Description of problem: SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/systemd/inaccessible/blk. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed getattr access on the blk blk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:init_var_run_t:s0 Target Objects /run/systemd/inaccessible/blk [ blk_file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-204.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.7.0-2.fc25.x86_64 #1 SMP Tue Jul 26 14:26:55 UTC 2016 x86_64 x86_64 Alert Count 5 First Seen 2016-07-28 17:13:53 CEST Last Seen 2016-07-28 17:17:32 CEST Local ID 0a145d7b-5714-4af1-b9a1-257c69d8fc7e Raw Audit Messages type=AVC msg=audit(1469719052.197:238): avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=8902 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=blk_file permissive=1 Hash: systemd,init_t,init_var_run_t,blk_file,getattr Version-Release number of selected component: selinux-policy-3.13.1-204.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.0-2.fc25.x86_64 type: libreport
Description of problem: Occasionally on different tasks. Opening files. Runing dnf --refresh upgrade. ... Version-Release number of selected component: selinux-policy-3.13.1-207.fc26.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc0.git5.1.fc26.x86_64 type: libreport
commit f5612370266f80563a6ce7550c5f526bef1188bd Author: Dan Walsh <dwalsh> Date: Tue Aug 9 07:54:00 2016 -0400 systemd is doing a gettattr on blk and chr devices in /run Looks like devices created during boot are in /run/systemd/inaccessible/blk /run/systemd/inaccessible/chr ls -l /run/systemd/inaccessible/ total 0 b---------. 1 root root 0, 0 Aug 7 06:07 blk c---------. 1 root root 0, 0 Aug 7 06:07 chr d---------. 2 root root 40 Aug 7 06:07 dir p---------. 1 root root 0 Aug 7 06:07 fifo ----------. 1 root root 0 Aug 7 06:07 reg s---------. 1 root root 0 Aug 7 06:07 sock Maybe could dontaudit these, but getattr access is probably ok.
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1
This issue is still present. The system journal reports ".. systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied" when booted in enforcing mode, and the alert continues to be reported by the SELinux Troubleshooter utility. The file attributes of file /run/systemd/inaccessible/blk differ between enforcing mode and permissive mode, respectively. File attributes 'ls -lZ /run/systemd/inaccessible/blk' in enforcing mode: b---------. 1 root root system_u:object_r:tmpfs_t:s0 0, 0 Aug 13 13:01 blk File attributes 'ls -lZ /run/systemd/inaccessible/blk' in permissive mode: b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Aug 13 13:09 blk
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.