Bug 1481376 - selinux prevents cockpit from running
Summary: selinux prevents cockpit from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1481454
TreeView+ depends on / blocked
 
Reported: 2017-08-14 19:02 UTC by Paul Whalen
Modified: 2017-10-31 15:35 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-283.14.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-27 19:11:39 UTC


Attachments (Terms of Use)

Description Paul Whalen 2017-08-14 19:02:19 UTC
Description of problem:
selinux prevents cockpit from running

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-270.fc27.noarch

How reproducible:
everytime

Steps to Reproduce:
1. Install Server using the Fedora-Rawhide-20170811.n.2 compose
2. Attempt to login through the web interface


Actual results:
Web page displaying "Internal Server Error"

Additional info:

ausearch -m avc -ts recent

----
time->Mon Aug 14 14:43:45 2017
type=AVC msg=audit(1502736225.883:586): avc:  denied  { map } for  pid=938 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949477 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 14:43:47 2017
type=AVC msg=audit(1502736227.647:587): avc:  denied  { map } for  pid=939 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949477 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 14:43:48 2017
type=AVC msg=audit(1502736228.023:589): avc:  denied  { map } for  pid=940 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949477 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 14:43:49 2017
type=AVC msg=audit(1502736229.560:594): avc:  denied  { map } for  pid=942 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949477 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissi0
----
time->Mon Aug 14 14:44:17 2017
type=AVC msg=audit(1502736257.040:605): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/etc/ld.so.cache" dev="dm-0" ino=8949477 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permi0
----
time->Mon Aug 14 14:44:17 2017
type=AVC msg=audit(1502736257.183:606): avc:  denied  { read } for  pid=970 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026531942 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissiv0
----
time->Mon Aug 14 14:44:17 2017
type=AVC msg=audit(1502736257.238:607): avc:  denied  { read } for  pid=970 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026531942 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissiv0
----
time->Mon Aug 14 14:44:44 2017
type=AVC msg=audit(1502736284.733:609): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/usr/share/cockpit/static/login.html" dev="dm-0" ino=25488131 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t0
----
time->Mon Aug 14 14:44:44 2017
type=AVC msg=audit(1502736284.805:610): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=657188 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=sy0
----
time->Mon Aug 14 14:44:44 2017
type=AVC msg=audit(1502736284.728:608): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=25488141 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:us0
----
time->Mon Aug 14 14:44:46 2017
type=AVC msg=audit(1502736286.955:611): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=25488141 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:us0
----
time->Mon Aug 14 14:44:46 2017
type=AVC msg=audit(1502736286.960:612): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/usr/share/cockpit/static/login.html" dev="dm-0" ino=25488131 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t0
----
time->Mon Aug 14 14:44:47 2017
type=AVC msg=audit(1502736287.021:613): avc:  denied  { map } for  pid=970 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=657188 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=sy0
----
time->Mon Aug 14 14:47:19 2017
type=AVC msg=audit(1502736439.304:638): avc:  denied  { map } for  pid=1011 comm="plymouthd" path="/etc/ld.so.cache" dev="dm-0" ino=8949477 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permis0
----
time->Mon Aug 14 14:50:38 2017
type=AVC msg=audit(1502736638.462:584): avc:  denied  { map } for  pid=944 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 14:50:40 2017
type=AVC msg=audit(1502736640.121:585): avc:  denied  { map } for  pid=945 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 14:50:40 2017
type=AVC msg=audit(1502736640.529:587): avc:  denied  { map } for  pid=946 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 14:50:41 2017
type=AVC msg=audit(1502736641.712:592): avc:  denied  { map } for  pid=948 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissi0
----
time->Mon Aug 14 14:52:41 2017
type=AVC msg=audit(1502736761.987:602): avc:  denied  { map } for  pid=997 comm="cockpit-ws" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permi0
----
time->Mon Aug 14 14:52:42 2017
type=AVC msg=audit(1502736762.131:603): avc:  denied  { read } for  pid=997 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026531942 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissiv0
----
time->Mon Aug 14 14:52:42 2017
type=AVC msg=audit(1502736762.185:604): avc:  denied  { read } for  pid=997 comm="cockpit-ws" name="cpuinfo" dev="proc" ino=4026531942 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissiv0

When in permissive web interface works as expected.

Comment 1 Jan Kurik 2017-08-15 08:56:03 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 2 Fedora Update System 2017-10-25 10:12:48 UTC
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 3 Fedora Update System 2017-10-27 18:45:35 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 4 Paul Whalen 2017-10-27 19:11:39 UTC
This has been fixed, closing.

Comment 5 Fedora Update System 2017-10-31 15:35:28 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.