Description of problem:
SELinux is preventing (ostnamed) from 'mounton' accesses on the directory /proc/irq.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (ostnamed) should be allowed mounton access on the irq directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(ostnamed)' --raw | audit2allow -M my-ostnamed
# semodule -X 300 -i my-ostnamed.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:sysctl_irq_t:s0
Target Objects                /proc/irq [ dir ]
Source                        (ostnamed)
Source Path                   (ostnamed)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-222.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-1.fc26.x86_64 #1 SMP Mon Oct 3 14:09:56 UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-11-04 19:15:31 CET
Last Seen                     2016-11-04 22:00:41 CET
Local ID                      e515b0ae-36d7-4120-9a82-cd045650911e

Raw Audit Messages
type=AVC msg=audit(1478293241.618:1111): avc: denied { mounton } for pid=4004 comm="(-localed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0

Hash: (ostnamed),init_t,sysctl_irq_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-222.fc26.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-1.fc26.x86_64
type:           libreport
Description of problem:
Installed Fedora-Workstation-Live-x86_64-Rawhide-20170110.n.0.iso. As soon as the system booted the first time, this SELinux denial alert was issued.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git0.1.fc26.x86_64
type:           libreport
Proposed as a Blocker for 26-final by Fedora user coremodule using the blocker tracking app because: This bug violates the following F26 Final criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."
Description of problem:
Updated Rawhide 26. AVC regarding truncated 'ostnamed' after logging in.
Duplicate of 1392161. Looks like 1361809, 1367292.
Last comment on 1367292 said "If problems still persist, please make note of it in this bug report."

Version-Release number of selected component:
selinux-policy-3.13.1-231.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc2.git4.1.fc26.x86_64
type:           libreport
And attached audit log with permissive mode:

type=AVC msg=audit(1484227039.425:11726): avc: denied { mounton } for pid=19024 comm="(ostnamed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1484227039.425:11727): avc: denied { mounton } for pid=19024 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1484227039.463:11728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nearly every openQA test is running into this in recent composes. +1 blocker.
+1 blocker
Description of problem:
Simply booted a freshly installed Rawhide VM and logged in.

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc3.git4.1.fc26.x86_64
type:           libreport
The AVC is generated because systemd-hostnamed.service has the option ProtectKernelTunables set to yes. If this option is enabled for the service then systemd will disable the sysctl syscall by installing a seccomp filter. Also the service will be spawned in its own mount namespace where some filesystem paths that are otherwise writable by root will become read-only. This is done by recursively bind mounting those paths into the same locations and then remounting the bind mounts as read-only. If you want to get rid of the AVC then either allow systemd to do the remounting or remove ProtectKernelTunables=yes from systemd-hostnamed.service. Note that the localed, resolved, timesyncd and timedated unit files also contain the ProtectKernelTunables=yes option. I think it would make sense to adjust our SELinux policy because otherwise services can't take full advantage of this new systemd security feature.
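As an added illustration (not part of this bug report, and not the code of setroubleshoot or audit2allow), the following Python takes the AVC records quoted in the permissive-mode audit log and the first report above and aggregates them the way `audit2allow -M` does: into `allow` rules keyed on the source type, target type and object class, rather than on the truncated `comm`, which differs between the two reports ("(-localed)" versus "(ostnamed)") and so would be missed by `ausearch -c '(ostnamed)'`. It also separates denials that were actually enforced (`permissive=0`) from those merely logged in permissive mode. The sample audit text is constructed from the lines quoted in this thread; the function names and the `.te` rendering are my own.

```python
import re

# Constructed sample input: the AVC records quoted in this bug (the enforcing-mode
# one from the first report and the permissive-mode pair from the attached audit
# log) plus the unrelated SERVICE_START record that follows them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1478293241.618:1111): avc: denied { mounton } for pid=4004 comm="(-localed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484227039.425:11726): avc: denied { mounton } for pid=19024 comm="(ostnamed)" path="/proc/irq" dev="proc" ino=4026531858 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1484227039.425:11727): avc: denied { mounton } for pid=19024 comm="(ostnamed)" path="/proc/mtrr" dev="proc" ino=4026531973 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1484227039.463:11728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Fields every AVC record carries; the "{ perms }" set may list several permissions.
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def _field(line, key):
    """Value of key=... on an audit line, quoted ("(ostnamed)") or bare (permissive=0)."""
    m = re.search(r'\b%s=(?:"([^"]*)"|(\S+))' % key, line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_avc(line):
    """Split one audit line into the fields that matter for policy; None if not an AVC."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # SELinux contexts are user:role:type[:range]; allow rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    for key in ("comm", "path", "permissive"):
        rec[key] = _field(line, key)
    return rec


def collect_denials(audit_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    grouped = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        grouped.setdefault(key, set()).update(rec["perms"])
    return grouped


def _perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rules(grouped):
    """One 'allow S T:C perms;' statement per group, in a stable order."""
    return ["allow %s %s:%s %s;" % (s, t, c, _perm_str(p))
            for (s, t, c), p in sorted(grouped.items())]


def policy_module(name, grouped):
    """Render a .te source of the shape 'audit2allow -M name' writes (my rendering)."""
    types = sorted({s for s, _, _ in grouped} | {t for _, t, _ in grouped})
    classes = {}
    for (_, _, c), p in grouped.items():
        classes.setdefault(c, set()).update(p)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, _perm_str(classes[c])) for c in sorted(classes)]
    lines += ["}", ""]
    lines += allow_rules(grouped)
    return "\n".join(lines) + "\n"


def blocked(audit_text):
    """Denials that were really enforced (permissive=0), as (comm, path) pairs."""
    return [(r["comm"], r["path"]) for r in map(parse_avc, audit_text.splitlines())
            if r and r["verdict"] == "denied" and r["permissive"] == "0"]


if __name__ == "__main__":
    grouped = collect_denials(SAMPLE_AUDIT)
    print(policy_module("my-ostnamed", grouped))
    print("enforced denials:", blocked(SAMPLE_AUDIT))
```

On the sample this yields two rules, `allow init_t sysctl_irq_t:dir mounton;` and `allow init_t mtrr_device_t:file mounton;`, which is what the policy fix has to cover for the bind-mount-then-remount step Michal describes; only the first report's /proc/irq denial was enforced, the permissive-mode pair was logged without blocking anything.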
(In reply to Adam Williamson from comment #5)
> Nearly every openQA test is running into this in recent composes. +1 blocker.

(In reply to Stephen Gallagher from comment #6)
> +1 blocker

It's super nice that you gave +1 for a harmless AVC bug. IMHO there are different bugs which should get blocker. (BZ1413075 and maybe related/duplicate BZ1413047)
It's hard to know which one is at fault, but SELinux is preventing the system from working *at all* on Fedora 26/Rawhide right now. This looked likely to be the culprit. If this one is indeed harmless and the problem is elsewhere, please advise.
I can see this AVC even on older kernel but it does not cause such problem as I reported in different bugs (BZ1413075, BZ1413047).
FWIW, filesystem paths that systemd may try to remount due to use of new security related features can be found in respective tables here, https://github.com/systemd/systemd/blob/master/src/core/namespace.c
Michal, Thank you. Fixed. Build will be available ASAP.
Any news on that build?
commit 08645ba5ed6467bee8218bec32015ef4f1c70fa0
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 17 17:47:55 2017 +0100

    Allow systemd using ProtectKernelTunables security feature.
    BZ(1392161)
Adam, Issue is fixed here: https://koji.fedoraproject.org/koji/buildinfo?buildID=834475
I think that this change caused another bug @see BZ1418682
Discussed during the 2017-02-13 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker, as it violates the following Final criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-13/f26-blocker-review.2017-02-13-18.01.txt
A similar AVC still shows up in Fedora-Rawhide-20170214.n.0 testing, e.g.: https://openqa.fedoraproject.org/tests/56815#step/_console_avc_crash/9 - it now seems to be complaining about /proc/mtrr.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
There's another report for the /proc/mtrr one: https://bugzilla.redhat.com/show_bug.cgi?id=1411360 so let's close this.