Description of problem: This popped up on me on first boot after a default Workstation Live install (Fedora-Workstation-Live-x86_64-25-20160815.n.2.iso). I just started terminal and ran dnf, nothing else. Not sure whether this occurred before or after. SELinux is preventing systemd from 'getattr' accesses on the blk_file /run/systemd/inaccessible/blk. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/systemd/inaccessible/blk default label should be init_var_run_t. Then you can run restorecon. Do # /sbin/restorecon -v /run/systemd/inaccessible/blk ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that systemd should be allowed getattr access on the blk blk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects /run/systemd/inaccessible/blk [ blk_file ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-207.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.0-0.rc1.git0.1.fc25.x86_64 #1 SMP Mon Aug 8 16:20:07 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-08-16 08:09:01 CEST Last Seen 2016-08-16 08:09:03 CEST Local ID efe86201-1e0d-47fc-9e89-60ea7470a02d Raw Audit Messages type=AVC msg=audit(1471327743.298:166): avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=10054 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 Hash: systemd,init_t,tmpfs_t,blk_file,getattr Version-Release number of selected component: selinux-policy-3.13.1-207.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc1.git0.1.fc25.x86_64 type: libreport Potential duplicate: bug 1364816
Proposing as a Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. " https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#SELinux_and_crash_notifications
Michal, How is files: blk,fifo,chr files are created in /run/systemd/inaccessible/ ? Thank you.
*** Bug 1364816 has been marked as a duplicate of this bug. ***
Description of problem: Right after system start Version-Release number of selected component: selinux-policy-3.13.1-206.fc26.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc0.git5.1.fc26.x86_64 type: libreport
Description of problem: I've encountered this after logging into a Gnome session. Version-Release number of selected component: selinux-policy-3.13.1-207.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc0.git3.1.fc25.x86_64 type: libreport
Description of problem: Do a default installation with workstation-live-20160817; boot the newly installed system; this pops up immediately after the login Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc1.git0.1.fc25.x86_64 type: libreport
Discussed during the 2016-08-22 blocker review meeting: [1] The decision to classify this bug as an AcceptedBlocker was made as it is a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-08-22/f25-blocker-review.2016-08-22-16.00.txt
Description of problem: Alert appears after booting from Fedora-Workstation-Live-x86_64-25_Alpha-1.1. Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-cbdde50ec4
This is still happening with new package: > rpm -qa|grep selinux rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64 libselinux-utils-2.5-11.fc25.x86_64 libselinux-2.5-11.fc25.i686 docker-selinux-1.12.1-6.git49151a1.fc25.x86_64 libselinux-python3-2.5-11.fc25.x86_64 libselinux-devel-2.5-11.fc25.x86_64 selinux-policy-targeted-3.13.1-211.fc25.noarch selinux-policy-3.13.1-211.fc25.noarch libselinux-2.5-11.fc25.x86_64
Description of problem: On firt boot Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.i686+PAE type: libreport
Description of problem: This alert happened when booting a 2016-08-27 workstation live iso image. Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
Description of problem: Just launch Fedora from live USB Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
Description of problem: Boot into f25 after upgrade Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
Description of problem: install Fedora 25 Alpha Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
(In reply to Lukas Vrabec from comment #2) > Michal, > > How is files: blk,fifo,chr files are created in /run/systemd/inaccessible/ ? > > Thank you. Sorry, for the long delay. I've missed this one. These files are created in mount_setup function [1]. If you put rd.break on kernel command line you could see that systemd will create them already while in initrd. But after switch root to the real root fs, systemd is re-executed and mount_setup function is run again, this time with loaded SELinux policy. Files already exists and they should get relabeled. systemd will attempt to create them once more but all those mknod and mkdir calls [2] should just fail with EEXIST, but we don't check for error in this case. [1]https://github.com/systemd/systemd/blob/2056ec192742d45aa72a851dbd22ad1fe0bc91a2/src/core/mount-setup.c#L359 [2]https://github.com/systemd/systemd/blob/2056ec192742d45aa72a851dbd22ad1fe0bc91a2/src/core/mount-setup.c#L409 I see no problems here wrt. systemd as it does explicit relabel on files that were created in initrd.
*** Bug 1372776 has been marked as a duplicate of this bug. ***
Description of problem: foi feito as atualizações e o upgrade do fedora 24 para o 25 , começou aparecer o erro Version-Release number of selected component: selinux-policy-3.13.1-208.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.i686+PAE type: libreport
The update didn't fix this. [root@omiday ~]# rpm -q selinux-policy selinux-policy-3.13.1-211.fc25.noarch [root@omiday ~]# last -n1 reboot reboot system boot 4.8.0-0.rc4.git0 Sat Sep 3 23:48 still running wtmp begins Mon Jul 25 17:00:39 2016 [root@omiday ~]# ausearch -m avc -ts 23:48 | grep "{ getattr }" type=AVC msg=audit(1472968121.957:143): avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 Related boot logs: Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules. Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules. Sep 03 23:48:39 omiday.can.local kernel: SELinux: 8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats Sep 03 23:48:39 omiday.can.local kernel: SELinux: 94 classes, 105642 rules Sep 03 23:48:39 omiday.can.local kernel: SELinux: Permission validate_trans in class security not defined in policy. Sep 03 23:48:39 omiday.can.local kernel: SELinux: Permission module_load in class system not defined in policy. Sep 03 23:48:39 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed Sep 03 23:48:39 omiday.can.local kernel: SELinux: Completing initialization. Sep 03 23:48:39 omiday.can.local kernel: SELinux: Setting up existing superblocks. Sep 03 23:48:39 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 76.855ms. Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied Sep 03 23:48:39 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.613ms. Sep 03 23:48:39 omiday.can.local systemd-journald[1093]: Journal started Sep 03 23:48:39 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 Sep 03 23:48:39 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295 Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc: denied { relabelto } for pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0 Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc: denied { relabelfrom } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0
Description of problem: After upgrading to the latest updates in F25 updates-testing I started seeing this SELinux denial. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
Description of problem: Happened when I was in gnome-control-center seting up privacy. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
Description of problem: I've found this right after loggin' in to a Xfce session (Fedora Workstation x86_64, as qemu-guest). Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
Along with Comment 19, also other messages in the boot log [ 12.894023] systemd[1]: Successfully loaded SELinux policy in 97.592ms. [ 12.920799] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied [ 12.921457] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied [ 12.922162] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied [ 12.922977] systemd[1]: Relabelled /dev and /run in 18.814ms.
[ardrigh@ardrigh ~]$ uname -a Linux ardrigh 4.8.0-0.rc5.git1.1.fc25.x86_64 #1 SMP Tue Sep 6 15:52:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux [ardrigh@ardrigh ~]$ rpm -qa | grep selinux rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64 selinux-policy-targeted-3.13.1-211.fc25.noarch libselinux-utils-2.5-11.fc25.x86_64 libselinux-python3-2.5-11.fc25.x86_64 libselinux-2.5-11.fc25.x86_64 selinux-policy-3.13.1-211.fc25.noarch [ardrigh@ardrigh ~]$ rpm -qa | grep systemd systemd-231-4.fc25.x86_64 python-systemd-doc-231-6.fc25.x86_64 systemd-libs-231-4.fc25.x86_64 rpm-plugin-systemd-inhibit-4.13.0-0.rc1.46.fc25.x86_64 systemd-pam-231-4.fc25.x86_64 systemd-container-231-4.fc25.x86_64 systemd-udev-231-4.fc25.x86_64 python3-systemd-231-6.fc25.x86_64
*** Bug 1374820 has been marked as a duplicate of this bug. ***
[root@host ~]# ausearch -m avc -i -ts today | tail ---- type=AVC msg=audit(09/10/2016 14:58:20.785:1774) : avc: denied { getattr } for pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 ---- type=AVC msg=audit(09/10/2016 14:58:42.825:1776) : avc: denied { getattr } for pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 ---- type=AVC msg=audit(09/10/2016 15:37:10.051:1842) : avc: denied { getattr } for pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 ---- type=AVC msg=audit(09/10/2016 15:38:28.221:1845) : avc: denied { getattr } for pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 ---- type=AVC msg=audit(09/10/2016 20:07:30.499:1964) : avc: denied { getattr } for pid=1 comm=systemd path=/run/systemd/inaccessible/blk dev="tmpfs" ino=11209 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0 I can reproduce it with restarting NetworkManager or wifi change.
Actually, I am not sure whether bug is in selinux-policy. sh-4.3# ls -lZ /run/systemd/inaccessible/blk b---------. 1 root root system_u:object_r:tmpfs_t:s0 0, 0 Sep 10 23:30 /run/systemd/inaccessible/blk sh-4.3# sh-4.3# matchpathcon /run/systemd/inaccessible/blk /run/systemd/inaccessible/blk system_u:object_r:init_var_run_t:s0 AVC is gone after restoring context. However, it is on tmpfs and file has wrong SELinux context after reboot. So workaround for annoying AVCs is: restorecon -v /run/systemd/inaccessible/bl
Actually, I am not sure whether bug is in selinux-policy. sh-4.3# ls -lZ /run/systemd/inaccessible/blk b---------. 1 root root system_u:object_r:tmpfs_t:s0 0, 0 Sep 10 23:30 /run/systemd/inaccessible/blk sh-4.3# sh-4.3# matchpathcon /run/systemd/inaccessible/blk /run/systemd/inaccessible/blk system_u:object_r:init_var_run_t:s0 AVC is gone after restoring context. However, it is on tmpfs and file has wrong SELinux context after reboot. So workaround for annoying AVCs is: restorecon -v /run/systemd/inaccessible/blk
Description of problem: 1. Just boot F26. Version-Release number of selected component: selinux-policy-3.13.1-210.fc26.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git3.2.fc26.x86_64 type: libreport
selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1372242 has been marked as a duplicate of this bug. ***
I don't believe this is fixed. I am still getting these errors after updating. $ dmesg | grep -i selinux [ 0.040503] SELinux: Initializing. [ 0.040516] SELinux: Starting in permissive mode [ 1.053015] SELinux: Registering netfilter hooks [ 1.662351] systemd[1]: systemd 231 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN) [ 12.655254] SELinux: 32768 avtab hash slots, 105705 rules. [ 12.686218] SELinux: 32768 avtab hash slots, 105705 rules. [ 12.707473] SELinux: 8 users, 14 roles, 5047 types, 305 bools, 1 sens, 1024 cats [ 12.707475] SELinux: 94 classes, 105705 rules [ 12.709766] SELinux: Permission validate_trans in class security not defined in policy. [ 12.709772] SELinux: Permission module_load in class system not defined in policy. [ 12.709822] SELinux: the above unknown classes and permissions will be allowed [ 12.709825] SELinux: Completing initialization. [ 12.709825] SELinux: Setting up existing superblocks. [ 12.718944] systemd[1]: Successfully loaded SELinux policy in 93.656ms. [ 12.742385] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied [ 12.742440] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied [ 12.742548] systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied $ rpm -qa | grep selinux rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64 libselinux-utils-2.5-11.fc25.x86_64 selinux-policy-targeted-3.13.1-212.fc25.noarch libselinux-python3-2.5-11.fc25.x86_64 libselinux-2.5-11.fc25.x86_64 selinux-policy-3.13.1-212.fc25.noarch
Reopening per comment 32, we need additional works/doesn't work verification.
Yeah, I'm also still seeing this during boot with -211.
Description of problem: appreared during kernel testing Version-Release number of selected component: selinux-policy-3.13.1-210.fc26.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git4.1.fc26.x86_64 type: libreport
Fix: https://github.com/fedora-selinux/selinux-policy/commit/759e5505129f742e7131f1bd3cbed9d4baab05be
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c
Description of problem: Reproduces always after bootup and login. Restorecon was attempted and was ineffective; problem reproduced immediately after running restorecon Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc5.git1.1.fc25.x86_64 type: libreport
selinux-policy-3.13.1-214.fc25 seems to fix this issue.
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.