Bug 1367280 - SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/systemd/inaccessible/blk.
Summary: SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/sy...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:bd359d4c7dd5dbb65b3aa1d52eb...
: 1364816 1372242 1372776 1374820 (view as bug list)
Depends On:
Blocks: F25FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2016-08-16 06:23 UTC by Kamil Páral
Modified: 2016-09-30 19:03 UTC (History)
38 users (show)

Fixed In Version: selinux-policy-3.13.1-214.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-21 00:36:42 UTC


Attachments (Terms of Use)

Description Kamil Páral 2016-08-16 06:23:51 UTC
Description of problem:
This popped up on me on first boot after a default Workstation Live install (Fedora-Workstation-Live-x86_64-25-20160815.n.2.iso). I just started terminal and ran dnf, nothing else. Not sure whether this occurred before or after.
SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/systemd/inaccessible/blk.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/run/systemd/inaccessible/blk default label should be init_var_run_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /run/systemd/inaccessible/blk

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd should be allowed getattr access on the blk blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /run/systemd/inaccessible/blk [ blk_file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-207.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-0.rc1.git0.1.fc25.x86_64 #1
                              SMP Mon Aug 8 16:20:07 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-08-16 08:09:01 CEST
Last Seen                     2016-08-16 08:09:03 CEST
Local ID                      efe86201-1e0d-47fc-9e89-60ea7470a02d

Raw Audit Messages
type=AVC msg=audit(1471327743.298:166): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=10054 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0


Hash: systemd,init_t,tmpfs_t,blk_file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-207.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc1.git0.1.fc25.x86_64
type:           libreport

Potential duplicate: bug 1364816

Comment 1 Kamil Páral 2016-08-16 06:24:29 UTC
Proposing as a Final blocker:
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#SELinux_and_crash_notifications

Comment 2 Lukas Vrabec 2016-08-16 12:55:41 UTC
Michal, 

How is files: blk,fifo,chr files are created in /run/systemd/inaccessible/ ? 

Thank you.

Comment 3 Lukas Vrabec 2016-08-16 15:20:08 UTC
*** Bug 1364816 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Chmelar 2016-08-16 17:23:17 UTC
Description of problem:
Right after system start

Version-Release number of selected component:
selinux-policy-3.13.1-206.fc26.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc0.git5.1.fc26.x86_64
type:           libreport

Comment 5 Giulio 'juliuxpigface' 2016-08-17 18:13:58 UTC
Description of problem:
I've encountered this after logging into a Gnome session.

Version-Release number of selected component:
selinux-policy-3.13.1-207.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc0.git3.1.fc25.x86_64
type:           libreport

Comment 6 lnie 2016-08-18 07:58:42 UTC
Description of problem:
Do a default installation with workstation-live-20160817;
boot the newly installed system;
this pops up immediately after the login

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc1.git0.1.fc25.x86_64
type:           libreport

Comment 7 Geoffrey Marr 2016-08-22 22:20:36 UTC
Discussed during the 2016-08-22 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made as it is a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-08-22/f25-blocker-review.2016-08-22-16.00.txt

Comment 8 Joachim Frieben 2016-08-24 10:35:56 UTC
Description of problem:
Alert appears after booting from Fedora-Workstation-Live-x86_64-25_Alpha-1.1.

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

Comment 9 Fedora Update System 2016-08-25 18:21:00 UTC
selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-cbdde50ec4

Comment 10 Alex 2016-08-25 21:37:18 UTC
This is still happening with new package:
> rpm -qa|grep selinux
rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64
libselinux-utils-2.5-11.fc25.x86_64
libselinux-2.5-11.fc25.i686
docker-selinux-1.12.1-6.git49151a1.fc25.x86_64
libselinux-python3-2.5-11.fc25.x86_64
libselinux-devel-2.5-11.fc25.x86_64
selinux-policy-targeted-3.13.1-211.fc25.noarch
selinux-policy-3.13.1-211.fc25.noarch
libselinux-2.5-11.fc25.x86_64

Comment 11 Emerson Santos 2016-08-26 17:23:50 UTC
Description of problem:
On firt boot

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.i686+PAE
type:           libreport

Comment 12 Christian Stadelmann 2016-08-28 16:32:26 UTC
Description of problem:
This alert happened when booting a 2016-08-27 workstation live iso image.

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

Comment 13 Mikhail 2016-08-30 16:58:36 UTC
Description of problem:
Just launch Fedora from live USB

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

Comment 14 José Matos 2016-08-30 18:51:58 UTC
Description of problem:
Boot into f25 after upgrade

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

Comment 15 Mikhail 2016-08-30 20:20:16 UTC
Description of problem:
install Fedora 25 Alpha

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

Comment 16 Michal Sekletar 2016-08-31 08:16:36 UTC
(In reply to Lukas Vrabec from comment #2)
> Michal, 
> 
> How is files: blk,fifo,chr files are created in /run/systemd/inaccessible/ ? 
> 
> Thank you.

Sorry, for the long delay. I've missed this one. 

These files are created in mount_setup function [1]. If you put rd.break on kernel command line you could see that systemd will create them already while in initrd. But after switch root to the real root fs, systemd is re-executed and mount_setup function is run again, this time with loaded SELinux policy. Files already exists and they should get relabeled. systemd will attempt to create them once more but all those mknod and mkdir calls [2] should just fail with EEXIST, but we don't check for error in this case.

[1]https://github.com/systemd/systemd/blob/2056ec192742d45aa72a851dbd22ad1fe0bc91a2/src/core/mount-setup.c#L359
[2]https://github.com/systemd/systemd/blob/2056ec192742d45aa72a851dbd22ad1fe0bc91a2/src/core/mount-setup.c#L409

I see no problems here wrt. systemd as it does explicit relabel on files that were created in initrd.

Comment 17 krdondon 2016-09-02 15:40:43 UTC
*** Bug 1372776 has been marked as a duplicate of this bug. ***

Comment 18 Alexsander Maciel 2016-09-03 13:35:43 UTC
Description of problem:
foi feito as atualizações e o upgrade do fedora 24 para o 25 , começou aparecer o erro

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.i686+PAE
type:           libreport

Comment 19 Viorel Tabara 2016-09-05 03:05:42 UTC
The update didn't fix this.


   [root@omiday ~]# rpm -q selinux-policy
   selinux-policy-3.13.1-211.fc25.noarch
   

   [root@omiday ~]# last -n1 reboot
   reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

   wtmp begins Mon Jul 25 17:00:39 2016


   [root@omiday ~]# ausearch -m avc -ts 23:48 | grep "{ getattr }"
   type=AVC msg=audit(1472968121.957:143): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0


Related boot logs:

   Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
   Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
   Sep 03 23:48:39 omiday.can.local kernel: SELinux:  8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
   Sep 03 23:48:39 omiday.can.local kernel: SELinux:  94 classes, 105642 rules
   Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission validate_trans in class security not defined in policy.
   Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission module_load in class system not defined in policy.
   Sep 03 23:48:39 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
   Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Completing initialization.
   Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Setting up existing superblocks.
   Sep 03 23:48:39 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 76.855ms.
   Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
   Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
   Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
   Sep 03 23:48:39 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.613ms.
   Sep 03 23:48:39 omiday.can.local systemd-journald[1093]: Journal started
   Sep 03 23:48:39 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
   Sep 03 23:48:39 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
   Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
   Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
   Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
   Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0

Comment 20 Jeremy Cline 2016-09-05 14:31:57 UTC
Description of problem:
After upgrading to the latest updates in F25 updates-testing I started seeing this SELinux denial.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 21 pavel raur 2016-09-07 13:04:02 UTC
Description of problem:
Happened when I was in gnome-control-center seting up privacy.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 22 Giulio 'juliuxpigface' 2016-09-09 07:35:34 UTC
Description of problem:
I've found this right after loggin' in to a Xfce session (Fedora Workstation x86_64, as qemu-guest).

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 23 Dagan McGregor 2016-09-10 06:38:31 UTC
Along with Comment 19, also other messages in the boot log

[   12.894023] systemd[1]: Successfully loaded SELinux policy in 97.592ms.
[   12.920799] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
[   12.921457] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
[   12.922162] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
[   12.922977] systemd[1]: Relabelled /dev and /run in 18.814ms.

Comment 24 Dagan McGregor 2016-09-10 06:40:13 UTC
[ardrigh@ardrigh ~]$ uname -a
Linux ardrigh 4.8.0-0.rc5.git1.1.fc25.x86_64 #1 SMP Tue Sep 6 15:52:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

[ardrigh@ardrigh ~]$ rpm -qa | grep selinux
rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64
selinux-policy-targeted-3.13.1-211.fc25.noarch
libselinux-utils-2.5-11.fc25.x86_64
libselinux-python3-2.5-11.fc25.x86_64
libselinux-2.5-11.fc25.x86_64
selinux-policy-3.13.1-211.fc25.noarch

[ardrigh@ardrigh ~]$ rpm -qa | grep systemd
systemd-231-4.fc25.x86_64
python-systemd-doc-231-6.fc25.x86_64
systemd-libs-231-4.fc25.x86_64
rpm-plugin-systemd-inhibit-4.13.0-0.rc1.46.fc25.x86_64
systemd-pam-231-4.fc25.x86_64
systemd-container-231-4.fc25.x86_64
systemd-udev-231-4.fc25.x86_64
python3-systemd-231-6.fc25.x86_64

Comment 25 Chris Murphy 2016-09-10 17:43:45 UTC
*** Bug 1374820 has been marked as a duplicate of this bug. ***

Comment 26 Lukas Slebodnik 2016-09-10 18:20:03 UTC
[root@host ~]# ausearch -m avc -i -ts today | tail
----
type=AVC msg=audit(09/10/2016 14:58:20.785:1774) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 
----
type=AVC msg=audit(09/10/2016 14:58:42.825:1776) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 
----
type=AVC msg=audit(09/10/2016 15:37:10.051:1842) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 
----
type=AVC msg=audit(09/10/2016 15:38:28.221:1845) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 
----
type=AVC msg=audit(09/10/2016 20:07:30.499:1964) : avc:  denied  { getattr } for  pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0


I can reproduce it with restarting NetworkManager or wifi change.

Comment 27 Lukas Slebodnik 2016-09-10 21:37:54 UTC
Actually, I am not sure whether bug is in selinux-policy.

sh-4.3# ls -lZ /run/systemd/inaccessible/blk
b---------. 1 root root system_u:object_r:tmpfs_t:s0 0, 0 Sep 10 23:30 /run/systemd/inaccessible/blk
sh-4.3# 
sh-4.3# matchpathcon /run/systemd/inaccessible/blk
/run/systemd/inaccessible/blk   system_u:object_r:init_var_run_t:s0

AVC is gone after restoring context. However, it is on tmpfs and file has wrong SELinux context after reboot.
So workaround for annoying AVCs is: 
  restorecon -v /run/systemd/inaccessible/bl

Comment 28 Lukas Slebodnik 2016-09-10 21:38:18 UTC
Actually, I am not sure whether bug is in selinux-policy.

sh-4.3# ls -lZ /run/systemd/inaccessible/blk
b---------. 1 root root system_u:object_r:tmpfs_t:s0 0, 0 Sep 10 23:30 /run/systemd/inaccessible/blk
sh-4.3# 
sh-4.3# matchpathcon /run/systemd/inaccessible/blk
/run/systemd/inaccessible/blk   system_u:object_r:init_var_run_t:s0

AVC is gone after restoring context. However, it is on tmpfs and file has wrong SELinux context after reboot.
So workaround for annoying AVCs is: 
  restorecon -v /run/systemd/inaccessible/blk

Comment 29 Pavlo Rudyi 2016-09-12 05:58:30 UTC
Description of problem:
1. Just boot F26.

Version-Release number of selected component:
selinux-policy-3.13.1-210.fc26.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git3.2.fc26.x86_64
type:           libreport

Comment 30 Fedora Update System 2016-09-13 18:11:48 UTC
selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 Chris Murphy 2016-09-14 01:09:00 UTC
*** Bug 1372242 has been marked as a duplicate of this bug. ***

Comment 32 Dagan McGregor 2016-09-14 01:44:56 UTC
I don't believe this is fixed. I am still getting these errors after updating.

$ dmesg | grep -i selinux
[    0.040503] SELinux:  Initializing.
[    0.040516] SELinux:  Starting in permissive mode
[    1.053015] SELinux:  Registering netfilter hooks
[    1.662351] systemd[1]: systemd 231 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
[   12.655254] SELinux: 32768 avtab hash slots, 105705 rules.
[   12.686218] SELinux: 32768 avtab hash slots, 105705 rules.
[   12.707473] SELinux:  8 users, 14 roles, 5047 types, 305 bools, 1 sens, 1024 cats
[   12.707475] SELinux:  94 classes, 105705 rules
[   12.709766] SELinux:  Permission validate_trans in class security not defined in policy.
[   12.709772] SELinux:  Permission module_load in class system not defined in policy.
[   12.709822] SELinux: the above unknown classes and permissions will be allowed
[   12.709825] SELinux:  Completing initialization.
[   12.709825] SELinux:  Setting up existing superblocks.
[   12.718944] systemd[1]: Successfully loaded SELinux policy in 93.656ms.
[   12.742385] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
[   12.742440] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
[   12.742548] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied


$ rpm -qa | grep selinux
rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64
libselinux-utils-2.5-11.fc25.x86_64
selinux-policy-targeted-3.13.1-212.fc25.noarch
libselinux-python3-2.5-11.fc25.x86_64
libselinux-2.5-11.fc25.x86_64
selinux-policy-3.13.1-212.fc25.noarch

Comment 33 Kamil Páral 2016-09-14 08:39:22 UTC
Reopening per comment 32, we need additional works/doesn't work verification.

Comment 34 Kamil Páral 2016-09-14 08:53:29 UTC
Yeah, I'm also still seeing this during boot with -211.

Comment 35 Zdenek Chmelar 2016-09-14 13:09:26 UTC
Description of problem:
appreared during kernel testing

Version-Release number of selected component:
selinux-policy-3.13.1-210.fc26.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git4.1.fc26.x86_64
type:           libreport

Comment 37 Fedora Update System 2016-09-15 17:23:09 UTC
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 38 Fedora Update System 2016-09-16 01:23:37 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 39 Seppo Yli-Olli 2016-09-17 10:43:30 UTC
Description of problem:
Reproduces always after bootup and login. Restorecon was attempted and was ineffective; problem reproduced immediately after running restorecon

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc5.git1.1.fc25.x86_64
type:           libreport

Comment 40 Kamil Páral 2016-09-19 14:51:45 UTC
selinux-policy-3.13.1-214.fc25 seems to fix this issue.

Comment 41 Fedora Update System 2016-09-21 00:36:42 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.