Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.x86_64 type: libreport
Description of problem: Browsing, I suspect shortly after today's update. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.i686+PAE type: libreport
Description of problem: no idea. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.x86_64 type: libreport
Description of problem: Just popped up after waking up the laptop from suspend. Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.x86_64 type: libreport
Description of problem: This happened overnight, probably as the result of a cron job. Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.x86_64 type: libreport
Description of problem: I came home from work and found a desktop notification of a "SELinux AVC denial". Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.x86_64 type: libreport
Description of problem: trying to do "telinit 3" as far as I can remember. Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.8-300.fc21.i686+PAE type: libreport
Description of problem: Overnight this message was issued. I don't see anything in the logs that is obviously related to the system resources listed by the sys_resource plugin. Journalctl shows that when the access occurred, cron.daily was executing prelink or perhaps rpm, and a systemd "Reexecuting" for some unknown reason is mixed in as well:
Jan 25 03:34:03 edison run-parts[11456]: (/etc/cron.daily) starting prelink
Jan 25 03:35:00 edison dbus[1262]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan 25 03:35:00 edison systemd[1]: Reexecuting.
[various systemd messages about auditd.service being world-inaccessible, and "Could not find init script for xxx"]
Jan 25 03:35:00 edison run-parts[13674]: (/etc/cron.daily) finished prelink
Jan 25 03:35:00 edison run-parts[13676]: (/etc/cron.daily) starting rpm
Jan 25 03:35:00 edison dbus[1262]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 25 03:35:01 edison setroubleshoot[13655]: Plugin Exception restorecon_source
Jan 25 03:35:01 edison setroubleshoot[13655]: SELinux is preventing /usr/bin/systemctl from using the sys_resource capability. For complete SELinux messages. run sealert -l e0f3cdca-1ef0
[plugin sys_resource details]
Jan 25 03:35:02 edison run-parts[13733]: (/etc/cron.daily) finished rpm
Jan 25 03:35:02 edison anacron[7432]: Job `cron.daily' terminated (mailing output)
Jan 25 03:35:03 edison sSMTP[13734]: Sent mail for root (221 2.0.0 Bye) uid=0 username=root outbytes=449
Jan 25 03:35:03 edison anacron[7432]: Normal exit (1 job run)
Jan 25 03:35:12 edison org.fedoraproject.Setroubleshootd[1262]: 'list' object has no attribute 'split'
Then the log continues, seemingly normally (and the system appears to be working normally as well), except that every 5 minutes (along with a cron job) SELinux appears to initialize, and systemd appears to start and stop a bunch of stuff (this did not happen before, and I don't know if it's related to this sys_resource issue or to the new systemd version systemd-216-16.fc21.x86_64):
Jan 25 10:30:01 edison kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Jan 25 10:30:01 edison systemd[21415]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jan 25 10:30:01 edison CROND[21427]: (root) CMD (/usr/local/bin/sshreport)
Jan 25 10:30:01 edison systemd[21415]: Starting Paths.
Jan 25 10:30:01 edison systemd[21415]: Reached target Paths.
Jan 25 10:30:01 edison systemd[21415]: Starting Timers.
Jan 25 10:30:01 edison systemd[21415]: Reached target Timers.
Jan 25 10:30:01 edison systemd[21415]: Starting Sockets.
Jan 25 10:30:01 edison systemd[21415]: Reached target Sockets.
Jan 25 10:30:01 edison systemd[21415]: Starting Basic System.
Jan 25 10:30:01 edison systemd[21415]: Reached target Basic System.
Jan 25 10:30:01 edison systemd[21415]: Starting Default.
Jan 25 10:30:01 edison systemd[21415]: Reached target Default.
Jan 25 10:30:01 edison systemd[21415]: Startup finished in 12ms.
Jan 25 10:30:01 edison systemd[21415]: Stopping Default.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Default.
Jan 25 10:30:01 edison systemd[21415]: Stopping Basic System.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Basic System.
Jan 25 10:30:01 edison systemd[21415]: Stopping Paths.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Paths.
Jan 25 10:30:01 edison systemd[21415]: Stopping Timers.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Timers.
Jan 25 10:30:01 edison systemd[21415]: Stopping Sockets.
Jan 25 10:30:01 edison systemd[21415]: Stopped target Sockets.
Jan 25 10:30:01 edison systemd[21415]: Starting Shutdown.
Jan 25 10:30:01 edison systemd[21415]: Reached target Shutdown.
Jan 25 10:30:01 edison systemd[21415]: Starting Exit the Session...
Jan 25 10:30:01 edison systemd[21415]: Received SIGRTMIN+24 from PID 21462 (kill).
Jan 25 10:30:01 edison systemd[21421]: pam_unix(systemd-user:session): session closed for user root
Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.2-200.fc21.x86_64 type: libreport
Description of problem: This report pops up every day at 3:30 AM. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.3-201.fc21.x86_64 type: libreport
Description of problem: Some background process Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.3-201.fc21.x86_64 type: libreport
At least for me, the problem seems to be some combination of prelink and systemd, at least according to what I grepped out of audit.log:
type=AVC msg=audit(1422921802.039:23571): avc: denied { sys_resource } for pid=28892 comm="telinit" capability=24 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1422921802.039:23571): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff7ea2b090 a2=0 a3=fffffffffffffffe items=0 ppid=15196 pid=28892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=130 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1422963674.028:7451): avc: denied { sys_resource } for pid=17242 comm="telinit" capability=24 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1422963674.028:7451): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff6c747300 a2=0 a3=fffffffffffffffe items=0 ppid=16943 pid=17242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
Description of problem: After a system upgrade from f19 via f20 to f21 I'm getting many selinux alerts. This is just one of them. Upgrade 19->20 was done with yum , 20->21 (immediately following) with fedup. Version-Release number of selected component: selinux-policy-3.13.1-105.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.3-201.fc21.x86_64 type: libreport
Description of problem: Dunno how this one happened; I assume startup, might be a duplicate of # 1189382, or # 1184712, or # 1185621. It's probably related. They all started happening one to two weeks ago. Version-Release number of selected component: selinux-policy-3.13.1-103.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.3-201.fc21.x86_64 type: libreport
I think prelink is being removed by default in F21, which you might want to consider. It looks like you are running low on system resources. I think on reboot you will not have these problems any longer.
Could you show some AVC's for this? The bug report talks about systemctl, while the only Avc's I see are for prelink. Might have to add a dontaudit for this for all domains that execute systemctl.
As in 'dnf erase prelink' is suggested for Fedora upgraders? Should I run 'prelink -ua' first? Bug was filed automatically, I got a few selinux prompts all in one go, and I filed bugs. I can't remember which one prompted this. What should I do to trap the "right" AVCs when/if this happens again? There are +- 100 AVCs weekly.
Send me the avc's via email, and I will look at them. You should not be getting many AVCs
(In reply to Daniel Walsh from comment #13)
> I think prelink is being removed by default in F21

Do you have a reference for this? I don't see anything about it in the Fedora 21 release notes, and prelink packages still being built for F21 (and F22), though not successfully: http://koji.fedoraproject.org/koji/packageinfo?packageID=583
(In reply to Raman Gupta from comment #17)
> (In reply to Daniel Walsh from comment #13)
> > I think prelink is being removed by default in F21
>
> Do you have a reference for this? I don't see anything about it in the
> Fedora 21 release notes, and prelink packages still being built for F21 (and
> F22), though not successfully:
> http://koji.fedoraproject.org/koji/packageinfo?packageID=583

I've found this: https://fedorahosted.org/fesco/ticket/1183
(In reply to Kamil Páral from comment #18)
> (In reply to Raman Gupta from comment #17)
> > (In reply to Daniel Walsh from comment #13)
> > > I think prelink is being removed by default in F21
> >
> > Do you have a reference for this? I don't see anything about it in the
> > Fedora 21 release notes, and prelink packages still being built for F21 (and
> > F22), though not successfully:
> > http://koji.fedoraproject.org/koji/packageinfo?packageID=583
>
> I've found this:
> https://fedorahosted.org/fesco/ticket/1183

(Sorry for the possibly off-topic Bugzilla spam)

I saw that too, and it's marked as Closed/Fixed, but it's unclear to me what the resolution was. The prelink package is still listed as "approved" for Fedora 20 and 21: https://admin.fedoraproject.org/pkgdb/package/prelink/. And PRELINKING=yes is still set in the latest prelink git: http://pkgs.fedoraproject.org/cgit/prelink.git/tree/prelink.sysconfig
IIUIC, the resolution was that prelink is no longer installed by default. Of course you can still install it manually.
(In reply to Kamil Páral from comment #20)
> IIUIC, the resolution was that prelink is no longer installed by default. Of
> course you can still install it manually.

Thank you, I created https://bugzilla.redhat.com/show_bug.cgi?id=1190810 for updating the release notes.
Description of problem: I wasn't doing anything particular, just updating my system, and then this SELinux denial was reported. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.5-201.fc21.x86_64 type: libreport
Description of problem: just idling, but a great work on hard disk by some system job Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.6-200.fc21.x86_64 type: libreport
Description of problem: Random time, within 15m of boot Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.6-200.fc21.x86_64 type: libreport
(In reply to Daniel Walsh from comment #16)
> Send me the avc's via email, and I will look at them. You should not be
> getting many AVCs

Additional Information:
Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        telinit
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          diannao.jamezone.org
Source RPM Packages           systemd-216-20.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     diannao.jamezone.org
Platform                      Linux diannao.jamezone.org 3.18.6-200.fc21.x86_64 #1 SMP Fri Feb 6 22:59:42 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-02-15 18:53:43 MST
Last Seen                     2015-02-16 09:54:50 MST
Local ID                      bf191375-c943-4847-8de8-9ac129d9bd86

Raw Audit Messages
type=AVC msg=audit(1424105690.760:875): avc: denied { sys_resource } for pid=10821 comm="telinit" capability=24 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1424105690.760:875): arch=x86_64 syscall=setrlimit success=no exit=EPERM a0=7 a1=7fff0a1e8e20 a2=0 a3=fffffffffffffffe items=0 ppid=5318 pid=10821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=telinit exe=/usr/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Hash: telinit,prelink_cron_system_t,prelink_cron_system_t,capability,sys_resource
Description of problem: SELinux alert happens immediately at end of cron.daily prelink job. (Compare bug 1190364). Both errors have only started after installation of selinux-policy-3.13.1-105-3. Prior to this policy, neither of these errors has occurred on either of the two Fedora21 computers I have. Now, both show the same errors (this and bug 1190364), with /usr/bin/systemctl not having sufficient rights. Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.6-200.fc21.x86_64 type: libreport
Description of problem: This error popped up without any activity (I was only reading some blogs on web) Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.6-200.fc21.x86_64 type: libreport
Description of problem: I did nothing in particular. Just reading a web page (twitter on Firefox). 32% of RAM in use, 0.4% of swap memory, >10GB free disk space. Most processes at 1 or 2% of CPU max... ... except for kworker, using almost 100% of one of the 4 CPU cores. When my computer is on, after some time one of the kworker processes starts using a lot of CPU. Probably related (and by the way, quite annoying by its effect on temperature and fans.) Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
commit 155f59feafd4ca26d2b20a292ed80407e21308e3
Author: Lukas Vrabec <lvrabec>
Date:   Wed Feb 18 13:46:21 2015 +0100

    Dontaudit sys_resource in prelink_cron)_system_t

Added dontaudit rule. I hope when you see this AVC nothing is broken in your system.
(In reply to Lukas Vrabec from comment #29) > I hope when you see this AVC nothing is broken in your system. isn't that easier to turn selinux off then? - we won't be getting avc reports that way too ...
Description of problem: After upgrade via FedUp from Fedora 20 to 21 Workstation. Warning appears immediately after first login (graphical session). I am not sure if systemctl should have the sys_resource capability, so I am confused if I need this allow or not. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
Description of problem: hmm, don't know... Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.6-200.fc21.x86_64 type: libreport
(In reply to Karel Volný from comment #30)
> (In reply to Lukas Vrabec from comment #29)
> > I hope when you see this AVC nothing is broken in your system.
>
> isn't that easier to turn selinux off then? - we won't be getting avc
> reports that way too ...

Of course not. When you disable selinux you lost protection for your system at all. When this rule will be dontaudited, just alert will disappear. => actually better solution, while I don't know why is this capability needed.
I think the selinux-policy update needs a reboot/restart.
I think ignoring the errors is bad. systemd is prevented from doing something. If that something is important, there could be side effects. In this case, possibly run-away load.
(In reply to Lukas Vrabec from comment #33)
> Of course not. When you disable selinux you lost protection for your system
> at all.

ok, next time I'll remember to add the tongue-in-cheek smiley ...

> When this rule will be dontaudited, just alert will disappear. =>
> actually better solution,

I'd tend to disagree - dontaudit rules are a hell to debug (unless your crystal ball tells you this is the first thing to take a look at when something goes nuts)

> while I don't know why is this capability needed.

so what about some NEEDINFO from prelink/systemd guys to find out and fixing the culprit or allowing the action if it is okay, rather than just hiding the fact it has been disallowed?
(In reply to Karel Volný from comment #35)
> (In reply to Lukas Vrabec from comment #33)
> > Of course not. When you disable selinux you lost protection for your system
> > at all.
>
> ok, next time I'll remember to add the tongue-in-cheek smiley ...

:)

> > When this rule will be dontaudited, just alert will disappear. =>
> > actually better solution,
>
> I'd tend to disagree - dontaudit rules are a hell to debug (unless your
> crystal ball tells you this is the first thing to take a look at when
> something goes nuts)

yep, this is the first thing when you debugging some SELinux issue(#semodule -DB).
http://danwalsh.livejournal.com/11673.html

> > while I don't know why is this capability needed.
>
> so what about some NEEDINFO from prelink/systemd guys to find out and fixing
> the culprit or allowing the action if it is okay, rather than just hiding
> the fact it has been disallowed?

Agree, We could ask systemd guys.
Systemd guys, Could you resolve why "telinit" needs cap. sys_resource? Thank you.
systemctl recently started bumping NOFILE because it sometimes needs it for reading journal files. The failure to set it is ignored and should not matter except for the audit log spam. This isn't really necessary for telinit. I now modified systemctl to not do that when running as telinit: http://cgit.freedesktop.org/systemd/systemd/commit/?id=95d383ee47
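The audit records quoted in this thread already carry the information given in the comment above: pairing each AVC with the SYSCALL record that shares its audit event ID decodes the denied call as setrlimit on RLIMIT_NOFILE. The Python sketch below is an added example, not part of the original thread and not setroubleshoot's code; its function names and the x86_64-only syscall and rlimit lookup tables are assumptions made for illustration, and the last sample record is constructed.

```python
import re
from collections import Counter, defaultdict

# The first two events are copied from audit excerpts quoted in this thread (one in
# raw form, one in interpreted form); the last record is constructed and has no AVC.
SAMPLE = """\
type=AVC msg=audit(1422921802.039:23571): avc: denied { sys_resource } for pid=28892 comm="telinit" capability=24 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1422921802.039:23571): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff7ea2b090 a2=0 a3=fffffffffffffffe items=0 ppid=15196 pid=28892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=130 comm="telinit" exe="/usr/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424105690.760:875): avc: denied { sys_resource } for pid=10821 comm="telinit" capability=24 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1424105690.760:875): arch=x86_64 syscall=setrlimit success=no exit=EPERM a0=7 a1=7fff0a1e8e20 a2=0 a3=fffffffffffffffe items=0 ppid=5318 pid=10821 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=telinit exe=/usr/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1424105700.000:900): arch=c000003e syscall=59 success=yes exit=0 a0=0 items=0 pid=4242 comm="true" exe="/usr/bin/true" key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value, value may be quoted
PERMS_RE = re.compile(r"\{ ([^}]*) \}")                    # { perm1 perm2 }

# Assumed lookup tables, deliberately small: raw x86_64 syscall numbers and
# Linux rlimit resource numbers needed to read the records above.
SYSCALLS = {("c000003e", "160"): "setrlimit"}
RLIMITS = {4: "RLIMIT_CORE", 6: "RLIMIT_NPROC", 7: "RLIMIT_NOFILE", 8: "RLIMIT_MEMLOCK"}


def parse_fields(line):
    """Return the key=value pairs of one audit record, with quotes removed."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def describe_syscall(sc):
    """Render the SYSCALL record as e.g. 'setrlimit(RLIMIT_NOFILE)'; None if absent."""
    if not sc:
        return None
    raw = sc.get("syscall", "?")
    # Interpreted logs (ausearch -i, sealert) already carry the name, not the number.
    name = SYSCALLS.get((sc.get("arch"), raw), raw)
    if name == "setrlimit":
        resource = int(sc.get("a0", "0"), 16)   # a0..a3 are logged in hex
        return "setrlimit(%s)" % RLIMITS.get(resource, resource)
    return name


def correlate(text):
    """Join AVC and SYSCALL records by audit event ID; one dict per denial."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in text.splitlines():
        match = EVENT_RE.search(line)
        fields = parse_fields(line)
        if not match or fields.get("type") not in ("AVC", "SYSCALL"):
            continue
        if fields["type"] == "AVC":
            perms = PERMS_RE.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
            events[match.groups()]["AVC"].append(fields)
        else:
            events[match.groups()]["SYSCALL"] = fields

    denials = []
    for (stamp, serial), event in events.items():
        syscall = event["SYSCALL"] or {}
        for avc in event["AVC"]:        # events without an AVC are skipped
            source_type = avc["scontext"].split(":")[2]
            target_type = avc["tcontext"].split(":")[2]
            # Grouping key modelled on the "Hash:" line shown in the sealert
            # output earlier in this thread.
            key = ",".join([avc["comm"], source_type, target_type,
                            avc["tclass"], ",".join(avc["perms"])])
            denials.append({
                "event": "%s:%s" % (stamp, serial),
                "key": key,
                "exe": syscall.get("exe"),
                "syscall": describe_syscall(syscall),
                "permissive": avc.get("permissive") == "1",
            })
    return denials


def summarize(text):
    """Count denials per (grouping key, decoded syscall)."""
    return Counter((d["key"], d["syscall"]) for d in correlate(text))


if __name__ == "__main__":
    for (key, syscall), count in summarize(SAMPLE).items():
        print("%dx %s via %s" % (count, key, syscall))
```
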
(In reply to Lukas Vrabec from comment #36)
> (In reply to Karel Volný from comment #35)
> > I'd tend to disagree - dontaudit rules are a hell to debug (unless your
> > crystal ball tells you this is the first thing to take a look at when
> > something goes nuts)
> yep, this is the first thing when you debugging some SELinux issue(#semodule
> -DB).
> http://danwalsh.livejournal.com/11673.html

FYI (sorry for bz spam), what I've meant is that you have to realize that you are debugging selinux issue in the first place (why would you do that if the logs are clean?) ... of course, after some experience, `setenforce 0` is one of the first things to try and if that helps, you know where to look, but it is not always that straightforward (e.g. when the problem is not easy to reproduce) ...

> Agree, We could ask systemd guys.

woohoo, that was quick - thanks Zbyzsek!
Description of problem: I am not sure, maybe after some update. Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
It seems a complete relabelling (touch /.autorelabel && reboot) did fix the issue for any strange reason.
Description of problem: i do not know Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
*** Bug 1196815 has been marked as a duplicate of this bug. ***
*** Bug 1197328 has been marked as a duplicate of this bug. ***
*** Bug 1192164 has been marked as a duplicate of this bug. ***
*** Bug 1185621 has been marked as a duplicate of this bug. ***
systemd-219-6.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/systemd-219-6.fc22
Package systemd-219-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-219-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3138/systemd-219-6.fc22
then log in and leave karma (feedback).
Description of problem: I was reading an online newspaper. Nothing slowed down, stopped or did anything actually. Everything works OK. Since updating from Fedora 20 to 21, I'm getting random hardware errors that Fedora will not allow me to report. Again, nothing seems to slow down or break and the system is totally stable. I had a look in the /var/log directory but couldn't see anything to help. Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
Description of problem: I have no clue. Systemd, apparently. Totally impenetrable. Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
This happened again with Fedora 21. systemd-216-20.fc21.x86_64 kernel-3.18.7-200.fc21.x86_64 libreport-2.3.0-5.fc21.x86_64 Please provide also a fix for f21.
Description of problem: I do not know how it occurred, I only received a notice from the SELinux Alert Browser that it had detected a problem. Notification of the problem included:
The source process: systemctl
Attempted this access: setrlimit
SELinux is preventing systemctl from using the setrlimit access on a process.
Plugin: catchall
you want to allow systemctl to have setrlimit access on the Unknown process
If you believe that systemctl should be allowed setrlimit access on processes labeled logrotate_t by default. You should report this as a bug. You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
systemd-219-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: I have no real idea but I guess systemctl was attempting setrlimit during a logrotate for some reason. Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.8-201.fc21.x86_64 type: libreport
It seems we need to backport the same fix.
Description of problem: Returning from sleep Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.9-200.fc21.x86_64 type: libreport
Description of problem: SELinux Alert Browser Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.9-200.fc21.x86_64 type: libreport
Description of problem: no information, I do not know how did it happen Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
Description of problem: this time, I ran unzip -t in a terminal windows ... Version-Release number of selected component: selinux-policy-3.13.1-105.6.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.1-201.fc21.x86_64 type: libreport
Description of problem: system generated Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.1-201.fc21.x86_64 type: libreport
systemd-216-23.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/systemd-216-23.fc21
Package systemd-216-24.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-216-24.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4991/systemd-216-24.fc21
then log in and leave karma (feedback).
Description of problem: While ending an emacs session on a remote host Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.2-201.fc21.i686+PAE type: libreport
Description of problem: When trying to access a flash memory Version-Release number of selected component: selinux-policy-3.13.1-105.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.3-201.fc21.x86_64 type: libreport
Description of problem: Not clear if anything I did triggered it; it seems to be a background system process. Version-Release number of selected component: selinux-policy-3.13.1-105.6.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.2-201.fc21.x86_64 type: libreport
systemd-216-24.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: Still alerts with selinux-policy-3.13.1-105.9 Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.1-libre.201.fc21.gnu.x86_64 type: libreport
Description of problem: Seems to be the result of a background task Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
Description of problem: SELinux troubleshoot just popped up unexpectedly. At that time, I was using Firefox, Thunderbird and Skype. But I don't think it's really related to any of those tools. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
Description of problem: I believe this is still bug #1184712 Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
Description of problem: happened when logs were automatically rotated Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.i686+PAE type: libreport
Description of problem: systemd-216-24.fc21 and bug #1184712 still not fixed. Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
Can we get a re-open?
Description of problem: Error appeared during normal operation of a server configured to receive logs. Version-Release number of selected component: selinux-policy-3.13.1-105.6.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.2-201.fc21.x86_64 type: libreport
I see the SELinux troubleshooter decided my AVC was the same as this one, but I don't have a prelink error. Mine was that systemctl was denied setrlimit on processes labeled logrotate_t. I shall attach my AVC output, but I feel this should be a standalone bug, not a clone of this one. Can I get confirmation of that before I do?
Created attachment 1013679 [details] SETroubleshooter AVC output
Description of problem: after update fedora from 20 to 21 Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
(In reply to Dan Mossor from comment #76)
> Created attachment 1013679 [details]
> SETroubleshooter AVC output

You have systemd-216-21.fc21, this was fixed in -24.fc21.

*********************************************************************
To anyone experiencing this: please check that you have at least systemd-219-6.fc22 (when on F22) or systemd-216-24.fc21 (when on F21).
*********************************************************************
Description of problem: i think the systemctl rotate log, the message alter every day and once Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
Description of problem: Simply using the system... Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.i686 type: libreport
Hi Everyone, Please, could you update your systems before you report this issue? Thank you. Systemd guys, Do you know the current state of this issue? Do you need any selinux-policy changes? Thank you.
I *think* that this should be fixed with systemd-216-24.fc21. I cannot reproduce this on F21 or F22 myself. But at least comment #c72 suggests that this is not fixed. Even if this is still triggered, it should be harmless, apart from the warning, so I'd just wait a bit and see if it goes away as people update.
Agree, I also think it's about update.
Description of problem: SELinux warning windows appeared randomly while I was browsing online in chrome. Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
(In reply to Lukas Vrabec from comment #81)
> Hi Everyone,
> Please, could you update your systems before you report this issue?
> Thank you.
>
> Systemd guys,
> Do you know the current state of this issue? Do you need any selinux-policy
> changes?
> Thank you.

Hi Lukas,

I've been experiencing this AVC both before and after updating to systemd-216-24.fc21.x86_64, which is what I'm currently running (my system is otherwise up to date as well). Is there any additional information I can collect that would be helpful?

-Dave
Can you paste the avc and setroubleshoot output?
Created attachment 1014422 [details] setroubleshoot details Here is the text from setroubleshoot details; let me know if that's not what you were looking for.
Can you paste/attach the log too? I'd like to see what the commandline was.
Sorry if I'm being dense--which log?
/var/log/audit/audit.log
Created attachment 1014452 [details] audit.log excerpt
Created attachment 1014456 [details]
grep 'type=.*AVC' /var/log/audit/audit.log

The time of 1428802562 is apparently last Sunday, 3:36:02.

Last line I have in /var/log/cron-20150412 is:
Apr 12 03:36:01 pensja run-parts[8112]: (/etc/cron.daily) starting logrotate

First line I have in /var/log/cron is:
Apr 12 03:36:02 pensja run-parts[8234]: (/etc/cron.daily) finished logrotate

Just in case you still think it's old systemd or whatever:
/var/log/dnf.rpm.log-20150407:Apr 03 22:22:37 INFO Upgraded: systemd-216-24.fc21.x86_64
/var/log/messages-20150412:Apr 6 20:42:41 pensja systemd-logind: System is rebooting.
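Added example, not part of the thread or its attachments: the timestamp check done by hand in the comment above (matching an AVC record's epoch against the cron.daily lines), written as a small Python script. The audit records are constructed; only the epoch 1428802562, the systemctl/sys_resource denial and the two cron lines come from the thread, while the UTC+2 offset, pid, serial number and SELinux contexts are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=2))  # assumption: the reporting host runs at UTC+2
YEAR = 2015                              # syslog-style cron lines carry no year
# Constructed audit records: pid, serial and contexts are placeholders.
AUDIT_LOG = (
    'type=AVC msg=audit(1428802562.101:4711): avc:  denied  { sys_resource } for  '
    'pid=8233 comm="systemctl" capability=24  scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:system_r:example_t:s0 tclass=capability permissive=0\n'
    'type=SYSCALL msg=audit(1428802562.101:4711): arch=c000003e success=yes comm="systemctl"\n'
)
# The two cron lines quoted in the comment above.
CRON_LOG = (
    'Apr 12 03:36:01 pensja run-parts[8112]: (/etc/cron.daily) starting logrotate\n'
    'Apr 12 03:36:02 pensja run-parts[8234]: (/etc/cron.daily) finished logrotate\n'
)
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)$')

def parse_avc(line):
    """Return the fields of a kernel AVC denial record, or None for other records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    epoch, serial, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    fields.update(when=datetime.fromtimestamp(int(epoch), LOCAL_TZ),
                  serial=int(serial), perms=perms.split())
    return fields

def parse_cron(line):
    """Split a syslog-style cron line into (timezone-aware timestamp, message)."""
    stamp = datetime.strptime(f'{YEAR} {line[:15]}', '%Y %b %d %H:%M:%S')
    return stamp.replace(tzinfo=LOCAL_TZ), line.split(': ', 1)[1]

def correlate(audit_text, cron_text, window=timedelta(seconds=5)):
    """Pair every AVC denial with the cron messages logged within `window` of it."""
    cron = [parse_cron(l) for l in cron_text.splitlines() if l.strip()]
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            near = [msg for ts, msg in cron if abs(ts - avc['when']) <= window]
            hits.append((avc, near))
    return hits

if __name__ == '__main__':
    for avc, near in correlate(AUDIT_LOG, CRON_LOG):
        print(avc['when'].isoformat(), avc['comm'], avc['perms'], near)
```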
Should be fixed with the next update.
Description of problem: looks like the permissions for logrotate are not correct Version-Release number of selected component: selinux-policy-3.13.1-105.9.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.3-200.fc21.x86_64 type: libreport
Description of problem: I tried to create a shared folder using Samba server configuration control panel. It is 100% reproducible. Version-Release number of selected component: selinux-policy-3.13.1-105.13.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.19.5-200.fc21.x86_64 type: libreport
Description of problem: I can also reproduce this every time I modify a SMB share using system-config-samba Version-Release number of selected component: selinux-policy-3.13.1-105.13.fc21.noarch policycoreutils-2.3-7.1.fc21.x86_64 system-config-samba-1.2.100-3.fc21.noarch samba-4.1.17-1.fc21.x86_64 samba-client-4.1.17-1.fc21.x86_64
*** Bug 1192233 has been marked as a duplicate of this bug. ***
Description of problem: SELinux blocks samba whenever I try to create a share without a password. How to reproduce this bug: On the system-config-samba gui, after selecting a samba share, click in the preferences menu, open the server settings and then on the security tab set the Authentication Mode to "Share" and click ok. This will trigger the SELinux security alert. Version-Release number of selected component: selinux-policy-3.13.1-105.13.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 4.0.4-202.fc21.x86_64 type: libreport
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.