02-16 09:54:50 MST
Local ID                      bf191375-c943-4847-8de8-9ac129d9bd86

Raw Audit Messages
type=AVC msg=audit(1424105690.760:875): avc:  denied  { sys_resource } for  pid=10821 comm="telinit" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0


type=SYSCALL msg=audit(1424105690.760:875): arch=x86_64 syscall=setrlimit success=no exit=EPERM a0=7 a1=7fff0a1e8e20 a2=0 a3=fffffffffffffffe items=0 ppid=5318 pid=10821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=telinit exe=/usr/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Hash: telinit,prelink_cron_system_t,prelink_cron_system_t,capability,sys_resource

Comment 26 Jonathan S 2015-02-17 19:09:32 UTC
Description of problem:
SELinux alert happens immediately at end of cron.daily prelink job. (Compare bug 1190364).

Both errors have only started after installation of selinux-policy-3.13.1-105-3

Prior to this policy, neither of these errors has occurred on either of the two Fedora21 computers I have. Now, both show the same errors (this and bug 1190364), with /usr/bin/systemctl not having sufficient rights.

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.6-200.fc21.x86_64
type:           libreport

Comment 27 Zdenek Chmelar 2015-02-18 08:31:50 UTC
Description of problem:
This error popped up without any activity (I was only reading some blogs on web)

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.6-200.fc21.x86_64
type:           libreport

Comment 28 teupoui 2015-02-18 10:18:17 UTC
Description of problem:
I did nothing in particular. Just reading a web page (twitter on Firefox). 32% of RAM in use, 0.4% of swap memory, >10GB free disk space. Most process at 1 or 2% of CPU max...

... except for kworker, using almost 100% of one of the 4 CPU cores. When my computer is on, after some time one of the kworker processes starts using a lot of CPU. Probably related (and by the way, quite annoying by its effect on temperature and fans.)

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 29 Lukas Vrabec 2015-02-18 12:47:19 UTC
commit 155f59feafd4ca26d2b20a292ed80407e21308e3
Author: Lukas Vrabec <lvrabec>
Date:   Wed Feb 18 13:46:21 2015 +0100

    Dontaudit sys_resource in prelink_cron)_system_t

Added dontaudit rule. 

I hope when you see this AVC nothing is broken in your system.

Comment 30 Karel Volný 2015-02-18 17:12:10 UTC
(In reply to Lukas Vrabec from comment #29)
> I hope when you see this AVC nothing is broken in your system.

isn't that easier to turn selinux off then? - we won't be getting avc reports that way too ...

Comment 31 Igor Vucenovic 2015-02-18 20:47:42 UTC
Description of problem:
After upgrade via FedUp from Fedora 20 to 21 Workstation. The warning appears immediately after first login (graphical session). I am not sure if systemctl should have the sys_resource capability, so I am confused if I need this allow or not.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 32 Pavel Srb 2015-02-20 05:31:45 UTC
Description of problem:
hmm, dont know...

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.6-200.fc21.x86_64
type:           libreport

Comment 33 Lukas Vrabec 2015-02-21 12:28:50 UTC
(In reply to Karel Volný from comment #30)
> (In reply to Lukas Vrabec from comment #29)
> > I hope when you see this AVC nothing is broken in your system.
> 
> isn't that easier to turn selinux off then? - we won't be getting avc
> reports that way too ...

Of course not. When you disable SELinux you lose all protection for your system. When this rule is dontaudited, just the alert will disappear. => actually a better solution, while I don't know why this capability is needed.

Comment 34 Berend De Schouwer 2015-02-21 13:28:07 UTC
I think the selinux-policy update needs a reboot/restart

I think ignoring the errors is bad.  systemd is prevented from doing something.  If that something is important, there could be side effects.  In this case, possibly run-away load.

Comment 35 Karel Volný 2015-02-23 11:10:40 UTC
(In reply to Lukas Vrabec from comment #33)
> Of course not. When you disable selinux you lost protection for your system
> at all.

ok, next time I'll remember to add the tongue-in-cheek smiley ...

> When this rule will be dontaudited, just alert will disappear. =>
> actually better solution,

I'd tend to disagree - dontaudit rules are a hell to debug (unless your crystal ball tells you this is the first thing to take a look at when something goes nuts)

> while I don't know why is this capability needed.

so what about some NEEDINFO from prelink/systemd guys to find out and fix the culprit or allow the action if it is okay, rather than just hiding the fact it has been disallowed?

Comment 36 Lukas Vrabec 2015-02-24 13:20:21 UTC
(In reply to Karel Volný from comment #35)
> (In reply to Lukas Vrabec from comment #33)
> > Of course not. When you disable selinux you lost protection for your system
> > at all.
> 
> ok, next time I'll remember to add the tongue-in-cheek smiley ...
:)
> 
> > When this rule will be dontaudited, just alert will disappear. =>
> > actually better solution,
> 
> I'd tend to disagree - dontaudit rules are a hell to debug (unless your
> crystal ball tells you this is the first thing to take a look at when
> something goes nuts)
yep, this is the first thing when you are debugging some SELinux issue (# semodule -DB).
http://danwalsh.livejournal.com/11673.html  
> 
> > while I don't know why is this capability needed.
> 
> so what about some NEEDINFO from prelink/systemd guys to find out and fixing
> the culprit or allowing the action if it is okay, rather than just hiding
> the fact it has been disallowed?
Agree, we could ask systemd guys.

Comment 37 Lukas Vrabec 2015-02-24 13:23:07 UTC
Systemd guys,

Could you resolve why "telinit" needs cap. sys_resource? 

Thank you.

Comment 38 Zbigniew Jędrzejewski-Szmek 2015-02-24 15:13:49 UTC
systemctl recently started bumping NOFILE because it sometimes needs it for reading journal files. The failure to set it is ignored and should not matter except for the audit log spam. This isn't really necessary for telinit. I now modified systemctl to not do that when running as telinit:
  http://cgit.freedesktop.org/systemd/systemd/commit/?id=95d383ee47
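
Added example (not systemd's code; the linked commit holds that): the two ways a program can "bump NOFILE", shown with Python's resource module. Raising only the soft limit up to the hard limit needs no capability, so a confined domain such as prelink_cron_system_t can do it without any sys_resource check; raising the hard limit is the privileged call that produced the AVCs in this thread, and a caller that treats its failure as best-effort should expect this kind of audit noise whenever it runs confined.

```python
import resource

RLIM_INF = resource.RLIM_INFINITY  # reported as -1 by Python


def bump_nofile_within_hard(want):
    """Raise the RLIMIT_NOFILE soft limit towards `want`, never past the hard
    limit. Soft <= hard is an unprivileged change: the kernel runs no
    CAP_SYS_RESOURCE check, so SELinux has nothing to deny or audit.
    Returns the (soft, hard) pair in effect afterwards."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    target = want if hard == RLIM_INF else min(want, hard)
    if soft == RLIM_INF or soft >= target:
        return soft, hard  # already sufficient, no syscall needed
    resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def bump_nofile_hard(want):
    """The pattern behind the denials in this thread: asking for a hard limit
    above the current one. Only CAP_SYS_RESOURCE may do that; otherwise
    setrlimit(2) fails with EPERM (Python raises ValueError), and under SELinux
    the failed capability check is exactly what is logged as a sys_resource AVC.
    Returns True if the raise succeeded, False if it was refused."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard == RLIM_INF or hard >= want:
        return True  # nothing to raise, no privileged call made
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (want, want))
        return True
    except ValueError:  # EPERM/EINVAL surfaced by the resource module
        return False


if __name__ == "__main__":
    print("before:", resource.getrlimit(resource.RLIMIT_NOFILE))
    print("within hard:", bump_nofile_within_hard(4096))
    print("raise hard allowed:", bump_nofile_hard(1 << 20))
```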

Comment 39 Karel Volný 2015-02-24 17:06:02 UTC
(In reply to Lukas Vrabec from comment #36)
> (In reply to Karel Volný from comment #35)
> > I'd tend to disagree - dontaudit rules are a hell to debug (unless your
> > crystal ball tells you this is the first thing to take a look at when
> > something goes nuts)
> yep, this is the first thing when you are debugging some SELinux issue (# semodule
> -DB).
> http://danwalsh.livejournal.com/11673.html

FYI (sorry for bz spam), what I meant is that you have to realize that you are debugging an SELinux issue in the first place (why would you do that if the logs are clean?) ... of course, after some experience, `setenforce 0` is one of the first things to try and if that helps, you know where to look, but it is not always that straightforward (e.g. when the problem is not easy to reproduce)

...
> Agree, We could ask systemd guys.

woohoo, that was quick - thanks Zbyszek!

Comment 40 Jaroslav Škarvada 2015-02-25 11:05:02 UTC
Description of problem:
I am not sure, maybe after some update.

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 41 Raphael Groner 2015-02-25 13:11:21 UTC
It seems a complete relabelling (touch ./autorelabel && reboot) did fix the issue for any strange reason.

Comment 42 chopin xiao 2015-02-26 02:27:57 UTC
Description of problem:
I do not know

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 43 Lukas Vrabec 2015-02-27 11:15:33 UTC
*** Bug 1196815 has been marked as a duplicate of this bug. ***

Comment 44 Miroslav Grepl 2015-03-03 14:55:26 UTC
*** Bug 1197328 has been marked as a duplicate of this bug. ***

Comment 45 Miroslav Grepl 2015-03-03 14:55:27 UTC
*** Bug 1192164 has been marked as a duplicate of this bug. ***

Comment 46 Miroslav Grepl 2015-03-03 15:30:41 UTC
*** Bug 1185621 has been marked as a duplicate of this bug. ***

Comment 47 Fedora Update System 2015-03-04 01:55:35 UTC
systemd-219-6.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/systemd-219-6.fc22

Comment 48 Fedora Update System 2015-03-04 21:09:13 UTC
Package systemd-219-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-219-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3138/systemd-219-6.fc22
then log in and leave karma (feedback).

Comment 49 David 2015-03-05 08:37:18 UTC
Description of problem:
I was reading an online newspaper. Nothing slowed down, stopped or did anything actually. Everything works OK. Since updating from Fedora 20 to 21, I'm getting random hardware errors that Fedora will not allow me to report. Again, nothing seems to slow down or break and the system is totally stable. I had a look in the /var/log directory but couldn't see anything to help. 

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 50 Jeremy Harris 2015-03-06 09:20:14 UTC
Description of problem:
I have no clue.  Systemd, apparently.  Totally impenetrable.

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 51 Raphael Groner 2015-03-06 13:45:59 UTC
This happened again with Fedora 21.

systemd-216-20.fc21.x86_64
kernel-3.18.7-200.fc21.x86_64
libreport-2.3.0-5.fc21.x86_64

Please provide also a fix for f21.

Comment 52 jon.metric 2015-03-08 09:14:33 UTC
Description of problem:
I do not know how it occurred, I only received a notice from the SELinux Alert Browser that it had detected a problem.

Notification of the problem included:

The source process: systemctl
Attempted this access: setrlimit

SELinux is preventing systemctl from using the setrlimit access on a process.

Plugin: catchall
you want to allow systemctl to have setrlimit access on the Unknown process
If you believe that systemctl should be allowed setrlimit access on processes labeled logrotate_t by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 53 Fedora Update System 2015-03-09 08:27:45 UTC
systemd-219-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 54 Paul Finnigan 2015-03-15 20:28:04 UTC
Description of problem:
I have no real idea but I guess systemctl was attempting setrlimit during a logrotate for some reason.

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.8-201.fc21.x86_64
type:           libreport

Comment 55 Zbigniew Jędrzejewski-Szmek 2015-03-16 01:29:07 UTC
It seems we need to backport the same fix.

Comment 56 Daniel Demus 2015-03-18 11:00:42 UTC
Description of problem:
Returning from sleep

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.9-200.fc21.x86_64
type:           libreport

Comment 57 Seb 2015-03-19 12:45:48 UTC
Description of problem:
SELinux Alert Browser

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.9-200.fc21.x86_64
type:           libreport

Comment 58 Abel Guzman 2015-03-22 07:52:01 UTC
Description of problem:
no information, I do not know how did it happen

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 59 udo.rader 2015-03-22 09:39:16 UTC
Description of problem:
this time, I ran unzip -t in a terminal window ...

Version-Release number of selected component:
selinux-policy-3.13.1-105.6.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.1-201.fc21.x86_64
type:           libreport

Comment 60 vikram goyal 2015-03-22 13:58:56 UTC
Description of problem:
system generated

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.1-201.fc21.x86_64
type:           libreport

Comment 61 Fedora Update System 2015-03-26 14:30:39 UTC
systemd-216-23.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/systemd-216-23.fc21

Comment 62 Fedora Update System 2015-03-30 07:04:10 UTC
Package systemd-216-24.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-216-24.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4991/systemd-216-24.fc21
then log in and leave karma (feedback).

Comment 63 Claude Frantz 2015-03-30 09:20:54 UTC
Description of problem:
While ending an emacs session on a remote host

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.2-201.fc21.i686+PAE
type:           libreport

Comment 64 Mauricio 2015-03-30 13:53:51 UTC
Description of problem:
When trying to access a flash memory

Version-Release number of selected component:
selinux-policy-3.13.1-105.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 65 Dave Allan 2015-03-31 13:50:00 UTC
Description of problem:
Not clear if anything I did triggered it; it seems to be a background system process.

Version-Release number of selected component:
selinux-policy-3.13.1-105.6.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.2-201.fc21.x86_64
type:           libreport

Comment 66 Fedora Update System 2015-04-02 15:37:43 UTC
systemd-216-24.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 67 Francisco de la Peña 2015-04-05 16:30:16 UTC
Description of problem:
Still alerts with selinux-policy-3.13.1-105.9

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.1-libre.201.fc21.gnu.x86_64
type:           libreport

Comment 68 Dave Allan 2015-04-06 17:33:41 UTC
Description of problem:
Seems to be the result of a background task

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 69 tuxor 2015-04-07 13:54:42 UTC
Description of problem:
SELinux troubleshoot just popped up unexpectedly. At that time, I was using Firefox, Thunderbird and Skype. But I don't think it's really related to any of that tools.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 70 Mark Knoop 2015-04-12 09:41:33 UTC
Description of problem:
I believe this is still bug #1184712

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 71 Richard Z. 2015-04-12 12:20:10 UTC
Description of problem:
happened when logs were automatically rotated

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.i686+PAE
type:           libreport

Comment 72 Leszek Matok 2015-04-12 15:14:21 UTC
Description of problem:
systemd-216-24.fc21 and bug #1184712 still not fixed.

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 73 Leszek Matok 2015-04-12 15:15:29 UTC
Can we get a re-open?

Comment 74 Dan Mossor [danofsatx] 2015-04-12 16:17:57 UTC
Description of problem:
Error appeared during normal operation of a server configured to receive logs.

Version-Release number of selected component:
selinux-policy-3.13.1-105.6.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.2-201.fc21.x86_64
type:           libreport

Comment 75 Dan Mossor [danofsatx] 2015-04-12 16:26:17 UTC
I see the SELinux troubleshooter decided my AVC was the same as this one, but I don't have a prelink error. Mine was that systemctl was denied setrlimit on processes labeled logrotate_t. I shall attach my AVC output, but I feel this should be a standalone bug, not a clone of this one. Can I get confirmation of that before I do?

Comment 76 Dan Mossor [danofsatx] 2015-04-12 16:26:59 UTC
Created attachment 1013679 [details]
SETroubleshooter AVC output

Comment 77 Raffaello Bertini 2015-04-12 16:28:08 UTC
Description of problem:
after update fedora from 20 to 21

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 78 Zbigniew Jędrzejewski-Szmek 2015-04-13 01:38:02 UTC
(In reply to Dan Mossor from comment #76)
> Created attachment 1013679 [details]
> SETroubleshooter AVC output

You have systemd-216-21.fc21, this was fixed in -24.fc21.

*********************************************************************
To anyone experiencing this: please check that you have at least
systemd-219-6.fc22 (when on F22) or systemd-216-24.fc21 (when on F21).
*********************************************************************

Comment 79 chopin xiao 2015-04-13 03:44:50 UTC
Description of problem:
I think it's systemctl rotating the log; the message alerts once every day.

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 80 Alessio 'Spinus' Moscatello 2015-04-13 20:35:21 UTC
Description of problem:
Simply using the system...

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.i686
type:           libreport

Comment 81 Lukas Vrabec 2015-04-13 22:44:44 UTC
Hi Everyone, 
Please, could you update your systems before you report this issue? 
Thank you.

Systemd guys,
Do you know the current state of this issue? Do you need any selinux-policy changes?
Thank you.

Comment 82 Zbigniew Jędrzejewski-Szmek 2015-04-14 00:33:51 UTC
I *think* that this should be fixed with systemd-216-24.fc21. I cannot reproduce this on F21 or F22 myself. But at least comment #c72 suggests that this is not fixed. Even if this is still triggered, it should be harmless, apart from the warning, so I'd just wait a bit and see if it goes away as people update.

Comment 83 Lukas Vrabec 2015-04-14 06:58:56 UTC
Agree, I also think it's about update.

Comment 84 Ankush Menat 2015-04-14 08:09:41 UTC
Description of problem:
SELinux warning windows appeared randomly while I was browsing online in chrome.

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 85 Dave Allan 2015-04-14 16:48:37 UTC
(In reply to Lukas Vrabec from comment #81)
> Hi Everyone, 
> Please, could you update your systems before you report this issue? 
> Thank you.
> 
> Systemd guys,
> Do you know the current state of this issue? Do you need any selinux-policy
> changes?
> Thank you.

Hi Lukas, I've been experiencing this AVC both before and after updating to systemd-216-24.fc21.x86_64, which is what I'm currently running (my system is otherwise up to date as well).  Is there any additional information I can collect that would be helpful? -Dave

Comment 86 Zbigniew Jędrzejewski-Szmek 2015-04-14 16:54:56 UTC
Can you paste the avc and setroubleshoot output?

Comment 87 Dave Allan 2015-04-14 17:20:07 UTC
Created attachment 1014422 [details]
setroubleshoot details

Here is the text from setroubleshoot details; let me know if that's not what you were looking for.

Comment 88 Zbigniew Jędrzejewski-Szmek 2015-04-14 17:30:01 UTC
Can you paste/attach the log too? I'd like to see what the commandline was.

Comment 89 Dave Allan 2015-04-14 18:10:10 UTC
Sorry if I'm being dense--which log?

Comment 90 Zbigniew Jędrzejewski-Szmek 2015-04-14 18:48:09 UTC
/var/log/audit/audit.log

Comment 91 Dave Allan 2015-04-14 19:24:43 UTC
Created attachment 1014452 [details]
audit.log excerpt

Comment 92 Leszek Matok 2015-04-14 19:48:39 UTC
Created attachment 1014456 [details]
grep 'type=.*AVC' /var/log/audit/audit.log

The time of 1428802562 is apparently last Sunday, 3:36:02.

Last line I have in /var/log/cron-20150412 is:
Apr 12 03:36:01 pensja run-parts[8112]: (/etc/cron.daily) starting logrotate   
First line I have in /var/log/cron is:
Apr 12 03:36:02 pensja run-parts[8234]: (/etc/cron.daily) finished logrotate

Just in case you still think it's old systemd or whatever:
/var/log/dnf.rpm.log-20150407:Apr 03 22:22:37 INFO Upgraded: systemd-216-24.fc21.x86_64
/var/log/messages-20150412:Apr  6 20:42:41 pensja systemd-logind: System is rebooting.

Comment 93 Zbigniew Jędrzejewski-Szmek 2015-04-14 19:51:08 UTC
Should be fixed with the next update.

Comment 94 Simon Fonceca 2015-04-20 20:42:38 UTC
Description of problem:
looks like the permissions for logrotate are not correct

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 95 D. Charles Pyle 2015-05-03 01:59:36 UTC
Description of problem:
I tried to create a shared folder using Samba server configuration control panel.  It is 100% reproducible.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 96 Benjamin Ariel Nava Martinez 2015-05-03 16:58:24 UTC
Description of problem:
I can also reproduce this every time I modify a SMB share using system-config-samba

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch
policycoreutils-2.3-7.1.fc21.x86_64
system-config-samba-1.2.100-3.fc21.noarch
samba-4.1.17-1.fc21.x86_64
samba-client-4.1.17-1.fc21.x86_64

Comment 97 Miroslav Grepl 2015-05-12 14:15:59 UTC
*** Bug 1192233 has been marked as a duplicate of this bug. ***

Comment 98 dj-max_payne 2015-06-10 19:20:34 UTC
Description of problem:
SELinux blocks samba whenever I try to create a share without a password.

How to reproduce this bug:
On the system-config-samba gui, after selecting a samba share, click in the preferences menu, open the server settings and then on the security tab set the Authentication Mode to "Share" and click ok.
This will trigger the SELinux security alert.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 99 Fedora End Of Life 2015-11-04 15:51:02 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 100 Fedora End Of Life 2015-12-02 07:46:54 UTC
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
