Bug 1222157 - SELinux is preventing systemd-logind from 'getattr' accesses on the file /dev/shm/lttng-ust-wait-5.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:06792b7dfe1e4a2cbe2df373025...
Duplicates: 1305984 1306993 1312658 1331234 1333474 1338959 1340597
Depends On:
Blocks:
Reported: 2015-05-15 22:19 UTC by Juan Orti Alcaine
Modified: 2016-06-20 21:10 UTC

Fixed In Version: selinux-policy-3.13.1-158.7.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-05 06:22:24 UTC



Description Juan Orti Alcaine 2015-05-15 22:19:52 UTC
Description of problem:
SELinux is preventing systemd-logind from 'getattr' accesses on the file /dev/shm/lttng-ust-wait-5.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, systemd-logind debería permitir acceso getattr sobre  lttng-ust-wait-5 file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/lttng-ust-wait-5 [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.3-300.fc22.x86_64 #1 SMP Wed
                              May 13 18:43:52 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-15 23:10:48 CEST
Last Seen                     2015-05-15 23:10:48 CEST
Local ID                      36203268-1b83-4e79-8efb-b239120ffb5e

Raw Audit Messages
type=AVC msg=audit(1431724248.950:1003): avc:  denied  { getattr } for  pid=768 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=25832 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0


Hash: systemd-logind,systemd_logind_t,tmpfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.3-300.fc22.x86_64
type:           libreport

Potential duplicate: bug 1190461

Comment 1 Miroslav Grepl 2015-05-18 09:39:47 UTC
Did you set up lttng?

Comment 2 Juan Orti Alcaine 2015-05-18 09:43:41 UTC
I don't know what that thing is.

It's probably related to #1221945, which I'm also experiencing while using virtual machines.

Comment 3 Miroslav Grepl 2015-05-18 09:46:02 UTC
Yes, I see now what's going on here.

We need to add SELinux support for lttng-sessiond which creates 

-rw-rw-r--. 1 root   root   system_u:object_r:tmpfs_t:s0        4096 May 18 11:44 lttng-ust-wait-5
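
Comment 3 traces the denial to a /dev/shm file that keeps the generic tmpfs_t label because its creator has no policy of its own. The following Python is an added example, not part of this bug thread or of selinux-policy: it parses AVC records and groups denials on such files by path, so the unlabeled creator can be identified rather than blanket-allowing with audit2allow. The second sample record and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: record 1 is the AVC line from the bug description;
# record 2 is a made-up denial unrelated to /dev/shm (its names are hypothetical).
SAMPLE_LOG = """\
type=AVC msg=audit(1431724248.950:1003): avc:  denied  { getattr } for  pid=768 comm="systemd-logind" path="/dev/shm/lttng-ust-wait-5" dev="tmpfs" ino=25832 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1431724300.100:1010): avc:  denied  { read } for  pid=900 comm="exampled" path="/etc/example.conf" dev="dm-0" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one complete AVC denial, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # Journal lines cut off at the terminal width can lose the trailing fields.
    if any(k not in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    s, t = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(s) < 3 or len(t) < 3:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"], rec["ttype"] = s[2], t[2]
    return rec

def unlabeled_shm_objects(log_text, generic_type="tmpfs_t"):
    """Group denials on /dev/shm objects that still carry the generic label."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == generic_type and rec.get("path", "").startswith("/dev/shm/"):
            hits[rec["path"]].add((rec["stype"], rec["tclass"], tuple(rec["perms"])))
    return dict(hits)

if __name__ == "__main__":
    for path, denials in unlabeled_shm_objects(SAMPLE_LOG).items():
        print(path, sorted(denials))
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log, the file the setroubleshoot output in the description greps.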

Comment 4 Kamil Páral 2015-05-19 07:42:51 UTC
Description of problem:
F22 installation, created a new user, happened shortly after logging in.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.3-300.fc22.x86_64
type:           libreport

Comment 5 misko.herko 2015-05-28 10:19:39 UTC
Description of problem:
ssh from the virtual machine to host

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Comment 6 Miroslav Grepl 2015-12-20 10:58:53 UTC

*** This bug has been marked as a duplicate of bug 1278662 ***

Comment 7 Michael Catanzaro 2015-12-27 23:31:14 UTC
Description of problem:
gnome-session breaks whenever I attempt to log out. I think it's triggered by SELinux breaking logind.

* If an application (say, gedit with any unsaved text) has an inhibitor, nothing will happen after selecting log out. About a minute later, some timeout will expire and I will then get logged out.
* If no session inhibitor exists, logout works immediately.

After that, it's no longer possible to log in, because gdm doesn't have permission to open /dev/tty2. I figure gnome-session was probably supposed to release something, but didn't get around to it, because it broke.

There's definitely a gnome-session bug here:

Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:08 victory-road gnome-session[2206]: gnome-session-binary[2206]: GLib-GObject-CRITICAL: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 27 13:06:11 victory-road gnome-session-binary[2206]: Entering running state

Unfortunately, when I turn on fatal-criticals, the backtrace is mostly useless:

Dec 27 17:14:52 victory-road systemd-coredump[2983]: Process 2219 (gnome-session-b) of user 1000 dumped core.
                                                     
                                                     Stack trace of thread 2219:
                                                     #0  0x00007fa1c6f8e81b _g_log_abort (libglib-2.0.so.0)
                                                     #1  0x00007fa1c6f8e98f g_log (libglib-2.0.so.0)
                                                     #2  0x00007fa1c6f84938 g_source_callback_unref (libglib-2.0.so.0)
                                                     #3  0x00007fa1c6f860f6 g_source_destroy_internal (libglib-2.0.so.0)
                                                     #4  0x00007fa1c6f87ed0 g_main_dispatch (libglib-2.0.so.0)
                                                     #5  0x00007fa1c6f881d0 g_main_context_iterate (libglib-2.0.so.0)
                                                     #6  0x00007fa1c6f884f2 g_main_loop_run (libglib-2.0.so.0)
                                                     #7  0x000055c797ec673b main (gnome-session-binary)
                                                     #8  0x00007fa1c6b9d580 __libc_start_main (libc.so.6)
                                                     #9  0x000055c797ec6ab9 _start (gnome-session-binary)
                                                     
But this is an SELinux bug report, so let's not worry more about gnome-session here, but rather the SELinux bug that I suspect is exposing the gnome-session bug. Here's what I see in my journal when logging out, which is clearly an SELinux-related issue:

Dec 27 17:14:50 victory-road systemd-logind[1052]: Removed session 1.
Dec 27 17:14:50 victory-road systemd[1]: Stopping User Manager for UID 1000...
Dec 27 17:14:50 victory-road audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 ho
Dec 27 17:14:50 victory-road audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 ho
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Default.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Default.
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Basic System.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Basic System.
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Sockets.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Sockets.
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Paths.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Paths.
Dec 27 17:14:50 victory-road systemd[2010]: Reached target Shutdown.
Dec 27 17:14:50 victory-road systemd[2010]: Starting Shutdown.
Dec 27 17:14:50 victory-road systemd[2010]: Starting Exit the Session...
Dec 27 17:14:50 victory-road systemd[2010]: Stopped target Timers.
Dec 27 17:14:50 victory-road systemd[2010]: Stopping Timers.
Dec 27 17:14:50 victory-road systemd[2010]: Received SIGRTMIN+24 from PID 3075 (kill).
Dec 27 17:14:50 victory-road systemd[2015]: pam_unix(systemd-user:session): session closed for user mcatanzaro
Dec 27 17:14:50 victory-road systemd[1]: Stopped User Manager for UID 1000.
Dec 27 17:14:50 victory-road audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
Dec 27 17:14:50 victory-road systemd[1]: Removed slice user-1000.slice.
Dec 27 17:14:50 victory-road audit[1052]: AVC avc:  denied  { getattr } for  pid=1052 comm="systemd-logind" path="/dev/shm/lldpad.state" dev="tmpfs" ino=15450 scontext=system_u:system_r:systemd_logind_t:s0 tcont
Dec 27 17:14:50 victory-road systemd[1]: Stopping user-1000.slice.
Dec 27 17:14:50 victory-road systemd-logind[1052]: Failed to stat() POSIX shared memory segment lldpad.state: Permission denied

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport

Comment 8 Joran Martinière 2016-01-05 21:46:53 UTC
Description of problem:
It happens whenever I try to log in just after logging out from my own or any other user's graphical session.

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport

Comment 9 Raphael Groner 2016-02-06 12:36:06 UTC
Description of problem:
tried to auto-relabel with touch /.relabel

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.4-300.fc23.x86_64
type:           libreport

Comment 10 marco.gremo@tin.it 2016-02-09 17:48:01 UTC
*** Bug 1305984 has been marked as a duplicate of this bug. ***

Comment 11 adalsaady 2016-02-12 12:00:54 UTC
*** Bug 1306993 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2016-02-27 13:49:52 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 14 Fedora Update System 2016-02-28 13:53:49 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 15 Yamin 2016-02-28 14:24:07 UTC
*** Bug 1312658 has been marked as a duplicate of this bug. ***

Comment 16 Wolfgang Rupprecht 2016-02-29 03:50:23 UTC
Description of problem:
This happened after a reboot with no user intervention.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.2-301.fc23.x86_64
type:           libreport

Comment 17 Fedora Update System 2016-03-05 06:21:30 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Juan Orti Alcaine 2016-04-26 15:08:04 UTC
Description of problem:
/dev/shm/lldpad.state is badly labeled on each boot

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.7-300.fc23.x86_64
type:           libreport

Comment 19 mawcin 2016-04-28 04:31:17 UTC
*** Bug 1331234 has been marked as a duplicate of this bug. ***

Comment 20 Martino 2016-05-05 15:23:08 UTC
*** Bug 1333474 has been marked as a duplicate of this bug. ***

Comment 21 amarty 2016-05-23 17:56:12 UTC
*** Bug 1338959 has been marked as a duplicate of this bug. ***

Comment 22 Riccardo Melioli 2016-05-28 11:23:28 UTC
*** Bug 1340597 has been marked as a duplicate of this bug. ***

