Summary: SELinux is preventing /lib/upstart/shutdown "unlink" access on nologin.

Detailed Description:

SELinux denied access requested by shutdown. It is not expected that this access is required by shutdown and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:shutdown_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                nologin [ file ]
Source                        shutdown
Source Path                   /lib/upstart/shutdown
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           upstart-0.6.5-10.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri Oct 22 15:27:53 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 17 Nov 2010 01:58:17 AM EST
Last Seen                     Wed 17 Nov 2010 01:58:17 AM EST
Local ID                      b686ae6b-36da-4e06-9e86-f23ae0657007
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1289977097.781:50930): avc: denied { unlink } for pid=25106 comm="shutdown" name="nologin" dev=dm-3 ino=3285168 scontext=system_u:system_r:shutdown_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1289977097.781:50930): arch=40000003 syscall=10 success=no exit=-13 a0=8052c01 a1=0 a2=bffcd30c a3=0 items=0 ppid=25102 pid=25106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/lib/upstart/shutdown" subj=system_u:system_r:shutdown_t:s0 key=(null)

Hash String generated from  catchall,shutdown,shutdown_t,etc_runtime_t,file,unlink

audit2allow suggests:

#============= shutdown_t ==============
allow shutdown_t etc_runtime_t:file unlink;
John, any idea where this nologin file is located?

# locate -r /nologin$
Petr, could you look at this bug and also the #652989 bug. Both bugs are related to "nologin" file.
The /etc/nologin file is created by /sbin/shutdown -> ../lib/upstart/shutdown during the shutdown process. It is used by pam_nologin(8) to avoid new users logging into the system.

# shutdown +4 shutdown &
... wait one minute
# ls -lZ /etc/nologin
-rw-r--r--. root root unconfined_u:object_r:shutdown_etc_t:s0 /etc/nologin
# shutdown -c
shutdown: Shutdown cancelled
[1]+  Done                    shutdown +4 shutdown
# ls -lZ /etc/nologin
ls: cannot access /etc/nologin: No such file or directory
I think we are missing a transition here. Miroslav, we need to add

init_system_domain(shutdown_t, shutdown_exec_t)

I believe what is happening is some init script is executing shutdown, but not transitioning to shutdown_t. shutdown ends up running as initrc_t, and when it creates files in /etc it creates them as etc_runtime_t. If we add the shutdown transition, initrc_t -> shutdown_exec_t -> shutdown_t, then when shutdown_t creates files in etc_t it will create them as shutdown_etc_t, which will work.
Sounds reasonable.
It was fixed in selinux-policy-3.9.7-12.fc14
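The diagnosis in this thread is that the audit2allow rule was the wrong fix: the denial came from a mislabelled file (etc_runtime_t instead of shutdown_etc_t), so the real problem was a missing domain transition. The following is an added example, not code from the bug report or from the selinux-policy project; it parses the raw AVC record above, regenerates the audit2allow-style rule, and flags the label mismatch using a small expected-label table built from what the thread states (the table, the function names and the helper names are assumptions).

```python
import re
from collections import defaultdict

# Raw AVC record copied from the report above (host fields already removed).
AVC_LINE = ('type=AVC msg=audit(1289977097.781:50930): avc: denied { unlink } '
            'for pid=25106 comm="shutdown" name="nologin" dev=dm-3 ino=3285168 '
            'scontext=system_u:system_r:shutdown_t:s0 '
            'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return perms, source type, target type and class of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tcontext').split(':')[2]
    return {'perms': m.group('perms').split(), 'stype': stype,
            'ttype': ttype, 'tclass': m.group('tclass')}

def allow_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules,
    the way audit2allow summarises them."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" if len(p) > 1
            else f"allow {s} {t}:{c} {next(iter(p))};"
            for (s, t, c), p in sorted(grouped.items())]

# Label a domain is expected to give the files it creates. Constructed from the
# thread: files shutdown_t creates under /etc should be shutdown_etc_t.
EXPECTED_TARGET = {('shutdown_t', 'file'): 'shutdown_etc_t'}

def triage(line):
    """Tell a mislabelled object apart from a genuinely missing rule before
    anyone pastes the audit2allow output into a local policy module."""
    d = parse_avc(line)
    if d is None:
        return 'not an AVC denial'
    expected = EXPECTED_TARGET.get((d['stype'], d['tclass']))
    if expected and expected != d['ttype']:
        return (f"mislabel: {d['stype']} touched {d['ttype']} but its own files "
                f"should be {expected}; suspect a missing domain transition")
    return 'no label mismatch; review the suggested rule'
```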