Bug 614574 - tracker : SELinux policy for Systemd
Summary: tracker : SELinux policy for Systemd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 614710
Depends On:
Blocks:
Reported: 2010-07-14 19:15 UTC by Bill Nottingham
Modified: 2014-03-17 03:24 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-05-26 20:15:58 UTC
Type: ---
Embargoed:



Description Bill Nottingham 2010-07-14 19:15:04 UTC
Description of problem:

At least, I can't log in in enforcing mode. If I'm not in enforcing mode,
my login shell ends up being unconfined_u:system_r:abrt_helper_t, which is very wrong.

Version-Release number of selected component (if applicable):

systemd-3-3
selinux-policy-targeted-3.8.6-3.fc14

How reproducible:

100%

Comment 1 Jeffrey C. Ollie 2010-07-14 20:52:13 UTC
Same problem here for me, same versions of systemd and selinux policy.  I can log in if I disable selinux and switch to permissive mode.  I tried doing a full relabel of the FS but it didn't help.

Comment 2 Lennart Poettering 2010-07-14 21:01:55 UTC
Hmm, I thought we had fixed the policy already. Reassigning to the policy package.

Comment 3 Daniel Walsh 2010-07-15 13:10:36 UTC
Labeling is fixed in selinux-policy-3_8_7-1_fc14

But I will leave this bug open for a while since lots of other changes need to be made to systemd to get it to work properly with SELinux.

Lennart we are going to have to either make systemd impersonate services or setup proper labeling on things like sockets, when doing autostart.

Comment 4 Orion Poplawski 2010-07-16 22:44:19 UTC
My current messages:

type=AVC msg=audit(1279341708.897:8): avc:  denied  { accept } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:9): avc:  denied  { getattr } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:10): avc:  denied  { getopt } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

Does not boot in enforcing.

Comment 5 Carl G. 2010-07-17 02:38:05 UTC
Please open a new bug report; this bug report is for tracking the bugs & changes required for SELinux to work with Systemd.

Thanks.

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 6 Lennart Poettering 2010-07-17 13:47:44 UTC
*** Bug 614710 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2010-07-20 18:00:08 UTC
selinux-policy-3.8.8-1.fc14 policy should allow you to boot systemd in enforcing mode.  I had to hack policy to allow messagebus and avahi to work.  We need to change systemd to properly impersonate those services.  Currently the first app that tries to communicate with avahi or dbus ends up with an avc requiring:

allow telepathy_msn_t init_t:unix_stream_socket connectto;

Since init_t creates the socket, systemd should have called setsockcreatecon("system_u:system_r:dbusd_t:s0")

Then the avc would have been solved with the allow rule:

allow telepathy_msn_t dbusd_t:unix_stream_socket connectto;
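
The AVC lines in comment 4 and the allow rules in comment 7 are the two ends of one mapping. The Python below is an added example, not code from this bug or from the selinux-policy tooling: it folds denials into audit2allow-style rules and separately flags socket denials whose target is init_t, the symptom described above (the socket kept init's label because it was created without setsockcreatecon()). The sample input is the three lines posted in comment 4; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC denials posted in comment 4, verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1279341708.897:8): avc:  denied  { accept } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:9): avc:  denied  { getattr } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:10): avc:  denied  { getopt } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Fields of a kernel AVC record; path= is optional (absent for non-file objects).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'(?:.*?\bpath="(?P<path>[^"]*)")?'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Type component of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into a dict; None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m.group("perms").split(), "path": m.group("path"),
            "stype": type_of(m.group("scon")), "ttype": type_of(m.group("tcon")),
            "tclass": m.group("tclass")}

def allow_rules(lines):
    """Fold denials into 'allow src tgt:class perms;' rules, one per (src, tgt, class),
    the shape audit2allow emits (a hypothetical reimplementation, not its code)."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def init_owned_sockets(lines):
    """Socket paths whose denial names init_t as the target: the socket kept init's
    label, so the cure is setsockcreatecon() at creation time, not a rule on init_t."""
    return sorted({rec["path"] for rec in filter(None, map(parse_avc, lines))
                   if rec["ttype"] == "init_t" and rec["tclass"].endswith("socket")
                   and rec["path"]})
```

Any rule that init_owned_sockets() flags is one to treat as a labeling bug in the socket creator rather than a permission to grant.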

Comment 8 François Cami 2010-07-30 19:22:47 UTC
Err, reverting. Sorry.

