Description of problem:
SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-12-06 20:53:18 CET
Last Seen                     2016-12-06 20:53:18 CET
Local ID                      f61f5e4e-a165-4724-b45e-0d96921bfe31

Raw Audit Messages
type=AVC msg=audit(1481053998.273:283): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.12-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1459076
*** Bug 1515990 has been marked as a duplicate of this bug. ***
Description of problem:
Trying to start the docker service using the command systemctl start docker.service

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.16-302.fc27.x86_64
type:           libreport
Hi,

Could you attach output of:

# ps -efZ | grep unconfined_service_t

Thanks.
As requested, here are the details -

[root@ideapad ~]# ps -efZ | grep unconfined_service_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9225 9191 0 10:47 pts/1 00:00:00 grep --color=auto unconfined_service_t
Hmm, I don't see any service running as unconfined_service_t. Are you able to reproduce the AVC?
Issuing the command 'systemctl start docker.service' as a sudo user, I got the AVC again.
-----------------------------------------------------------------------
SELinux is preventing systemd-logind from unlink access on the file ora_XE_32768_66.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-logind should be allowed unlink access on the ora_XE_32768_66 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:initrc_state_t:s0
Target Objects                ora_XE_32768_66 [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          ideapad
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ideapad
Platform                      Linux ideapad 4.14.5-300.fc27.x86_64 #1 SMP Mon Dec 11 16:00:36 UTC 2017 x86_64 x86_64
Alert Count                   1791
First Seen                    2017-11-19 20:33:58 EST
Last Seen                     2017-12-18 07:31:55 EST
Local ID                      65edb0ed-3569-4b8f-bdec-7e62049d2bd2

Raw Audit Messages
type=AVC msg=audit(1513600315.683:382): avc: denied { unlink } for pid=1010 comm="systemd-logind" name="ora_XE_32768_66" dev="tmpfs" ino=29798 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file permissive=0

Hash: systemd-logind,systemd_logind_t,initrc_state_t,file,unlink
-----------------------------------------------------------------------
And this time around I was able to get something different as the output for the command you had requested -

system_u:system_r:unconfined_service_t:s0 root 909 1 0 07:29 ? 00:00:02 /usr/libexec/docker/docker-containerd-current --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim-current --start-timeout 2m
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7329 6771 0 21:57 pts/1 00:00:00 grep --color=auto unconfined_service_t
-----------------------------------------------------------------------
Please note, it's quite possible that with the docker/kubernetes package still not verified with Fedora 27 I'm encountering the error.
Godfrey,

What is output of command:

# rpm -q container-selinux

If this package is not installed please install it and try to reproduce the issue.

Also please add output of:

# ls -Z /usr/libexec/docker/docker-containerd-current
# semodule -lfull | grep container

Thanks,
Lukas.
The container-selinux seems to be installed -

[root@ideapad ~]# rpm -q container-selinux
container-selinux-2.36-1.fc27.noarch

As requested here is the output of the other two commands -

[root@ideapad ~]# ls -Z /usr/libexec/docker/docker-containerd-current
system_u:object_r:bin_t:s0 /usr/libexec/docker/docker-containerd-current

[root@ideapad ~]# semodule -lfull | grep container
200 container pp
Please use:

# semanage fcontext -a -t container_runtime_exec_t /usr/libexec/docker/docker-containerd-current
# restorecon -v /usr/libexec/docker/docker-containerd-current

It looks like in F27 there is no labeling for docker-containerd-current, but in Rawhide it looks fine. Guys, could you backport it?

Thanks,
Lukas.
I think we have labeling for those

# matchpathcon /usr/libexec/docker/docker-*
/usr/libexec/docker/docker-containerd-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-containerd-shim-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-ctr-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-init-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-proxy-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-runc-current	system_u:object_r:container_runtime_exec_t:s0

# ls -lZ /usr/libexec/docker/docker-*
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 7885728 Nov 17 10:26 /usr/libexec/docker/docker-containerd-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 1919840 Nov 17 10:26 /usr/libexec/docker/docker-containerd-shim-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 7290360 Nov 17 10:26 /usr/libexec/docker/docker-ctr-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0  781904 Nov 17 10:25 /usr/libexec/docker/docker-init-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 1707240 Nov 17 10:26 /usr/libexec/docker/docker-proxy-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 5189024 Nov 17 10:26 /usr/libexec/docker/docker-runc-current

# rpm -q container-selinux
container-selinux-2.36-1.fc27.noarch

# grep /usr/libexec/docker /etc/selinux/targeted/contexts/files/file_contexts
/usr/libexec/docker/.*	--	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker.*	--	system_u:object_r:container_runtime_exec_t:s0
Godfrey, can you reinstall container-selinux

dnf reinstall container-selinux
matchpathcon /usr/libexec/docker/*
Daniel,

That did not help. Here is the AVC update that got in the SELinux Alert Browser -
--------
SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ideapad
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ideapad
Platform                      Linux ideapad 4.14.6-300.fc27.x86_64 #1 SMP Thu Dec 14 15:31:24 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-12-21 07:18:58 EST
Last Seen                     2017-12-21 07:20:20 EST
Local ID                      3c4369fa-79e5-42da-b91e-13300956728c

Raw Audit Messages
type=AVC msg=audit(1513858820.772:511): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create
---------
Trying to generate the policy rule --

[root@ideapad ~]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@ideapad ~]# semodule -X 300 -i my-systemd.pp
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
semodule: Failed on my-systemd.pp!
[root@ideapad ~]# systemctl start docker.service A dependency job for docker.service failed. See 'journalctl -xe' for details.
What is the output of matchpathcon /usr/libexec/docker/*
[root@ideapad ~]# matchpathcon /usr/libexec/docker/*
/usr/libexec/docker/docker-containerd-current	system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-containerd-shim-current	system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-ctr-current	system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-init-current	system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-proxy-current	system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-runc-current	system_u:object_r:bin_t:s0
/usr/libexec/docker/rhel-push-plugin	system_u:object_r:bin_t:s0
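Added example (not code from any participant in this bug): it parses the raw AVC record quoted in the report and compares the reporter's matchpathcon output against the maintainer's, the same diagnosis the thread does by hand. The sample inputs are constructed from the outputs pasted above; the classification of an init_t -> unconfined_service_t denial as a labeling problem follows the maintainers' reasoning in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the raw AVC quoted in this bug (pid=1, comm="systemd").
AVC_LINE = ('type=AVC msg=audit(1513858820.772:511): avc: denied { create } for pid=1 '
            'comm="systemd" scontext=system_u:system_r:init_t:s0 '
            'tcontext=system_u:system_r:unconfined_service_t:s0 '
            'tclass=unix_stream_socket permissive=0')

# Constructed matchpathcon output (path<TAB>context): the reporter's host, where
# the docker binaries fall back to bin_t, versus a healthy host.
HOST_MATCHPATHCON = (
    "/usr/libexec/docker/docker-containerd-current\tsystem_u:object_r:bin_t:s0\n"
    "/usr/libexec/docker/docker-runc-current\tsystem_u:object_r:bin_t:s0\n"
    "/usr/libexec/docker/docker-proxy-current\tsystem_u:object_r:container_runtime_exec_t:s0\n")
REFERENCE_MATCHPATHCON = (
    "/usr/libexec/docker/docker-containerd-current\tsystem_u:object_r:container_runtime_exec_t:s0\n"
    "/usr/libexec/docker/docker-runc-current\tsystem_u:object_r:container_runtime_exec_t:s0\n"
    "/usr/libexec/docker/docker-proxy-current\tsystem_u:object_r:container_runtime_exec_t:s0\n")


def parse_avc(line: str) -> Dict[str, str]:
    """Split an audit AVC record into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r'denied\s*\{([^}]*)\}', line)
    fields['perms'] = ' '.join(m.group(1).split()) if m else ''
    return fields


def se_type(context: str) -> str:
    """user:role:type[:range] -> type; index, because an MLS range may itself contain colons."""
    return context.split(':')[2]


def classify_denial(avc: Dict[str, str]) -> str:
    """A confined domain refused access to an unconfined_service_t peer usually means the
    peer's executable is mislabeled (bin_t), so init_t ran it with no domain transition;
    the fix is correct labeling, not an audit2allow module that allows the access."""
    return ('mislabeled-service-binary' if se_type(avc['tcontext']) == 'unconfined_service_t'
            else 'policy-gap')


def label_mismatches(host: str, reference: str) -> List[Tuple[str, str, str]]:
    """Paths whose type on this host differs from what the reference policy expects."""
    def types(out: str) -> Dict[str, str]:
        return {p: se_type(c) for p, c in (ln.split('\t', 1) for ln in out.splitlines() if ln)}
    actual, expected = types(host), types(reference)
    return [(p, actual[p], expected[p]) for p in sorted(actual)
            if p in expected and actual[p] != expected[p]]


def remediation(mismatches: List[Tuple[str, str, str]]) -> List[str]:
    """matchpathcon only reads file_contexts, so a wrong answer there means the module
    shipping the rule never installed: reinstall it (watch for semodule errors), then relabel."""
    if not mismatches:
        return []
    return (['dnf reinstall container-selinux   # must finish without semodule errors'] +
            [f'restorecon -v {p}   # {a} -> {e}' for p, a, e in mismatches])
```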
I receive the same AVC whenever I run the fedora kernel-tests. Nothing here remotely related to docker.
And when you executed dnf reinstall container-selinux do you see any errors?
[root@ideapad ~]# dnf reinstall container-selinux
Last metadata expiration check: 1:41:37 ago on Thu 21 Dec 2017 05:29:13 AM EST.
Dependencies resolved.
================================================================================
 Package                 Arch       Version            Repository      Size
================================================================================
Reinstalling:
 container-selinux       noarch     2:2.36-1.fc27      updates         36 k

Transaction Summary
================================================================================

Total download size: 36 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.36-1.fc27.noarch.rpm                70 kB/s |  36 kB     00:00
--------------------------------------------------------------------------------
Total                                                   27 kB/s |  36 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Reinstalling     : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 1/2
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
/usr/sbin/semodule: Failed on /usr/share/selinux/packages/container.pp.bz2!
  Erasing          : container-selinux-2:2.36-1.fc27.noarch                 2/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 2/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                 2/2

Reinstalled:
  container-selinux.noarch 2:2.36-1.fc27

Complete!
So that is the issue: for some reason container-selinux is failing to install. Lukas, do you have any idea what is going on here?
(In reply to Godfrey from comment #12)
> [root@ideapad ~]# semodule -X 300 -i my-systemd.pp
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox
> /var/lib/selinux/targeted/tmp. (Input/output error).
> semodule: Failed on my-systemd.pp!

Something in /var/lib/selinux seems to be broken.

EIO  A low-level I/O error occurred while modifying the inode. This error may relate to the write-back of data written by an earlier write(2), which may have been issued to a different file descriptor on the same file. Since Linux 4.13, errors from write-back come with a promise that they may be reported by subsequent write(2) requests, and will be reported by a subsequent fsync(2) (whether or not they were also reported by write(2)).

Is there a /var/lib/selinux/targeted/tmp directory in your filesystem? If it's there, try to remove it and run the reinstall again.
No tmp directory in the targeted folder -

[root@ideapad ~]# ls -ltr /var/lib/selinux/targeted/tmp
ls: cannot access '/var/lib/selinux/targeted/tmp': No such file or directory

[root@ideapad ~]# ls -ltr /var/lib/selinux/targeted
total 4
-rw-------. 1 root root    0 Nov 21 11:05 semanage.trans.LOCK
-rw-------. 1 root root    0 Nov 21 11:05 semanage.read.LOCK
drwx------. 3 root root 4096 Nov 29 20:09 active

I created the /var/lib/selinux/targeted/tmp directory to check if that may be the reason, but reinstalling seems to be removing that directory and again causing it to fail -

Running transaction
  Preparing        :                                                        1/1
  Reinstalling     : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 1/2
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
/usr/sbin/semodule: Failed on /usr/share/selinux/packages/container.pp.bz2!
  Erasing          : container-selinux-2:2.36-1.fc27.noarch                 2/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 2/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch
Description of problem:
I ran Fedora kernel tests from the command line.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.8-300.fc27.x86_64
type:           libreport
container-selinux-2.39-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2
container-selinux-2.39-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9
container-selinux-2.39-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2
container-selinux-2.39-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9
container-selinux-2.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3
container-selinux-2.40-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd
container-selinux-2.41-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3
container-selinux-2.42-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1539213

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.23.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.i686+PAE
type:           libreport
Description of problem:
Occurred at boot time

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport