Description of problem:
SELinux is preventing (imedated) from 'mounton' accesses on the chr_file /run/systemd/unit-root/dev/kmsg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (imedated) should be allowed mounton access on the kmsg chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c "(imedated)" --raw | audit2allow -M my-imedated
# semodule -X 300 -i my-imedated.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                /run/systemd/unit-root/dev/kmsg [ chr_file ]
Source                        (imedated)
Source Path                   (imedated)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.5-16.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.4.0-0.rc6.git0.1.fc32.x86_64 #1 SMP Mon Nov 4 16:37:09 UTC 2019 x86_64 x86_64
Alert Count                   3
First Seen                    2019-11-22 18:09:04 CET
Last Seen                     2019-11-23 09:11:25 CET
Local ID                      0239c08e-0bcb-469c-8549-f37aeacbbb5a

Raw Audit Messages
type=AVC msg=audit(1574496685.631:3117): avc: denied { mounton } for pid=471519 comm="(imedated)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=3080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1

Hash: (imedated),init_t,kmsg_device_t,chr_file,mounton

Version-Release number of selected component:
selinux-policy-3.14.5-16.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.0-0.rc6.git0.1.fc32.x86_64
type:           libreport
*** Bug 1775883 has been marked as a duplicate of this bug. ***
I'm seeing denials like this on openQA tests of today's Rawhide compose, and they seem to be causing all the tests to fail because initial login takes two minutes(!). Journal shows a ton of these denials:

Nov 26 11:17:57 localhost.localdomain audit[744]: AVC avc: denied { mounton } for pid=744 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[745]: AVC avc: denied { mounton } for pid=745 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[748]: AVC avc: denied { mounton } for pid=748 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[749]: AVC avc: denied { mounton } for pid=749 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[752]: AVC avc: denied { mounton } for pid=752 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[753]: AVC avc: denied { mounton } for pid=753 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[756]: AVC avc: denied { mounton } for pid=756 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[757]: AVC avc: denied { mounton } for pid=757 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[760]: AVC avc: denied { mounton } for pid=760 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[761]: AVC avc: denied { mounton } for pid=761 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:17:57 localhost.localdomain audit[784]: AVC avc: denied { mounton } for pid=784 comm="(ostnamed)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:23 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=0
Nov 26 11:18:32 localhost.localdomain audit[922]: AVC avc: denied { mounton } for pid=922 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[923]: AVC avc: denied { mounton } for pid=923 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[926]: AVC avc: denied { mounton } for pid=926 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[927]: AVC avc: denied { mounton } for pid=927 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[930]: AVC avc: denied { mounton } for pid=930 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[931]: AVC avc: denied { mounton } for pid=931 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[934]: AVC avc: denied { mounton } for pid=934 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[935]: AVC avc: denied { mounton } for pid=935 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[938]: AVC avc: denied { mounton } for pid=938 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
Nov 26 11:18:32 localhost.localdomain audit[939]: AVC avc: denied { mounton } for pid=939 comm="(d-logind)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=11340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0

and they seem to cause some systemd errors:

Nov 26 11:18:32 localhost.localdomain systemd[931]: systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev/kmsg: Permission denied
Nov 26 11:18:32 localhost.localdomain systemd[931]: systemd-logind.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-logind: Permission denied

and I think that results in systemd waiting for something for two minutes before timing out:

Nov 26 11:20:32 localhost.localdomain login[901]: pam_systemd(login:session): Failed to create session: Connection timed out
Nov 26 11:20:32 localhost.localdomain login[901]: pam_unix(login:session): session opened for user test by LOGIN(uid=0)

and only after that does the console login actually complete.

Oddly, this doesn't reproduce on a local VM, I'm not sure why not - I don't have these denials there and login works instantly. But it's happening every time in openQA.
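The setroubleshoot advice in the first report (ausearch -c "(imedated)" --raw | audit2allow -M my-imedated) and the flood of near-identical denials in the journal above both reduce to a handful of (source type, target type, object class, permission) tuples. The script below is an added example written for this page; it is not part of the bug report, of setroubleshoot or of selinux-policy. It parses raw AVC records the way the audit2allow front end does, counts the distinct tuples so a flood of per-service forks collapses to one line each, and emits the .te module skeleton that audit2allow -M would build from them. The four sample records are constructed from denials quoted in this bug, and the function names avc_summary and avc_to_te are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): reduce raw AVC
# records to distinct (source type, target type, class, permission) tuples
# and build the audit2allow-style module skeleton from them.

# Constructed sample: four records copied from the denials quoted in this bug.
AVC_SAMPLE='type=AVC msg=audit(1574496685.631:3117): avc: denied { mounton } for pid=471519 comm="(imedated)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=3080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1574878895.838:77): avc: denied { mounton } for pid=619 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1574878895.839:78): avc: denied { getattr } for pid=619 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574878895.840:79): avc: denied { mounton } for pid=619 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1'

# avc_summary: stdin = raw audit.log or journal lines; stdout = one line per
# distinct tuple, "count stype ttype class perm", sorted so the output is stable.
# Both "type=AVC ... avc: denied" and "audit[N]: AVC avc: denied" forms match.
avc_summary() {
    awk '
    /avc: +denied/ {
        st = ""; tt = ""; cl = ""; perm = ""
        # the permission set is the text between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # the type is the third colon-separated field of a context
            if (kv[1] == "scontext") { split(kv[2], p, ":"); st = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tt = p[3] }
            else if (kv[1] == "tclass") cl = kv[2]
        }
        if (st == "" || tt == "" || cl == "") next
        np = split(perm, pl, " ")            # "{ read write }" counts once per permission
        for (j = 1; j <= np; j++) count[st " " tt " " cl " " pl[j]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# avc_to_te MODULE: stdin = avc_summary output; stdout = a .te source in the
# shape "audit2allow -M MODULE" produces: a require block listing every type
# and class used, then one allow rule per (source, target:class) pair.
avc_to_te() {
    awk -v name="$1" '
    {
        types[$2]; types[$3]
        if (!(($4, $5) in seen)) { seen[$4, $5]; cls[$4] = cls[$4] " " $5 }
        key = $2 " " $3 ":" $4
        rule[key] = rule[key] " " $5
    }
    END {
        print "module " name " 1.0;\n"
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in cls) print "\tclass " c " {" cls[c] " };"
        print "}\n"
        for (k in rule) print "allow " k " {" rule[k] " };"
    }'
}

# Stand-alone demo on the constructed sample. On a real box feed it
# "ausearch -m AVC --raw" or "journalctl -k | grep 'avc: denied'" instead.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_summary | avc_to_te my-imedated
```

On the sample this yields two tuples on kmsg_device_t and proc_kmsg_t rather than dozens of lines, and a module containing allow init_t kmsg_device_t:chr_file { mounton }; plus allow init_t proc_kmsg_t:file { getattr mounton };. The .te can be built and loaded with checkmodule -M -m -o my-imedated.mod my-imedated.te, semodule_package -o my-imedated.pp -m my-imedated.mod and the semodule -X 300 -i my-imedated.pp line setroubleshoot suggests. Note what such a rule grants: init_t is systemd itself (the USER_AVC line above shows pid=1 with subj=...:init_t), so the allow applies to PID 1 and to every per-service child it forks (the "(modprobe)", "(d-logind)" and "(ostnamed)" processes in the journal), not to one daemon. Treat the local module as a stopgap and remove it with semodule -r my-imedated once a selinux-policy build carrying the proper interface fix is installed; sesearch -A -s init_t -t kmsg_device_t -c chr_file -p mounton (from setools) shows whether the installed policy already has the rule.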
confirmed openQA test works OK if I hack selinux to permissive mode, so it's the selinux denials causing the problem.
Oh, and I just upgraded my desktop to latest Rawhide and on that box, this bug seems to mean it never reaches gdm *at all*. It just gets stuck at the boot screen. I have to boot with enforcing=0 to be able to log in at all. Not sure why this seems to manifest so differently on different systems, that's weird.
I'm fairly certain that also kills networking for systems that use networkd (at least I had one of them DOA after this update, that had to be rescued to permissive mode for networking to work; haven't had time to check the actual AVCs on it yet)
Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
That's not 29. That's rawhide!
Since this prevents my box booting at all, proposing as an F32 Beta blocker.
commit 3874269a715a60bca048a76da372fd90b7294e9c (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 27 19:06:42 2019 +0100

    Update dev_mounton_all_device_nodes() interface

    Update the interface to allow a caller domain to mounton also
    device_node chr_files and blk_files.

    Resolves: rhbz#1775882

Fixes backported also to F31.
*** Bug 1777083 has been marked as a duplicate of this bug. ***
Thanks Lukas. Can we get a new build ASAP so the next Rawhide is testable?
Here we go!

Building selinux-policy-3.14.5-17.fc32 for rawhide
Created task: 39380917
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=39380917
I've tested selinux-policy-3.14.5-17.fc32.noarch and I still have issues when booting with enforcing=1. In the audit log I see:

type=AVC msg=audit(1574930779.828:51): avc: denied { getattr } for pid=562 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930779.829:52): avc: denied { mounton } for pid=562 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930780.657:56): avc: denied { getattr } for pid=601 comm="(ostnamed)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
type=AVC msg=audit(1574930780.657:57): avc: denied { mounton } for pid=601 comm="(ostnamed)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
Yeah, openQA tests all failed on today's compose too. openQA logs from a run I did with a hack to set the installed system in permissive mode show this:

----
time->Wed Nov 27 13:21:35 2019
type=AVC msg=audit(1574878895.838:77): avc: denied { mounton } for pid=619 comm="(modprobe)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
----
time->Wed Nov 27 13:21:35 2019
type=AVC msg=audit(1574878895.839:78): avc: denied { getattr } for pid=619 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
----
time->Wed Nov 27 13:21:35 2019
type=AVC msg=audit(1574878895.840:79): avc: denied { mounton } for pid=619 comm="(modprobe)" path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532031 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file permissive=1
*** Bug 1778022 has been marked as a duplicate of this bug. ***
Looks like selinux-policy-3.14.5-18.fc32 fixes this - openQA tests for the 1129.n.0 compose mostly passed. Anyone else confirm for them?
With: selinux-policy-targeted-3.14.5-18.fc32.noarch selinux-policy-3.14.5-18.fc32.noarch login and networkd work again
OK, let's call this closed then. Thanks lvrabec.