Bug 1777083 - SELinux is preventing (machined) from 'mounton' accesses on the chr_file /run/systemd/unit-root/dev/kmsg.
Summary: SELinux is preventing (machined) from 'mounton' accesses on the chr_file /run...
Keywords:
Status: CLOSED DUPLICATE of bug 1775882
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:177d6a94948011aeba6dcc86e81...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-26 21:56 UTC by Michael
Modified: 2019-11-27 18:54 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-27 18:54:00 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Michael 2019-11-26 21:56:35 UTC 
Description of problem:
SELinux is preventing (machined) from 'mounton' accesses on the chr_file /run/systemd/unit-root/dev/kmsg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (machined) should be allowed mounton access on the kmsg chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(machined)' --raw | audit2allow -M my-machined
# semodule -X 300 -i my-machined.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                /run/systemd/unit-root/dev/kmsg [ chr_file ]
Source                        (machined)
Source Path                   (machined)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-16.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.4.0-2.fc32.x86_64 #1 SMP Mon Nov
                              25 22:45:19 UTC 2019 x86_64 x86_64
Alert Count                   27
First Seen                    2019-11-26 22:52:06 CET
Last Seen                     2019-11-26 22:55:52 CET
Local ID                      5e8463d0-a756-497c-8539-9d3d13e8e35a

Raw Audit Messages
type=AVC msg=audit(1574805352.734:263): avc:  denied  { mounton } for  pid=5068 comm="(imedated)" path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=2066 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1


Hash: (machined),init_t,kmsg_device_t,chr_file,mounton

Version-Release number of selected component:
selinux-policy-3.14.5-16.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.0-2.fc32.x86_64
type:           libreport
Comment 1 Ben Cotton 2019-11-27 14:22:16 UTC 
Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 2 Michael 2019-11-27 14:24:01 UTC 
That's not 29. That's rawhide!
Comment 3 Lukas Vrabec 2019-11-27 18:54:00 UTC 

*** This bug has been marked as a duplicate of bug 1775882 ***
Note You need to log in before you can comment on or make changes to this bug.