Bug 1277987 - SELinux is preventing systemd-logind from 'rename' accesses on the file .#scheduledhAaMOb.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:feb858c84f5452692e828d8693f...
Duplicates: 1278659
Reported: 2015-11-04 08:37 EST by Vinicius Reis
Modified: 2015-11-26 15:57 EST
Fixed In Version: selinux-policy-3.13.1-155.fc23
Doc Type: Bug Fix
Last Closed: 2015-11-26 15:57:50 EST
Description Vinicius Reis 2015-11-04 08:37:45 EST
Description of problem:
Trying to shut down with a TIME argument:
$ sudo shutdown -h 12:00
SELinux is preventing systemd-logind from 'rename' accesses on the file .#scheduledhAaMOb.

*****  Plugin catchall (100. confidence) suggests   **************************

If você acredita que o systemd-logind deva ser permitido acesso de rename em .#scheduledhAaMOb file  por default.
Then você precisa reportar este como um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso agora executando:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                .#scheduledhAaMOb [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.3-300.fc23.x86_64 #1 SMP Mon
                              Oct 5 15:42:54 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-04 11:35:40 BRST
Last Seen                     2015-11-04 11:35:40 BRST
Local ID                      5da228d9-44cc-4bbf-9045-1ddab94d799a

Raw Audit Messages
type=AVC msg=audit(1446644140.979:1086): avc:  denied  { rename } for  pid=742 comm="systemd-logind" name=".#scheduledhAaMOb" dev="tmpfs" ino=1487023 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1


Hash: systemd-logind,systemd_logind_t,init_var_run_t,file,rename

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Potential duplicate: bug 804236
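
Added example, not part of the original report and not setroubleshoot's own code: a small parser for the raw AVC record above that rebuilds the tuple shown on the "Hash:" line and separates denials that were only logged (permissive=1) from ones that were enforced. The function names and the permissive=0 variant of the record are constructed for illustration.

```python
import re
from collections import Counter

# REPORTED is the raw AVC record from this bug report. ENFORCED is a constructed
# variant (permissive=0) standing in for the same denial on an enforcing host.
REPORTED = (
    'type=AVC msg=audit(1446644140.979:1086): avc:  denied  { rename } for  '
    'pid=742 comm="systemd-logind" name=".#scheduledhAaMOb" dev="tmpfs" '
    'ino=1487023 scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1'
)
ENFORCED = REPORTED.replace('permissive=1', 'permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an AVC record as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    avc['result'] = m.group(1)
    avc['perms'] = m.group(2).split()
    return avc

def se_type(context):  # user:role:type:level -> type
    return context.split(':')[2]

def signature(avc):
    """Rebuild the comm,source type,target type,class,permission tuple."""
    return ','.join([avc['comm'], se_type(avc['scontext']),
                     se_type(avc['tcontext']), avc['tclass'], *avc['perms']])

def was_blocked(avc):
    """permissive=1 means logged only; a missing field is assumed to mean enforced."""
    return avc['result'] == 'denied' and avc.get('permissive') != '1'

def summarize(lines):
    """Count denials per (signature, 'blocked' | 'logged-only')."""
    counts = Counter()
    for avc in filter(None, map(parse_avc, lines)):
        if avc['result'] == 'denied':
            counts[signature(avc), 'blocked' if was_blocked(avc) else 'logged-only'] += 1
    return dict(counts)

if __name__ == '__main__':
    for (sig, mode), n in summarize([REPORTED, ENFORCED]).items():
        print(f'{n} x {mode:<11} {sig}')
```

Grouping by this tuple before generating any local policy module shows which accesses a new rule would cover and whether each one was actually blocked.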
Comment 1 Vinicius Reis 2015-11-06 00:41:10 EST
Description of problem:
I was trying to schedule a shutdown:
$ sudo shutdown -h 4:30

It was possible to do that because SELinux is in permissive mode. Otherwise, the scheduled shutdown fails and turns off the system immediately.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
Comment 2 Alexander Ploumistos 2015-11-08 18:18:07 EST
The latest selinux-policy package on F22, where you can schedule a shutdown, is selinux-policy-3.13.1-128.19, so the bug was introduced somewhere between that and 3.13.1-152. Within that range, grep'ing for systemctl yields releases 142 and 148 (commits 1ba0a986f6f7a8c6960a1643878498c68659573b and ec0c1bc01ebca0b2927b75b53836fd2ed0e40be9 respectively). I don't know the first thing about the internals of SELinux, but those two might be worth investigating.
Comment 3 Vinicius Reis 2015-11-08 18:39:00 EST
Good point.
Systemd has a known bug (introduced in newer releases, but already fixed upstream, I guess) that prevents shutdown from working properly with a TIME parameter (https://github.com/systemd/systemd/issues/1120).
Perhaps this bug in systemd is triggering some unexpected behavior that is blocked or affected by SELinux. But it's just a guess; unfortunately I know nothing about SELinux and systemd internals.
Comment 4 Miroslav Grepl 2015-11-10 07:10:08 EST
*** Bug 1278659 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2015-11-20 08:15:36 EST
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
Comment 7 Fedora Update System 2015-11-22 09:25:48 EST
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
Comment 8 Vinicius Reis 2015-11-24 12:05:32 EST
It's working fine while SELinux is in permissive mode, no more warnings are shown and at the scheduled time, the system shuts down itself. 


But when I set SELinux to enforcing mode (and do a reboot for the changes to take effect), the warnings are shown again if I try to shut down with a TIME argument, but even with the warning, the system shuts itself down at the correct scheduled time.

Please, see here:  https://bugzilla.redhat.com/show_bug.cgi?id=1285019
Comment 9 Fedora Update System 2015-11-26 15:56:59 EST
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
