Description of problem:
Trying to shut down with a TIME argument:

$ sudo shutdown -h 12:00

SELinux is preventing systemd-logind from 'rename' accesses on the file .#scheduledhAaMOb.

***** Plugin catchall (100. confidence) suggests **************************

If você acredita que o systemd-logind deva ser permitido acesso de rename em .#scheduledhAaMOb file por default.
Then você precisa reportar este como um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso agora executando:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                .#scheduledhAaMOb [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.3-300.fc23.x86_64 #1 SMP Mon Oct 5 15:42:54 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-04 11:35:40 BRST
Last Seen                     2015-11-04 11:35:40 BRST
Local ID                      5da228d9-44cc-4bbf-9045-1ddab94d799a

Raw Audit Messages
type=AVC msg=audit(1446644140.979:1086): avc: denied { rename } for pid=742 comm="systemd-logind" name=".#scheduledhAaMOb" dev="tmpfs" ino=1487023 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1

Hash: systemd-logind,systemd_logind_t,init_var_run_t,file,rename

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Potential duplicate: bug 804236
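For triage of the raw audit message in the report above, the following added example (not part of the original report or of any SELinux tool) parses an AVC record and reports whether the denial was actually blocked or only logged, based on the `permissive=` field. The function names are hypothetical, and the second sample is a constructed enforcing-mode variant of the reported record.

```python
import re

# AVC record copied from the report above (logged with permissive=1).
REPORTED = ('type=AVC msg=audit(1446644140.979:1086): avc: denied { rename } for pid=742 '
            'comm="systemd-logind" name=".#scheduledhAaMOb" dev="tmpfs" ino=1487023 '
            'scontext=system_u:system_r:systemd_logind_t:s0 '
            'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1')
# Constructed sample: the same record as it would look in enforcing mode.
CONSTRUCTED_ENFORCING = REPORTED.replace("permissive=1", "permissive=0")

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"scontext", "tcontext", "tclass"}

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs follow the permission set; quoted values lose their quotes.
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if not REQUIRED <= rec.keys():
        return None
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # The type is the third colon-separated part of user:role:type:level.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(line):
    """One-line triage summary: who wanted what on which type, and the outcome."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC record"
    # permissive=1: access was logged but allowed; permissive=0: it was blocked.
    # A record without the field is reported as "unknown" rather than guessed.
    verdict = {"0": "BLOCKED", "1": "logged only"}.get(rec.get("permissive"), "unknown")
    return "%s -> %s:%s { %s } %s" % (rec["source_type"], rec["target_type"],
                                      rec["tclass"], " ".join(rec["perms"]), verdict)

if __name__ == "__main__":
    for sample in (REPORTED, CONSTRUCTED_ENFORCING):
        print(summarize(sample))
```
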
Description of problem:
I was trying to schedule a shutdown:

$ sudo shutdown -h 4:30

It was possible to do that because SELinux is in permissive mode. Otherwise, scheduled shutdown fails and turns off the system immediately.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
The latest selinux-policy package on F22, where you can schedule a shutdown, is selinux-policy-3.13.1-128.19, so the bug was introduced somewhere between that and 3.13.1-152. Within that range, grep'ing for systemctl yields releases 142 and 148 (commits 1ba0a986f6f7a8c6960a1643878498c68659573b and ec0c1bc01ebca0b2927b75b53836fd2ed0e40be9 respectively). I don't know the first thing about the internals of SELinux, but those two might be worth investigating.
Good point. Systemd has a known bug (introduced in newer releases, but already fixed upstream, I guess) that prevents shutdown from working properly with a TIME parameter (https://github.com/systemd/systemd/issues/1120). Perhaps this bug in systemd is triggering some unexpected behavior that is blocked or affected by SELinux. But it's just a guess; unfortunately, I know nothing about SELinux and Systemd internals.
*** Bug 1278659 has been marked as a duplicate of this bug. ***
https://github.com/fedora-selinux/selinux-policy/commit/278db282fc299d63fc65dd5ceb2755ae35772019
https://github.com/fedora-selinux/selinux-policy/commit/e8b47663ab68ae38a80da83965fd8f901dd8d4f1
https://github.com/fedora-selinux/selinux-policy/commit/04bb898e69498c9c51746e12081e0c6fcd2ef342
https://github.com/fedora-selinux/selinux-policy/commit/02f981d4a2d0d483e0c91dcc1fe7f4af4d3f79f4
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23.
https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
It's working fine while SELinux is in permissive mode: no more warnings are shown and, at the scheduled time, the system shuts itself down. But when I set SELinux to enforcing mode (and reboot for the changes to take effect), the warnings are shown again if I try to shut down with a TIME argument, but even with the warning, the system shuts itself down at the correct scheduled time. Please see here: https://bugzilla.redhat.com/show_bug.cgi?id=1285019
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.