This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1468846 - PrivateDevices=true prevents SELinux transition from init_t to daemon domain
PrivateDevices=true prevents SELinux transition from init_t to daemon domain
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
26
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-08 17:11 EDT by Juan Orti
Modified: 2017-07-16 20:29 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Juan Orti 2017-07-08 17:11:27 EDT
Description of problem:
All my services in F26 with PrivateDevices=true fail because the SELinux transition from init_t to the daemon domain is blocked, rendering the PrivateDevices directive unusable.
The services worked in F25, so something has changed between versions.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-259.fc26.noarch
systemd-233-6.fc26.x86_64
kernel-4.11.8-300.fc26.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run a SELinux confined daemon with PrivateDevices=true

Actual results:
Daemon runs with init_t

Expected results:
Daemon process transitions to its own domain

Additional info:
This is an example AVC of amavisd.service in F26:

SELinux is preventing amavisd from ioctl access on the file /usr/sbin/amavisd.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, amavisd debería permitir acceso ioctl sobre amavisd file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
allow this access for now by executing:
# ausearch -c 'amavisd' --raw | audit2allow -M my-amavisd
# semodule -X 300 -i my-amavisd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:antivirus_exec_t:s0
Target Objects                /usr/sbin/amavisd [ file ]
Source                        amavisd
Source Path                   amavisd
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages           amavisd-new-2.11.0-6.fc26.noarch
Policy RPM                    selinux-policy-3.13.1-259.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.11.8-300.fc26.x86_64 #1 SMP Thu Jun
                              29 20:09:48 UTC 2017 x86_64 x86_64
Alert Count                   93
First Seen                    2017-07-08 12:09:18 CEST
Last Seen                     2017-07-08 23:06:09 CEST
Local ID                      c08e43e9-df1b-4f1b-9ede-5557463000a1

Raw Audit Messages
type=AVC msg=audit(1499547969.808:321): avc:  denied  { ioctl } for  pid=3018 comm="amavisd" path="/usr/sbin/amavisd" dev="dm-0" ino=16844128 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=0


Hash: amavisd,init_t,antivirus_exec_t,file,ioctl

Note You need to log in before you can comment on or make changes to this bug.