Hide Forgot
Description of problem: Upgraded selinux-policy and selinux-policy-targeted to 3.13.1-128.27.fc22 and rebooted. During boot I noticed the machine was stuck and did not react to keyboard or mouse and did not complete the boot sequence (it stalled with the fedora-logo showing). However, I could ssh into it remotely and there downgrade to 3.13.1-128.21.fc22 again and once rebooted it came up again without any issues. SELinux is preventing (t-daemon) from 'read' accesses on the file Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that (t-daemon) should be allowed read access on the Unknown file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep (t-daemon) /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:nsfs_t:s0 Target Objects Unknown [ file ] Source (t-daemon) Source Path (t-daemon) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.27.fc22.noarch selinux- policy-3.13.1-128.21.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.3.5-200.fc22.x86_64 #1 SMP Mon Feb 1 03:19:00 UTC 2016 x86_64 x86_64 Alert Count 28 First Seen 2016-02-17 22:10:26 CET Last Seen 2016-02-17 22:21:24 CET Local ID fedc66c8-f8e9-4f6c-87ff-b49a03c469d4 Raw Audit Messages type=AVC msg=audit(1455744084.311:875): avc: denied { read } for pid=2520 comm="(ostnamed)" dev="nsfs" ino=4026532323 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 Hash: (t-daemon),init_t,nsfs_t,file,read Version-Release number of selected component: selinux-policy-3.13.1-128.27.fc22.noarch selinux-policy-3.13.1-128.21.fc22.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.3.5-200.fc22.x86_64 type: libreport
commit a165d481fc386050594f64c20f126e302dbf418d Author: Lukas Vrabec <lvrabec> Date: Mon Jan 18 15:36:48 2016 +0100 Allow systemd services to use PrivateNetwork feature systemd creates a new network namespace for services which are using PrivateNetwork=yes. In the implementation, systemd uses a socketpair as a storage buffer for the namespace reference file descriptor (c.f. https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660). One end of this socketpair is locked (hence the need of "lock" access to self:unix_dgram_socket for init_t) while systemd opens /proc/self/ns/net, which lives in nsfs. While at it, add filesystem_type attribute to nsfs_t. Author: Nicolas Iooss <nicolas.iooss>
Note that "t-daemon" is rtkit-daemon. On kde the machine boots to the sddm login screen but then has problems logging in - it logs in eventually but without sound or the mixer applet. I guess gdm fails earlier becuase it tries to start pulseaudio which requires rtkit.
Hi Oliver, Can you boot up with permissive mode and collect AVC msgs? Thank you.
I tested selinux-policy-3.13.1-128.28.fc22 and it fixes my problem, as expected. Do you still need AVC logs? From a conversation on #selinux I'm reasonably sure that you don't. Note that I filed bug #1309748 against systemd over the "rtkit-daemon" -> "(t-daemon)" naming issue, since it throws extra spanners into the process of understanding a bug.
Created attachment 1128576 [details] audit.log while in permissive mode and restarting gdm
selinux-policy-3.13.1-128.28.fc22 fixes the problem for me. It isn't pushed to updates-testing yet, so I had to get it from koji directly.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.