Description of problem:
We use a cron job to reboot some machines when needed. This is now failing with:

type=USER_AVC msg=audit(1443089508.488:3600): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="shutdown -r now" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.13.1-128.13.fc22

I know I can create custom policy, but would rather not have to.

I'm seeing the same thing on all my up-to-date fc23 beta systems. Reboots from daily cron using 'shutdown -r +3 "update for new software"' fail in a way that causes an immediate reboot. This causes the daily cron mail to be lost as well as any other mail (like the daily rkhunter run) that was sent in the seconds before that. That does have security and operational implications. All problem reports from that cron run are lost.

type=AVC msg=audit(1444832764.426:1269): avc: denied { read } for pid=872 comm="systemd-logind" name="utmp" dev="tmpfs" ino=16172 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444832764.426:1270): avc: denied { read } for pid=872 comm="systemd-logind" name="utmp" dev="tmpfs" ino=16172 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444832764.426:1271): avc: denied { create } for pid=872 comm="systemd-logind" name=".#scheduled1B77sJ" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444832764.427:1272): avc: denied { create } for pid=872 comm="systemd-logind" name=".#nologin9MA0Jf" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

selinux-policy.noarch 3.13.1-150.fc23 @updates-testing
selinux-policy-devel.noarch 3.13.1-150.fc23 @updates-testing
selinux-policy-targeted.noarch 3.13.1-150.fc23 @updates-testing

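
Added example, not part of the original report or of selinux-policy: a small Python parser that reduces the AVC and USER_AVC denials quoted in the two comments above to (source type, target type, class) groups with their denied permissions, which is the view needed to judge what a policy fix has to cover. The function names are illustrative; the sample records are copied verbatim from the comments.

```python
import re
from collections import defaultdict

# Denial records copied verbatim from the two comments above.
SAMPLE = """\
type=USER_AVC msg=audit(1443089508.488:3600): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="shutdown -r now" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1444832764.426:1269): avc: denied { read } for pid=872 comm="systemd-logind" name="utmp" dev="tmpfs" ino=16172 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444832764.426:1270): avc: denied { read } for pid=872 comm="systemd-logind" name="utmp" dev="tmpfs" ino=16172 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444832764.426:1271): avc: denied { create } for pid=872 comm="systemd-logind" name=".#scheduled1B77sJ" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1444832764.427:1272): avc: denied { create } for pid=872 comm="systemd-logind" name=".#nologin9MA0Jf" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
"""

# Matches both kernel AVC records and the avc text nested in USER_AVC msg='...'.
DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; quoted values may contain spaces (e.g. cmdline="shutdown -r now").
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return a dict for one AVC/USER_AVC denial, or None for other records."""
    m = DENIAL.search(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "source": fields["scontext"].split(":")[2],  # user:role:type:level
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
        "permissive": fields.get("permissive") == "1",
    }

def summarize(text):
    """Group denials by (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return dict(rules)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```
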
Fix will shortly be released to rawhide and F23 for testing. Backporting to F22 will follow (provided that the fix passes tests). Commits concerning the fix:
https://github.com/fedora-selinux/selinux-policy/commit/278db282fc299d63fc65dd5ceb2755ae35772019
https://github.com/fedora-selinux/selinux-policy/commit/e8b47663ab68ae38a80da83965fd8f901dd8d4f1
https://github.com/fedora-selinux/selinux-policy/commit/04bb898e69498c9c51746e12081e0c6fcd2ef342
https://github.com/fedora-selinux/selinux-policy/commit/02f981d4a2d0d483e0c91dcc1fe7f4af4d3f79f4

I'm not the OP but I can confirm that the following fixed the issue for me. Thanks! This was driving me crazy.
selinux-policy.noarch 3.13.1-155.fc23
selinux-policy-devel.noarch 3.13.1-155.fc23
selinux-policy-targeted.noarch 3.13.1-155.fc23

https://github.com/fedora-selinux/selinux-policy/pull/82
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.