Description of problem:
systemd-readahead gets an avc from selinux.

Version-Release number of selected component (if applicable):
systemd-17-1.fc15.x86_64
selinux-policy-targeted-3.9.13-8.fc15.noarch
kernel-2.6.38-0.rc3.git0.1.fc15.x86_64

How reproducible:
every time

Steps to Reproduce:
1. Fresh install DVD of today's rawhide (2011-02-03; Thursday).
2. boot
3.

Actual results:
on text console and in output of dmesg:
[ 8.670771] type=1400 audit(1296752507.393:4): avc: denied { sys_admin } for pid=472 comm="systemd-readahe" capability=21 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability

Expected results:
no complaint

Additional info:
Dan, I don't really understand this AVC, what is this about?
sys_admin is kind of the catchall of capabilities. Looking in /usr/include/linux/capability.h sys_admin could mean:
/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow setting zone reclaim policy */
Did you have a syscall record with that AVC? That could tell you what it was doing when the AVC happened.

ausearch -m avc -ts recent

Would return the complete messages.
There was no syscall record then [or in a fresh re-creating] on the console or in the output of dmesg. I do not see "systemd-read*" in the output from "ausearch -m avc -ts recent":

----
time->Tue Feb 8 09:18:24 2011
type=AVC msg=audit(1297185504.817:58): avc: denied { link } for pid=902 comm="plymouthd" name="boot.log" dev=sdd7 ino=656669 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Tue Feb 8 09:18:25 2011
type=SYSCALL msg=audit(1297185505.226:61): arch=c000003e syscall=6 success=no exit=-13 a0=7fe8fecbc587 a1=7fff64a8b200 a2=7fff64a8b200 a3=7fff64a8af70 items=0 ppid=1279 pid=1284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1297185505.226:61): avc: denied { getattr } for pid=1284 comm="mount" path="/etc/mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file
----
time->Tue Feb 8 09:18:25 2011
type=SYSCALL msg=audit(1297185505.230:62): arch=c000003e syscall=2 success=no exit=-13 a0=7fe8fecbc587 a1=42 a2=1a4 a3=7fff64a8af60 items=0 ppid=1279 pid=1284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1297185505.230:62): avc: denied { read } for pid=1284 comm="mount" name="mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file
-----

[Everything has been overwritten. Today's rawhide fails to install: bug #676032. I re-ran the install with a DVD from Sat.Feb.5.]

More context from 'dmesg' [with stripped leading date and wall-clock time]:

-----
[ 16.638494] systemd[1]: Startup finished in 821ms 703us (kernel) + 6s 898ms 674us (initrd) + 8s 918ms 99us (userspace) = 16s 638ms 476us.
[ 125.747445] type=1400 audit(1297185499.467:22): avc: denied { create } for pid=990 comm="system-setup-ke" name="00-system-setup-keyboard.conf" scontext=system_u:system_r:keyboardd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
[ 125.767718] type=1400 audit(1297185499.487:23): avc: denied { sys_admin } for pid=991 comm="systemd-readahe" capability=21 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability
[ 125.777189] systemd-readahead-collect[991]: Failed to create fanotify object: Operation not permitted
[ 125.779187] systemd[1]: systemd-readahead-collect.service: main process exited, code=exited, status=1
[ 125.851175] type=1400 audit(1297185499.571:24): avc: denied { getattr } for pid=1005 comm="mount" path="/etc/mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file
-----
So it looks like fanotify is causing sys_admin capability to be required. (I guess) Mount access should be available in tonight's update. The boot.log access is an open bug on plymouthd, I have no idea why they want this as a hard link.
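As an added triage example (not code from the bug report or from the selinux-policy project), the parser below reads the dmesg AVC lines quoted above, names the numeric capability (21 is sys_admin in linux/capability.h) and renders the minimal allow rule each denial implies, the way audit2allow would; the sample lines are copied from the report, and the capability table is an assumed subset of the kernel header.

```python
import re

# Capability numbers from <linux/capability.h> (subset); 21 is the CAP_SYS_ADMIN seen on this page.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
             5: "kill", 6: "setgid", 7: "setuid", 12: "net_admin", 13: "net_raw",
             16: "sys_module", 17: "sys_rawio", 19: "sys_ptrace", 21: "sys_admin"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: dmesg lines copied from the report above (one non-AVC line included on purpose).
SAMPLE_DMESG = [
    '[ 125.747445] type=1400 audit(1297185499.467:22): avc: denied { create } for pid=990 comm="system-setup-ke" name="00-system-setup-keyboard.conf" scontext=system_u:system_r:keyboardd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    '[ 125.767718] type=1400 audit(1297185499.487:23): avc: denied { sys_admin } for pid=991 comm="systemd-readahe" capability=21 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=capability',
    '[ 125.777189] systemd-readahead-collect[991]: Failed to create fanotify object: Operation not permitted',
    '[ 125.851175] type=1400 audit(1297185499.571:24): avc: denied { getattr } for pid=1005 comm="mount" path="/etc/mtab" dev=sdd7 ino=525330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file',
]

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    if "capability" in rec:  # tclass=capability records carry the numeric capability
        rec["capability_name"] = CAP_NAMES.get(int(rec["capability"]), "cap_" + rec["capability"])
    return rec

def domain_of(context):
    # user:role:type:level -> type (e.g. system_u:system_r:readahead_t:s0 -> readahead_t)
    return context.split(":")[2]

def allow_rule(rec):
    """Render the minimal allow rule covering this denial (what audit2allow would propose)."""
    src = domain_of(rec["scontext"])
    # A capability check has scontext == tcontext; policy writes that target as 'self'.
    target = "self" if rec["scontext"] == rec["tcontext"] else domain_of(rec["tcontext"])
    return "allow %s %s:%s { %s };" % (src, target, rec["tclass"], " ".join(rec["perms"]))

def triage(lines):
    """Map each denied process name (comm) to the allow rule its denial implies."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[rec["comm"]] = allow_rule(rec)
    return rules
```

The readahead denial resolves to `allow readahead_t self:capability { sys_admin };`, which is the kind of rule a policy fix for this report has to carry.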
Fixed in selinux-policy-3.9.14-1.fc15