SELinux is preventing /bin/systemd-tty-ask-password-agent from 'read' accesses on the fifo_file 0.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tty-ask-password-agent should be allowed read access on the 0 fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /bin/systemd-tty-ask-password-agent /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:systemd_passwd_agent_t:s0
Target Context                unconfined_u:object_r:device_t:s0
Target Objects                0 [ fifo_file ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           systemd-13-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.11-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-0.rc6.git0.1.fc15.x86_64 #1 SMP Thu Dec 16 15:48:53 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    sam. 18 déc. 2010 11:36:26 CET
Last Seen                     sam. 18 déc. 2010 11:36:26 CET
Local ID                      5e5f0056-b7dd-4bf7-bae3-0cb9fc9088a6

Raw Audit Messages
type=AVC msg=audit(1292668586.758:20234): avc: denied { read } for pid=26411 comm="systemd-tty-ask" name="0" dev=devtmpfs ino=194114 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=fifo_file
systemd-tty-ask,systemd_passwd_agent_t,device_t,fifo_file,read

type=AVC msg=audit(1292668586.758:20234): avc: denied { open } for pid=26411 comm="systemd-tty-ask" name="0" dev=devtmpfs ino=194114 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=fifo_file
systemd-tty-ask,systemd_passwd_agent_t,device_t,fifo_file,read

type=SYSCALL msg=audit(1292668586.758:20234): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7df0b0 a1=80900 a2=fffffffffffffed0 a3=6b636f6c622d6472 items=0 ppid=26410 pid=26411 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=204 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
systemd-tty-ask,systemd_passwd_agent_t,device_t,fifo_file,read

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t device_t:fifo_file { read open };
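The report above hands the reader an audit2allow pipeline, but the later comments in this bug show why running it blindly is a mistake: a denial whose target is a generic catch-all type (device_t for an anonymous /dev entry, etc_runtime_t for a log file) usually points at a mislabeled object, not at a missing policy rule. The following Python script is an added example, not part of this bug report or of setroubleshoot/audit2allow; it parses AVC records in the format shown above, collapses them into audit2allow-style allow rules, and flags rules whose target type is on a small list of generic labels. The GENERIC_TARGET_TYPES list and the sample records are constructed for illustration (the first two records are the ones from this report, the third mirrors the spamd_t denial discussed in comment #7).

```python
import re
from collections import defaultdict

# Constructed sample input in the format ausearch -m AVC prints. The two
# systemd-tty-ask records are taken from this bug; the spamd record is a
# reconstruction of the denial described later in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1292668586.758:20234): avc:  denied  { read } for  pid=26411 comm="systemd-tty-ask" name="0" dev=devtmpfs ino=194114 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=fifo_file
type=AVC msg=audit(1292668586.758:20234): avc:  denied  { open } for  pid=26411 comm="systemd-tty-ask" name="0" dev=devtmpfs ino=194114 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1292668586.758:20234): arch=x86_64 syscall=open success=yes exit=ESRCH comm=systemd-tty-ask
type=AVC msg=audit(1292700000.123:20300): avc:  denied  { append } for  pid=3000 comm="spamd" name="razor-agent.log" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

# One AVC record: the permission set in braces, then source/target contexts
# and the object class. Record fields in between (pid, comm, name, ...) vary.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed heuristic list: types that are default/catch-all labels rather than
# labels a policy author assigns on purpose. A denial against one of these is
# more often a labeling problem than a real policy gap.
GENERIC_TARGET_TYPES = {"device_t", "etc_runtime_t", "unlabeled_t", "default_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Extract (perms, source type, target type, class) from each AVC record."""
    denials = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no access decision
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def summarize_rules(denials):
    """Merge denials that share (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_allow_rules(rules):
    """Render rules the way audit2allow does; permissions are sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def flag_generic_targets(rules):
    """Return rule keys whose target type is a generic label (likely mislabeling)."""
    return [key for key in sorted(rules) if key[1] in GENERIC_TARGET_TYPES]


if __name__ == "__main__":
    rules = summarize_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for line in format_allow_rules(rules):
        print(line)
    for stype, ttype, tclass in flag_generic_targets(rules):
        print(f"# check labeling before allowing: {stype} -> {ttype}:{tclass}")
```

Run on the sample it prints the same allow rule setroubleshoot shows in the report and marks it for a labeling check, which is the conclusion the thread reaches: the fix for the spamd_t case was a bug in razor's working directory handling, not a new allow rule. A real run would feed it the output of ausearch -m AVC -ts recent, as requested in comment #4.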
What were you doing when this happened? During boot?
Unfortunately, I have no idea :( There are so many avcs in rawhide right now the icon is up almost all the time and I don't notice new problems real-time
IIRC, this one occurred when running the printing troubleshooter, clicking cancel in one of the dialogs that asked for root access
Nicolas, this looks like you might have a labeling problem on your system. If you are getting hundreds of AVC's something strange is going on. Could you attach a compressed ausearch -m AVC -ts recent
(In reply to comment #4)
> Nicolas, this looks like you might have a labeling problem on your system. If
> you are getting hundreds of AVC's something strange is going on.

Well, not really, dovecot has not been happy with selinux lately, and mail subsystem avcs are triggered whenever a new mail arrives or I check mail.

> Could you attach a compressed
>
> ausearch -m AVC -ts recent

Will do now
Created attachment 469824 [details]
ausearch

As requested. After a system relabel, and the box had little activity today, so it's pretty small
Ok I will fix two of the AVC's that make sense

#============= setroubleshootd_t ==============
allow setroubleshootd_t mock_var_lib_t:chr_file getattr;

Fixed

#============= spamd_t ==============
allow spamd_t etc_runtime_t:file append;

Makes no sense. You have a razor-agent.log labeled etc_runtime_t? Do you have this file in / or under /etc?

#============= telepathy_idle_t ==============
allow telepathy_idle_t random_device_t:chr_file read;
allow telepathy_idle_t urandom_device_t:chr_file { read getattr open };

Fixed

No mention in these avc's of systemd.
(In reply to comment #7)
> Ok I will fix two of the AVC's that make sense
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t mock_var_lib_t:chr_file getattr;
>
> Fixed
>
> #============= spamd_t ==============
> allow spamd_t etc_runtime_t:file append;
> Makes no sense,
>
> You have a razor-agent.log labeled etc_runtime_t? Do you have this file in /
> or under /etc?

This is a security bug razor-side (does not set up a working dir properly)

> #============= telepathy_idle_t ==============
> allow telepathy_idle_t random_device_t:chr_file read;
> allow telepathy_idle_t urandom_device_t:chr_file { read getattr open };
>
> Fixed
>
> No mention in these avc's of systemd.

Yes, it's starting to look better after all the bugs I filed recently
Ok I take it that bug has been filed. Closing as fixed in rawhide.