Bug 669672 (readahead) - SELinux is preventing systemd-readahe from 'write' accesses on the file /etc/abrt/abrt.conf.
Summary: SELinux is preventing systemd-readahe from 'write' accesses on the file /etc/...
Keywords:
Status: CLOSED UPSTREAM
Alias: readahead
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:711a11967f9...
Duplicates: 669668 669669 669670 669671 669673 669675 669677 669679 669681 669683 669685 669931 671596 677763 681127 682383
Depends On:
Blocks:
 
Reported: 2011-01-14 11:58 UTC by satellitgo
Modified: 2011-10-12 17:49 UTC (History)
CC List: 20 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-12 17:49:03 UTC
Type: ---
Embargoed:



Description satellitgo 2011-01-14 11:58:26 UTC
SELinux is preventing systemd-readahe from 'write' accesses on the file /etc/abrt/abrt.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-readahe should be allowed write access on the abrt.conf file by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-readahe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:readahead_t:s0
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                /etc/abrt/abrt.conf [ file ]
Source                        systemd-readahe
Source Path                   systemd-readahe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           abrt-1.1.14-1.fc15
Policy RPM                    selinux-policy-3.9.12-6.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-2.fc15.i686 #1 SMP Fri Jan 7 15:46:20 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Fri 14 Jan 2011 08:49:17 AM EST
Last Seen                     Fri 14 Jan 2011 08:49:17 AM EST
Local ID                      253b54ae-fa8e-4ca9-8b80-3578f891f86c

Raw Audit Messages
type=AVC msg=audit(1295012957.742:147): avc:  denied  { write } for  pid=444 comm="systemd-readahe" path="/etc/abrt/abrt.conf" dev=dm-0 ino=18034 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file


Hash: systemd-readahe,readahead_t,abrt_etc_t,file,write

audit2allow

#============= readahead_t ==============
allow readahead_t abrt_etc_t:file write;

audit2allow -R

#============= readahead_t ==============
allow readahead_t abrt_etc_t:file write;

Comment 1 Daniel Walsh 2011-01-14 14:13:12 UTC
*** Bug 669685 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2011-01-14 14:13:21 UTC
*** Bug 669683 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2011-01-14 14:13:28 UTC
*** Bug 669681 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2011-01-14 14:13:35 UTC
*** Bug 669679 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2011-01-14 14:13:41 UTC
*** Bug 669677 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2011-01-14 14:13:48 UTC
*** Bug 669675 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2011-01-14 14:13:55 UTC
*** Bug 669673 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Walsh 2011-01-14 14:15:07 UTC
*** Bug 669671 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2011-01-14 14:15:14 UTC
*** Bug 669670 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2011-01-14 14:15:22 UTC
*** Bug 669669 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2011-01-14 14:15:31 UTC
*** Bug 669668 has been marked as a duplicate of this bug. ***

Comment 12 Daniel Walsh 2011-01-14 14:17:34 UTC
Why is systemd trying to write to every file on the system, or at least checking access(X,W_OK) on every file?

Comment 13 Daniel Walsh 2011-01-14 14:18:53 UTC
satellit, if you see lots of AVCs that look exactly the same, please do not report every single one. Make our life and yours easier by reporting one or two and then telling us you are seeing lots of others similar.

Comment 14 Miroslav Grepl 2011-01-17 10:33:41 UTC
*** Bug 669931 has been marked as a duplicate of this bug. ***

Comment 15 Lennart Poettering 2011-01-18 11:56:59 UTC
(In reply to comment #12)
> Why is systemd trying to write to every file on the system, or at least
> checking access(X,W_OK) on every file.

Hmm, good question, I have no idea really. And looking through the sources I can't see where that could come from.

Is there any way to figure out whether these AVCs got generated by the "systemd-readahead-collect" or by the "systemd-readahead-replay" tool? It would be really useful if those selinux reports could also include the argv[] array of the offending process, or at least argv[0] in addition to comm.

Comment 16 Lennart Poettering 2011-01-18 12:00:53 UTC
(btw, I think it would make sense to label systemd-readahead-replay differently from systemd-readahead-collect, as replay does not need any kind of write access to disk and collect needs only to write the final readahead data blob.)

Comment 17 Daniel Walsh 2011-01-18 14:34:44 UTC
What is really strange here is that no one else has ever reported these and we have not seen this ourselves.

satellit, are you continuing to see these AVCs when you boot? Lennart, I looked through your code and did not see anything obvious either.

Comment 18 Daniel Walsh 2011-01-18 14:35:42 UTC
Actually Joachim Namislow  saw this also.

Comment 19 Daniel Walsh 2011-01-18 14:37:45 UTC
We can turn on full auditing to get more data, although I am not sure these AVCs, since they happen so early in the boot, would be affected.

If anyone is continuing to see this, could you add

-w /etc/shadow -p w

to /etc/audit/audit.rules and reboot, then see if any better paths are showing up in the AVC messages.

Comment 20 satellitgo 2011-01-18 15:39:15 UTC
This occurred on soas spin from nightly composes.
(VMworkstation 6.5.2 booted from .iso)
Booted to blank screen with pop up to report bugs (simple window manager?).
Never got to sugar or gdm login.
As only booting from .iso there is no way to edit and reboot.

Comment 21 Daniel Walsh 2011-01-18 15:57:53 UTC
I don't think these SELinux issues would have blocked anything. It might have been just a broken build. Are you seeing it on newer builds?

Comment 22 Lennart Poettering 2011-01-20 18:42:47 UTC
Hmm, Dan, so I have been seeing this now too. The process that triggers that is the readahead collector, which uses fanotify() to figure out what files are accessed during boot. My guess at what might be going wrong here is that the fds for the accessed files that fanotify() passes back to us are not properly handled by SELinux on the kernel side: by calling read() on the fanotify fd we get one or more fds passed to us (yes, the semantics are weird like this), and my wild guess here is that the SELinux checks for these fds don't properly take into account the file flags of these fds (i.e. the flags for these fds are configured a single time via fanotify_init() at very early start-up, which can be much, much earlier than when we actually get the fd).

But then again, given that Eric wrote both fanotify and is an SELinux hacker, this might be a completely wrong guess.

Comment 23 Daniel Walsh 2011-01-20 19:46:42 UTC
OK, let's reassign to kernel...

Comment 24 Lennart Poettering 2011-01-20 22:38:39 UTC
So, Eric tracked this down to the FS_IOC_FIEMAP ioctl, which is considered a write access by SELinux although it really isn't. Patch 242631c49d4cf39642741d6627750151b058233b seems to be the culprit. Eric is working on a fix (i.e. a revert).
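
Comment 24 identifies the FS_IOC_FIEMAP ioctl as the operation SELinux was treating as a write. The following Python is an added example written for this page, not systemd's readahead code: it issues that ioctl against a file opened O_RDONLY and decodes the returned extent map, which is all FIEMAP does (it reports where a file's blocks live, the kind of information a collector needs to order its reads by disk location, and it never modifies the file). The constants and structure layouts are taken from the kernel's linux/fiemap.h; the scratch-file helper, the disk_order() sort and the tolerance for EOPNOTSUPP (filesystems such as tmpfs do not implement FIEMAP) are the example's own assumptions.

```python
import errno
import fcntl
import os
import struct
import tempfile

# Constants from <linux/fs.h> and <linux/fiemap.h>.
FS_IOC_FIEMAP = 0xC020660B        # _IOWR('f', 11, struct fiemap)
FIEMAP_FLAG_SYNC = 0x00000001     # flush dirty data before mapping
FIEMAP_EXTENT_LAST = 0x00000001   # set on the final extent of the file

# struct fiemap header: fm_start, fm_length (u64); fm_flags, fm_mapped_extents,
# fm_extent_count, fm_reserved (u32).  All fields are naturally aligned, so the
# standard-size native layout ("=") matches the kernel layout exactly.
FIEMAP_HDR = struct.Struct("=QQIIII")
# struct fiemap_extent: fe_logical, fe_physical, fe_length, fe_reserved64[2] (u64);
# fe_flags, fe_reserved[3] (u32).
FIEMAP_EXT = struct.Struct("=QQQQQIIII")


def fiemap_extents(path, max_extents=64):
    """Return [(logical, physical, length, flags), ...] for `path`, or None when
    the filesystem does not implement FIEMAP.

    The file is opened O_RDONLY on purpose: the query succeeds without any
    write permission on the file, which is the point this bug makes about the
    SELinux 'write' check being a misclassification of this ioctl."""
    fd = os.open(path, os.O_RDONLY)
    try:
        buf = bytearray(FIEMAP_HDR.size + FIEMAP_EXT.size * max_extents)
        # Map the whole file: fm_start = 0, fm_length = ~0ULL.
        FIEMAP_HDR.pack_into(buf, 0, 0, 2**64 - 1, FIEMAP_FLAG_SYNC, 0, max_extents, 0)
        try:
            fcntl.ioctl(fd, FS_IOC_FIEMAP, buf, True)
        except OSError as e:
            if e.errno == errno.EOPNOTSUPP:
                return None
            raise
    finally:
        os.close(fd)
    mapped = FIEMAP_HDR.unpack_from(buf, 0)[3]   # fm_mapped_extents
    extents = []
    for i in range(mapped):
        logical, physical, length, _, _, flags, _, _, _ = FIEMAP_EXT.unpack_from(
            buf, FIEMAP_HDR.size + i * FIEMAP_EXT.size)
        extents.append((logical, physical, length, flags))
    return extents


def disk_order(paths):
    """Order paths by the physical block of their first extent, the way a
    readahead collector would sequence its reads; unmappable files go last.
    Example helper, not systemd's algorithm."""
    def key(p):
        ext = fiemap_extents(p, max_extents=1)
        return (0, ext[0][1]) if ext else (1, 0)
    return sorted(paths, key=key)


def probe_sample_file(size=8192):
    """Write a scratch file (constructed input), map it read-only, clean up.
    Returns the extent list, or None when FIEMAP is unsupported here."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\xa5" * size)
        f.flush()
        os.fsync(f.fileno())
        path = f.name
    try:
        return fiemap_extents(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ext = probe_sample_file()
    if ext is None:
        print("FIEMAP not supported on this filesystem")
    else:
        for logical, physical, length, flags in ext:
            last = " (last)" if flags & FIEMAP_EXTENT_LAST else ""
            print(f"logical={logical} physical={physical} length={length}{last}")
```

Run as root or not, the open is read-only and the ioctl needs no write permission at the DAC level either; under SELinux the permission the kernel asks for on this path is what the policy change in this bug adjusts.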

Comment 25 Miroslav Grepl 2011-01-24 09:10:59 UTC
*** Bug 671596 has been marked as a duplicate of this bug. ***

Comment 26 satellitgo 2011-02-03 06:17:24 UTC
soas-x86_64-20110202.15.iso is still throwing 39 bugs (local policy modules needed). It starts in openbox (right click > logout gets a graphical Fedora release 15 (rawhide) logon for the live System user, which returns to openbox).

Comment 27 Clyde E. Kunkel 2011-02-11 04:26:04 UTC
Seeing this with the Fedora 15 alpha release candidate. 50 occurrences in one boot.

Comment 28 Miroslav Grepl 2011-02-16 14:48:56 UTC
*** Bug 677763 has been marked as a duplicate of this bug. ***

Comment 29 Daniel Walsh 2011-02-16 19:50:02 UTC
The latest F15 policy has a dontaudit for this until the kernel is fixed.

Comment 30 Lennart Poettering 2011-02-18 12:48:11 UTC
BTW, this made LWN:

http://lwn.net/Articles/428140/

Comment 31 Dominick Grift 2011-02-19 14:21:14 UTC
So how would I use eparis' "audit_access" access vector to deal with these issues?
I tried "dontaudit systemd_readahead_collect_t file_type:file audit_access;" but no go.

Comment 32 Eric Paris 2011-02-19 18:18:58 UTC
You can't. audit_access only applies when the check came from the access(2) syscall. In this case it came from the ioctl(2) syscall, so the only thing you can do is a normal dontaudit rule....

Comment 33 Miroslav Grepl 2011-03-01 12:28:43 UTC
*** Bug 681127 has been marked as a duplicate of this bug. ***

Comment 34 Miroslav Grepl 2011-03-07 10:17:20 UTC
*** Bug 682383 has been marked as a duplicate of this bug. ***

Comment 35 yunustj 2011-03-10 16:03:48 UTC
The problem still persists even after the system was updated to
  selinux-policy-3.9.16-1.fc15.noarch
  selinux-policy-targeted-3.9.16-1.fc15.noarch

Comment 36 Daniel Walsh 2011-03-10 16:07:00 UTC
Yunustj, please show us a couple of the AVCs you are seeing.

Comment 37 yunustj 2011-03-10 16:48:43 UTC
I still have 21 SELinux alerts;
  see Bug 681127 (marked duplicate above)

Comment 38 yunustj 2011-03-10 16:49:16 UTC
Raw Audit Messages
type=AVC msg=audit(1299774390.577:22): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/etc/NetworkManager/VPN" dev=dm-1 ino=25463 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir

Comment 39 yunustj 2011-03-10 16:50:33 UTC
Raw Audit Messages
type=AVC msg=audit(1299774390.651:25): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/etc/cron.d" dev=dm-1 ino=25140 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir

Comment 40 yunustj 2011-03-10 16:51:56 UTC
Raw Audit Messages
type=AVC msg=audit(1299774390.713:27): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/var/spool/abrt" dev=dm-1 ino=17394 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir

Comment 41 yunustj 2011-03-10 16:53:55 UTC
Raw Audit Messages
type=AVC msg=audit(1299774390.883:32): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/usr/share/cups/banners" dev=dm-1 ino=145520 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=dir

Comment 42 yunustj 2011-03-10 16:55:07 UTC
Raw Audit Messages
type=AVC msg=audit(1299774391.151:44): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/etc/sysconfig/network-scripts" dev=dm-1 ino=22079 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir

Comment 43 yunustj 2011-03-10 16:58:30 UTC
Raw Audit Messages
type=AVC msg=audit(1299774432.185:97): avc:  denied  { read } for  pid=1828 comm="mission-control" name=".mc_connections" dev=dm-3 ino=8913106 scontext=unconfined_u:unconfined_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=AVC msg=audit(1299774432.185:97): avc:  denied  { open } for  pid=1828 comm="mission-control" name=".mc_connections" dev=dm-3 ino=8913106 scontext=unconfined_u:unconfined_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1299774432.185:97): arch=x86_64 syscall=open success=yes exit=EBADF a0=e88ca0 a1=0 a2=736e6f69746365 a3=2f65686361632e2f items=0 ppid=1827 pid=1828 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=mission-control exe=/usr/libexec/mission-control-5 subj=unconfined_u:unconfined_r:telepathy_mission_control_t:s0-s0:c0.c1023 key=(null)

Comment 44 yunustj 2011-03-10 17:00:35 UTC
Raw Audit Messages
type=AVC msg=audit(1299774395.980:81): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/etc/selinux/targeted/policy" dev=dm-1 ino=56854 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir


Please let me know if you require further information. You may want to guide me on providing it for you.

Comment 45 Daniel Walsh 2011-03-10 17:34:11 UTC
OK, this is the rule we added; I guess we need to add dir.


   dontaudit readahead_t file_type : file { write audit_access } ;
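
The description's suggested remedy (grep the audit log, pipe it through audit2allow -M mypol, then semodule -i mypol.pp) and the dontaudit rule in comment 45 are two different answers to the same AVC records, and it is worth seeing both generated from the same input. The following Python is an added example written for this page, not code from setroubleshoot, audit2allow or the Fedora policy. It parses the AVC lines quoted in this thread (embedded as constructed sample input), aggregates them by source type, target type and object class the way audit2allow does, and then emits either the allow rules audit2allow would write or the narrower dontaudit fix, one rule per object class seen, so the dir denials from comments 38 to 42 are covered together with the file one. The module name and the KNOWN_ATTRIBUTES set are the example's assumptions. audit_access stays in the dontaudit next to write because, per comment 32, it only covers checks that came from access(2); the ioctl(2) path still needs the plain write permission silenced.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC records copied from this bug report (three
# readahead_t denials on file and dir objects, plus the unrelated
# mission-control denial from comment 43) so the example runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295012957.742:147): avc:  denied  { write } for  pid=444 comm="systemd-readahe" path="/etc/abrt/abrt.conf" dev=dm-0 ino=18034 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
type=AVC msg=audit(1299774390.577:22): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/etc/NetworkManager/VPN" dev=dm-1 ino=25463 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir
type=AVC msg=audit(1299774390.651:25): avc:  denied  { write } for  pid=561 comm="systemd-readahe" path="/etc/cron.d" dev=dm-1 ino=25140 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1299774432.185:97): avc:  denied  { read } for  pid=1828 comm="mission-control" name=".mc_connections" dev=dm-3 ino=8913106 scontext=unconfined_u:unconfined_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')

# Targets that are attributes rather than types (assumption of this example:
# only file_type is needed for the rules generated here).
KNOWN_ATTRIBUTES = {"file_type"}


def type_of(context):
    """user:role:type[:mls range] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Extract the fields audit2allow keys on from each denied AVC record."""
    recs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        comm = COMM_RE.search(line)
        recs.append({
            "comm": comm.group(1) if comm else "",
            "perms": frozenset(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return recs


def aggregate(recs, comm=None):
    """Merge denials into (source type, target type, class) -> permission set.
    `comm` mimics the `grep systemd-readahe audit.log` pre-filter."""
    agg = defaultdict(set)
    for r in recs:
        if comm is None or r["comm"] == comm:
            agg[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(agg)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(agg):
    """The rules `audit2allow -M mypol` would put in mypol.te: one allow per tuple.
    Loading these grants readahead_t real write access it does not need."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(agg.items())]


def dontaudit_rules(agg, stype):
    """The policy-side fix from comment 45, generalised: one dontaudit over the
    file_type attribute for every object class the source domain was denied on,
    so a dir denial is silenced as well as a file one."""
    classes = sorted({c for (s, _, c) in agg if s == stype})
    return [f"dontaudit {stype} file_type:{c} {{ write audit_access }};" for c in classes]


RULE_RE = re.compile(r"(allow|dontaudit) (\S+) (\S+):(\S+) (.+);")


def render_module(name, rules):
    """Wrap rules in a loadable .te module; the require block is derived from
    the rules themselves, in the same shape audit2allow emits."""
    types, attrs, classes = set(), set(), defaultdict(set)
    for rule in rules:
        _, s, t, c, perms = RULE_RE.fullmatch(rule).groups()
        types.add(s)
        (attrs if t in KNOWN_ATTRIBUTES else types).add(t)
        classes[c] |= set(perms.strip("{} ").split())
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tattribute {a};" for a in sorted(attrs)]
    req += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    return (f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n"
            + "\n".join(rules) + "\n")


if __name__ == "__main__":
    agg = aggregate(parse_avcs(SAMPLE_AUDIT_LOG), comm="systemd-readahe")
    print("# what audit2allow would allow (too broad for this bug):")
    print("\n".join(allow_rules(agg)))
    print("\n# what the policy fix does instead:")
    print(render_module("readahead_dontaudit", dontaudit_rules(agg, "readahead_t")))
```

Write the render_module() output to readahead_dontaudit.te, then build and load it with checkmodule -M -m -o readahead_dontaudit.mod readahead_dontaudit.te, semodule_package -o readahead_dontaudit.pp -m readahead_dontaudit.mod and semodule -i readahead_dontaudit.pp. A dontaudit only hides the denial, which is the right tool here precisely because the access is spurious; the allow form audit2allow produces should be reserved for accesses the domain genuinely needs, and with the grep pre-filter dropped it would also have swept in the unrelated mission-control denial.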

Comment 46 Daniel Walsh 2011-03-10 17:40:37 UTC
The next selinux-policy for F15 will have this fix.

Probably selinux-policy-3.9.16-3.fc15

Comment 47 Daniel Walsh 2011-03-10 17:42:02 UTC
The readaheads are different from the Munin one. That should be opened in a different bugzilla.

Comment 48 Miroslav Grepl 2011-03-10 20:15:42 UTC
(In reply to comment #46)
> The next selinux-policy for F15 will have this fix.
> 
> Probably selinux-policy-3.9.16-3.fc15

Just building.

Comment 49 yunustj 2011-03-11 14:42:05 UTC
Thank you
Yes, it fixes the problems with
   selinux-policy-targeted-3.9.16-3.fc15.noarch
   selinux-policy-3.9.16-3.fc15.noarch

Comment #43 remains. Should this have its own bugzilla?

