Description of problem: SELinux is preventing systemd-rfkill from 'write' accesses on the directory rfkill. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-rfkill should be allowed write access on the rfkill directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-rfkill /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_rfkill_t:s0 Target Context system_u:object_r:init_var_lib_t:s0 Target Objects rfkill [ dir ] Source systemd-rfkill Source Path systemd-rfkill Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-162.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.4.0-0.rc4.git0.1.fc24.x86_64 #1 SMP Mon Dec 7 15:45:55 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-12-10 00:03:59 CET Last Seen 2015-12-10 00:03:59 CET Local ID 9caddcab-bd22-4415-922a-2c9760332484 Raw Audit Messages type=AVC msg=audit(1449702239.54:202): avc: denied { write } for pid=1053 comm="systemd-rfkill" name="rfkill" dev="dm-2" ino=393350 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1 Hash: systemd-rfkill,systemd_rfkill_t,init_var_lib_t,dir,write Version-Release number of selected component: selinux-policy-3.13.1-162.fc24.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.4.0-0.rc4.git0.1.fc24.x86_64 type: libreport
Hi Joachim, Use restorecon to fix this issue: #restorecon -R -v /var/lib/systemd/rfkill Could you confirm if this fixed your issue? Thank you!
After a fresh install, I have not been able to reproduce this issue. In particular not after installing today's rawhide updates.
(In reply to Joachim Frieben from comment #2) > After a fresh install, I have not been able to reproduce this issue. In > particular not after installing today's rawhide updates. Thank you for testing.
Issue appears when booting from today's rawhide live image including package selinux-policy-targeted-3.13.1-165.fc24.
The directory is labeled again as init_var_lib_t?
(In reply to Lukas Vrabec from comment #5) system_u:object_r:init_var_lib_t:s0 rfkill
*** Bug 1309839 has been marked as a duplicate of this bug. ***
Probably, we need to add transition that init_t can create "rfkill" dir labeled as systemd_rfkill_var_lib_t in init_var_lib_t directory.
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
commit cbdc7b94f03f05a6825fd823a72a21b1df2d0e40 Author: Lukas Vrabec <lvrabec> Date: Thu Feb 25 19:29:06 2016 +0100 Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
This has returned in Fedora 24 Alpha 1.6. Attaching the full journal. But the gist is: Mar 20 20:49:03 localhost.localdomain systemd[1]: Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch. Mar 20 20:49:03 localhost.localdomain systemd[1]: Starting Load/Save RF Kill Switch Status... Mar 20 20:49:04 localhost.localdomain audit[705]: AVC avc: denied { write } for pid=705 comm="systemd-rfkill" name="systemd" dev="dm-0" ino=33763955 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0 Mar 20 20:49:04 localhost.localdomain audit[705]: SYSCALL arch=c000003e syscall=83 success=no exit=-13 a0=55ef484a7407 a1=1ed a2=0 a3=55ef484a7400 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null) Mar 20 20:49:04 localhost.localdomain audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-rfkill" Mar 20 20:49:04 localhost.localdomain systemd-rfkill[705]: Failed to create rfkill directory: Permission denied systemd-229-6.fc24.x86_64 selinux-policy-3.13.1-179.fc24.noarch
Created attachment 1138396 [details] journal F24 server alpha 1.6 log
restorecon -rv / doesn't fix this, it still fails to start and I see this still in the journal Mar 20 21:02:18 localhost.localdomain kernel: audit: type=1400 audit(1458529338.022:64): avc: denied { write } for pid=702 comm="systemd-rfkill" name="systemd" dev="dm-0" ino=33763955 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
Hi, Could you run: $ ls -Z /var/lib/systemd and attach all AVC msgs in /var/log/audit/audit.log ? Thank you.
-- enforcing=1 -- # ls -Z /var/lib/systemd system_u:object_r:init_var_lib_t:s0 backlight system_u:object_r:init_var_lib_t:s0 catalog system_u:object_r:init_var_lib_t:s0 coredump system_u:object_r:init_var_lib_t:s0 random-seed system_u:object_r:init_var_lib_t:s0 timers -- enforcing=0 -- # ls -Z /var/lib/systemd system_u:object_r:init_var_lib_t:s0 backlight system_u:object_r:init_var_lib_t:s0 catalog system_u:object_r:init_var_lib_t:s0 coredump system_u:object_r:init_var_lib_t:s0 random-seed system_u:object_r:init_var_lib_t:s0 rfkill system_u:object_r:init_var_lib_t:s0 timers
Created attachment 1138608 [details] AVC denials from /var/log/audit/audit.log with enforcing=0
commit 925b6fc2e41c720ed5124289f934748df0294b45 Author: Lukas Vrabec <lvrabec> Date: Mon Mar 21 12:34:29 2016 +0100 Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
selinux-policy-3.13.1-180.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.