Description of problem: SELinux is preventing systemd from 'getattr' accesses on the chr_file /run/systemd/inaccessible/chr. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed getattr access on the chr chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:init_var_run_t:s0 Target Objects /run/systemd/inaccessible/chr [ chr_file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-204.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.7.0-2.fc25.x86_64 #1 SMP Tue Jul 26 14:26:55 UTC 2016 x86_64 x86_64 Alert Count 3 First Seen 2016-07-28 17:13:53 CEST Last Seen 2016-07-28 17:17:32 CEST Local ID bcc55a58-8644-4b43-9ae0-82fabfc4d4b0 Raw Audit Messages type=AVC msg=audit(1469719052.197:237): avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/chr" dev="tmpfs" ino=8901 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=chr_file permissive=1 Hash: systemd,init_t,init_var_run_t,chr_file,getattr Version-Release number of selected component: selinux-policy-3.13.1-204.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.0-2.fc25.x86_64 type: libreport
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1
This issue is still present. The system journal reports ".. systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied" when booted in enforcing mode but the alert is -not- reported by the SELinux Troubleshooter utility any longer. The file attributes of file /run/systemd/inaccessible/chr differ between enforcing mode and permissive mode, respectively. File attributes 'ls -lZ /run/systemd/inaccessible/chr' in enforcing mode: b---------. 1 root root system_u:object_r:tmpfs_t:s0 0, 0 Aug 13 13:01 chr File attributes 'ls -lZ /run/systemd/inaccessible/chr' in permissive mode: b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Aug 13 13:09 chr
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.