SELinux is preventing /bin/systemd-tty-ask-password-agent from 'open' accesses on the chr_file tty8.

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to allow all daemons the ability to read/write terminals
Then you must tell SELinux about this by enabling the 'allow_daemons_use_tty' boolean.
Do
setsebool -P allow_daemons_use_tty 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If you believe that systemd-tty-ask-password-agent should be allowed open access on the tty8 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                tty8 [ chr_file ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           systemd-19-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.15-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-rc7-00142-g212e349 #267 Sat Mar 5 21:22:31 CET 2011 i686 i686
Alert Count                   4
First Seen                    So 06 Mär 2011 12:30:09 CET
Last Seen                     So 06 Mär 2011 13:35:02 CET
Local ID                      dec1b3a1-fd2f-45ec-a2ab-01de211dc0ae

Raw Audit Messages
type=AVC msg=audit(1299414902.499:560): avc: denied { open } for pid=870 comm="systemd-tty-ask" name="tty8" dev=tmpfs ino=6208 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1299414902.499:560): arch=i386 syscall=open success=yes exit=ENOEXEC a0=8cd9338 a1=80901 a2=80518c4 a3=0 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,tty_device_t,chr_file,open

audit2allow

#============= systemd_passwd_agent_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow systemd_passwd_agent_t tty_device_t:chr_file open;

audit2allow -R

#============= systemd_passwd_agent_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow systemd_passwd_agent_t tty_device_t:chr_file open;
Thomas, so you are seeing these issues:

allow systemd_passwd_agent_t tty_device_t:chr_file open;
allow systemd_passwd_agent_t user_tty_device_t:chr_file open;
allow systemd_passwd_agent_t self:capability dac_override;
allow systemd_passwd_agent_t self:capability sys_tty_config;

Could you try to do these steps

# yum reinstall selinux-policy
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart
# restorecon -R -v /dev/log
# reboot

and see if you still get these issues? Also, do you have an encrypted partition?
I tried your steps, and after reboot I get 17 new SELinux entries in SeAlert:
- Two entries because of the wrongly labeled /dev/log file
- One entry because of operation "search" on /dev/input/event5 from hal-setup-keymap
- 14 entries because of "write" on socket file "(null)"

Just checked again. Now I'm up to 20 alerts in SeAlert. The three new ones are:
- systemd-tmpfiles wants to write on socket file (null)
- systemd-tmpfiles wants to read /proc/net/unix
- systemd-tmpfiles wants to getattr on /proc/<pid>/unix

Yes, I have two encrypted disks:
- /home -> /dev/mapper/luksHome
- swapfs /dev/mapper/luksSwap

Currently I'm running in permissive mode to get a login screen (gdm). Do I need to run in enforcing mode to let auditd catch the access on /etc/shadow?

I guess because of the mislabeled /dev/log SeAlert fails to catch these alerts in the dmesg?!

$ dmesg | grep avc | xclip
[ 16.280789] type=1400 audit(1299518723.213:3): avc: denied { read write } for pid=404 comm="loadkeys" name="tty" dev=tmpfs ino=5955 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 16.280807] type=1400 audit(1299518723.213:4): avc: denied { open } for pid=404 comm="loadkeys" name="tty" dev=tmpfs ino=5955 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 16.280837] type=1400 audit(1299518723.213:5): avc: denied { ioctl } for pid=404 comm="loadkeys" path="/dev/tty0" dev=tmpfs ino=5958 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 16.639022] type=1400 audit(1299518723.569:6): avc: denied { add_name } for pid=392 comm="mount" name=".mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[ 16.639048] type=1400 audit(1299518723.569:7): avc: denied { create } for pid=392 comm="mount" name=".mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[ 16.639174] type=1400 audit(1299518723.569:8): avc: denied { create } for pid=392 comm="mount" name="utab" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
[ 18.650856] type=1400 audit(1299515125.581:9): avc: denied { mmap_zero } for pid=441 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[ 21.133780] type=1400 audit(1299515128.064:10): avc: denied { write } for pid=688 comm="systemd-tty-ask" name="sck.9851750355031607354" dev=tmpfs ino=11194 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[ 21.135111] type=1400 audit(1299515128.064:11): avc: denied { connectto } for pid=688 comm="systemd-tty-ask" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[ 22.583092] type=1400 audit(1299515129.511:15): avc: denied { write } for pid=730 comm="systemd-tmpfile" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
[ 23.094973] type=1400 audit(1299515130.024:16): avc: denied { read } for pid=730 comm="systemd-tmpfile" name="rpm" dev=sda2 ino=175 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[ 23.108239] type=1400 audit(1299515130.041:17): avc: denied { write } for pid=730 comm="systemd-tmpfile" name="rpm" dev=sda2 ino=175 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[ 23.108256] type=1400 audit(1299515130.041:18): avc: denied { remove_name } for pid=730 comm="systemd-tmpfile" name="__db.004" dev=sda2 ino=2344 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[ 23.108300] type=1400 audit(1299515130.041:19): avc: denied { unlink } for pid=730 comm="systemd-tmpfile" name="__db.004" dev=sda2 ino=2344 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
[ 23.411663] type=1400 audit(1299515130.341:20): avc: denied { write } for pid=754 comm="rtkit-daemon" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
[ 24.819773] type=1400 audit(1299515131.748:21): avc: denied { setrlimit } for pid=777 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=process
[ 25.024744] type=1400 audit(1299515131.954:22): avc: denied { write } for pid=824 comm="auditd" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
[ 25.703484] nscd[900]: Can't send to audit system: USER_AVC avc: netlink poll: error 4
[ 25.703559] nscd[900]: Can't send to audit system: USER_AVC avc: netlink recvfrom: error 1
[ 25.703634] nscd[900]: Can't send to audit system: USER_AVC avc: netlink thread: errors encountered, terminating

Full message from "systemd-tmpfiles wants to write on socket file (null)":

SELinux is preventing /bin/systemd-tmpfiles from write access on the sock_file (null).

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed write access on the (null) sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:systemd_tmpfiles_t:s0
Zielkontext                   system_u:object_r:tmpfs_t:s0
Zielobjekte                   (null) [ sock_file ]
Quelle                        systemd-tmpfile
Quellpfad                     /bin/systemd-tmpfiles
Port                          <Unbekannt>
Host                          localhost.localdomain
RPM-Pakete der Quelle         systemd-units-19-1.fc15
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.9.15-2.fc15
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Rechnername                   localhost.localdomain
Plattform                     Linux localhost.localdomain 2.6.38-rc7-00142-g212e349 #268 Sun Mar 6 14:17:47 CET 2011 i686 i686
Anzahl der Alarme             1
Zuerst gesehen                Mo 07 Mär 2011 17:40:06 CET
Zuletzt gesehen               Mo 07 Mär 2011 17:40:06 CET
Lokale ID                     4f11e08a-8344-49a5-9712-c8775c90653e

Raw-Audit-Meldungen
type=AVC msg=audit(1299516006.943:118): avc: denied { write } for pid=2038 comm="systemd-tmpfile" name="log" dev=tmpfs ino=14510 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1299516006.943:118): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bfa6c010 a2=80535b0 a3=bfa6c03e items=1 ppid=1 pid=2038 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

type=PATH msg=audit(1299516006.943:118): item=0 name=(null) inode=14510 dev=00:10 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

Hash: systemd-tmpfile,systemd_tmpfiles_t,tmpfs_t,sock_file,write

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t tmpfs_t:sock_file write;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t tmpfs_t:sock_file write;
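The dmesg dump above mixes three record shapes: AVC denials with a dmesg prefix, AVC denials in audit.log form, and PATH records that carry the full file name (the reason for the "-w /etc/shadow" style watch rule is exactly that the PATH records give a full path where the AVC only has name="log"). The parser below is an added example, not code from this bug or from Fedora's setroubleshoot/audit2allow; it reads constructed sample lines copied from the thread, joins PATH names to denials by audit event id, aggregates denials into audit2allow-style rules, decodes the hex-encoded abstract socket path, and applies one labelling heuristic that is my own assumption: a target that still carries the tmpfs mount's generic type tmpfs_t has never been relabeled, so the verdict is "restorecon", not "write a local policy module". Everything else (field names, context layout, hex encoding of unprintable audit fields) is standard audit output.

```python
import re
from collections import defaultdict

# Constructed sample input: records copied from this thread, mixing the dmesg
# form ("[ ts] type=1400 audit(...)"), the audit.log form ("type=AVC msg=..."),
# two PATH records from the same event as the rsyslogd denials, and one nscd
# line as noise that must be ignored.
SAMPLE_LOG = """\
[   21.135111] type=1400 audit(1299515128.064:11): avc: denied { connectto } for pid=688 comm="systemd-tty-ask" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1299535987.389:29): avc: denied { write } for pid=886 comm="rsyslogd" name="/" dev=tmpfs ino=5796 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1299535987.389:29): avc: denied { remove_name } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1299535987.389:29): avc: denied { unlink } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=PATH msg=audit(1299535987.389:29): item=0 name=/dev/ inode=5796 dev=00:10 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0
type=PATH msg=audit(1299535987.389:29): item=1 name=/dev/log inode=7677 dev=00:10 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0
type=AVC msg=audit(1299414902.499:560): avc: denied { open } for pid=870 comm="systemd-tty-ask" name="tty8" dev=tmpfs ino=6208 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
[   25.703484] nscd[900]: Can't send to audit system: USER_AVC avc: netlink poll: error 4
"""

EVENT_RE = re.compile(r"audit\((?P<id>\d+\.\d+:\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
PATH_RE = re.compile(r"type=PATH\s+msg=audit\((?P<id>[^)]+)\):\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_KEYS = {"name", "path", "comm", "exe"}  # fields audit hex-encodes when unprintable


def fields(text):
    """Split 'k=v k="v v" ...' into a dict. An unquoted, all-uppercase-hex
    name/path/comm/exe value is the audit subsystem's encoding of a value with
    unprintable bytes; an abstract unix socket path starts with NUL, which is
    shown as '@' the way ss and netstat print it."""
    out = {}
    for key, quoted, bare in FIELD_RE.findall(text):
        value = bare if bare else quoted
        if bare and key in HEX_KEYS and len(bare) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace").replace("\x00", "@", 1)
        out[key] = value
    return out


def parse_avc(line):
    """Return one denial as a dict (perms, fields, source/target types, event id),
    or None when the line is not an AVC denial (e.g. the nscd netlink noise)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = fields(m.group("fields"))
    rec["perms"] = set(m.group("perms").split())
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    e = EVENT_RE.search(line)
    rec["event"] = e.group("id") if e else None
    return rec


def parse_paths(lines):
    """Map audit event id -> full path names from PATH records; this is what
    turns an AVC's bare name="log" into /dev/log."""
    paths = defaultdict(list)
    for line in lines:
        m = PATH_RE.search(line)
        if m:
            paths[m.group("id")].append(fields(m.group("fields"))["name"])
    return paths


# Heuristic used by this example (assumption, not audit2allow behaviour): a
# target still labeled with the tmpfs mount's generic type was never relabeled.
GENERIC_FS_TYPES = {"tmpfs_t"}


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule the way audit2allow prints it."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(lines):
    """Aggregate denials into rules keyed like audit2allow (source type, target
    type, class) and attach a verdict plus any full paths seen for that rule."""
    lines = list(lines)
    paths = parse_paths(lines)
    perms, seen_paths = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms[key] |= rec["perms"]
        seen_paths[key].update(paths.get(rec["event"], []))
    result = {}
    for key, p in perms.items():
        verdict = "relabel (restorecon)" if key[1] in GENERIC_FS_TYPES else "policy gap: report / local module"
        result[format_rule(*key, p)] = (verdict, sorted(seen_paths[key]))
    return result


if __name__ == "__main__":
    for rule, (verdict, names) in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{rule:72} -> {verdict} {names}")
```

Feed it `dmesg | grep avc` or `ausearch -m AVC,PATH` output instead of the sample; the PATH join only works when the denial came through auditd with syscall auditing, which is why the early-boot dmesg lines in the thread carry no full paths.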
Thomas, please could you install the latest F15 policy, which will remove some issues:
http://koji.fedoraproject.org/koji/buildinfo?buildID=231533

The following command

echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules

gives us the full path in an error message.
I just installed the new version and rebooted. Do I need to rebuild my initramfs? I didn't do that.

After reboot I found 16 alerts in my SeAlert. The /dev/ and /dev/log are still mislabeled:

Example 1 - Mislabeled /dev/
-----------------------------

SELinux is preventing /sbin/rsyslogd from write access on the directory /dev/.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/dev/ default label should be device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that rsyslogd should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:syslogd_t:s0
Zielkontext                   system_u:object_r:tmpfs_t:s0
Zielobjekte                   /dev/ [ dir ]
Quelle                        rsyslogd
Quellpfad                     /sbin/rsyslogd
Port                          <Unbekannt>
Host                          localhost.localdomain
RPM-Pakete der Quelle         rsyslog-5.6.2-2.fc15
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.9.15-6.fc15
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Rechnername                   localhost.localdomain
Plattform                     Linux localhost.localdomain 2.6.38-rc7-00142-g212e349 #268 Sun Mar 6 14:17:47 CET 2011 i686 i686
Anzahl der Alarme             1
Zuerst gesehen                Mo 07 Mär 2011 23:13:07 CET
Zuletzt gesehen               Mo 07 Mär 2011 23:13:07 CET
Lokale ID                     486e4bb8-241c-4e11-9d42-effa12c6fc62

Raw-Audit-Meldungen
type=AVC msg=audit(1299535987.389:29): avc: denied { write } for pid=886 comm="rsyslogd" name="/" dev=tmpfs ino=5796 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=AVC msg=audit(1299535987.389:29): avc: denied { remove_name } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=AVC msg=audit(1299535987.389:29): avc: denied { unlink } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1299535987.389:29): arch=i386 syscall=unlink success=yes exit=0 a0=b76a3e6d a1=b9653278 a2=b76a5f74 a3=0 items=2 ppid=863 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rsyslogd exe=/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null)

type=CWD msg=audit(1299535987.389:29): cwd=/

type=PATH msg=audit(1299535987.389:29): item=0 name=/dev/ inode=5796 dev=00:10 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

type=PATH msg=audit(1299535987.389:29): item=1 name=/dev/log inode=7677 dev=00:10 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

Hash: rsyslogd,syslogd_t,tmpfs_t,dir,write

audit2allow

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# plymouthd_var_log_t, var_run_t, var_log_t, syslogd_tmp_t, tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, root_t

allow syslogd_t tmpfs_t:dir { write remove_name };
allow syslogd_t tmpfs_t:sock_file unlink;

audit2allow -R

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# plymouthd_var_log_t, var_run_t, var_log_t, syslogd_tmp_t, tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, root_t

allow syslogd_t tmpfs_t:dir { write remove_name };
allow syslogd_t tmpfs_t:sock_file unlink;

Example 2 - Mislabeled /dev/log
-------------------------------

SELinux is preventing /sbin/rsyslogd from setattr access on the sock_file /dev/log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that rsyslogd should be allowed setattr access on the log sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:syslogd_t:s0
Zielkontext                   system_u:object_r:tmpfs_t:s0
Zielobjekte                   /dev/log [ sock_file ]
Quelle                        rsyslogd
Quellpfad                     /sbin/rsyslogd
Port                          <Unbekannt>
Host                          localhost.localdomain
RPM-Pakete der Quelle         rsyslog-5.6.2-2.fc15
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.9.15-6.fc15
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Rechnername                   localhost.localdomain
Plattform                     Linux localhost.localdomain 2.6.38-rc7-00142-g212e349 #268 Sun Mar 6 14:17:47 CET 2011 i686 i686
Anzahl der Alarme             1
Zuerst gesehen                Mo 07 Mär 2011 23:13:07 CET
Zuletzt gesehen               Mo 07 Mär 2011 23:13:07 CET
Lokale ID                     b82f2fa5-f96c-4b10-93d1-c7e6bba72399

Raw-Audit-Meldungen
type=AVC msg=audit(1299535987.392:31): avc: denied { setattr } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=14281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1299535987.392:31): arch=i386 syscall=chmod success=yes exit=0 a0=b76a3e6d a1=1b6 a2=b76a5f74 a3=0 items=1 ppid=863 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rsyslogd exe=/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null)

type=CWD msg=audit(1299535987.392:31): cwd=/

type=PATH msg=audit(1299535987.392:31): item=0 name=/dev/log inode=14281 dev=00:10 mode=0140700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

Hash: rsyslogd,syslogd_t,tmpfs_t,sock_file,setattr

audit2allow

#============= syslogd_t ==============
allow syslogd_t tmpfs_t:sock_file setattr;

audit2allow -R

#============= syslogd_t ==============
allow syslogd_t tmpfs_t:sock_file setattr;
*** Bug 681661 has been marked as a duplicate of this bug. ***
Looks like udev is broken in the latest release or systemd?
Still the socket file /dev/log is mislabeled. Look what happens in this command sequence:

$ ll -Z /dev/log
srw-rw-rw-. root root system_u:object_r:tmpfs_t:s0 /dev/log
$ sudo restorecon -v /dev/log
restorecon reset /dev/log context system_u:object_r:tmpfs_t:s0->system_u:object_r:devlog_t:s0
$ ll -Z /dev/log
srw-rw-rw-. root root system_u:object_r:devlog_t:s0 /dev/log
$ sudo service rsyslog restart
Restarting rsyslog (via systemctl):  [ OK ]
$ ll -Z /dev/log
srw-rw-rw-. root root system_u:object_r:tmpfs_t:s0 /dev/log

How can that be?
The /dev is mislabeled. Try

restorecon -R -v /dev

Then your service rsyslog restart should work.
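Why a single-file restorecon on /dev/log does not survive a rsyslog restart, while a recursive one on /dev does, comes down to how the kernel labels a newly created object: it uses a type_transition rule keyed on (creating domain, parent directory type, object class) if one matches, and otherwise inherits the parent directory's type. The model below is an added illustration, not code from this bug or from the SELinux userspace; it replays the command sequence from the previous comment in memory. The file_contexts table holds only the two entries this thread shows (device_t for /dev from the restorecon plugin, devlog_t for /dev/log from the restorecon output), and the transition rule for syslogd_t is an assumption about the shape of the targeted policy's rule, whose exact text is not on this page.

```python
# Constructed file_contexts excerpt: only the two entries visible in the thread.
FILE_CONTEXTS = {"/dev": "device_t", "/dev/log": "devlog_t"}

# Assumed type_transition rule, keyed the way the kernel keys them:
# (creating domain, parent directory type, object class) -> new object type.
# The targeted policy has a rule of this shape for syslogd's socket; its exact
# text is not on this page, so treat it as illustrative.
TYPE_TRANSITIONS = {("syslogd_t", "device_t", "sock_file"): "devlog_t"}


class LabeledFs:
    """In-memory tree of paths with one SELinux type per path."""

    def __init__(self, mount_default):
        # A freshly mounted tmpfs /dev carries the mount's generic type until
        # udev/systemd relabel it; that relabel is what failed in this bug.
        self.labels = {"/dev": mount_default}

    def label(self, path):
        return self.labels[path]

    def create(self, path, domain, tclass):
        """Kernel rule for a new object: apply the type_transition for
        (domain, parent type, class) if one exists, else inherit the parent's type."""
        parent_type = self.labels[path.rsplit("/", 1)[0]]
        self.labels[path] = TYPE_TRANSITIONS.get((domain, parent_type, tclass), parent_type)
        return self.labels[path]

    def unlink(self, path):
        self.labels.pop(path, None)

    def restorecon(self, path, recursive=False):
        """Reset labels from file_contexts; returns (path, old, new) tuples
        for every label that changed, like 'restorecon -v' prints them."""
        changed = []
        for p, old in list(self.labels.items()):
            if p != path and not (recursive and p.startswith(path + "/")):
                continue
            new = FILE_CONTEXTS.get(p, old)
            if new != old:
                self.labels[p] = new
                changed.append((p, old, new))
        return changed


def rsyslog_restart(fs):
    """rsyslogd removes and recreates /dev/log on start (the thread's audit
    records show the unlink); the new socket's label comes from create()."""
    fs.unlink("/dev/log")
    return fs.create("/dev/log", "syslogd_t", "sock_file")


def replay_thread_sequence():
    """Return the label observed after each step of the thread's sequence."""
    fs = LabeledFs("tmpfs_t")
    rsyslog_restart(fs)                     # boot: /dev/log created under mislabeled /dev
    seen = [fs.label("/dev/log")]           # tmpfs_t, the first 'll -Z' in the thread
    fs.restorecon("/dev/log")               # single-file fix
    seen.append(fs.label("/dev/log"))       # devlog_t ...
    rsyslog_restart(fs)
    seen.append(fs.label("/dev/log"))       # ... undone: parent /dev is still tmpfs_t
    fs.restorecon("/dev", recursive=True)   # the recursive fix from this comment
    seen.append(fs.label("/dev"))           # device_t
    rsyslog_restart(fs)
    seen.append(fs.label("/dev/log"))       # devlog_t via the transition rule; it sticks
    return seen


if __name__ == "__main__":
    print(" -> ".join(replay_thread_sequence()))
```

The same reasoning is why a relabel has to happen before the daemons that create sockets under /dev start: once a parent directory carries the wrong type, every object created beneath it inherits the mistake unless a transition rule happens to match.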
okay, thanks. My system seems to be somewhat special, because the /dev filesystem is mislabeled after every reboot! But I don't know why. I seem to be the only person to hit that error?!
Is udev running?
yes, it is:

$ pidof udevd
1650 1428 364
$ dmesg |grep udev
[ 2.430496] udev[111]: starting version 166
[ 37.213748] systemd[1]: Walked on cycle path to udev-retry.service/start
[ 37.213770] systemd[1]: Breaking ordering cycle by deleting job udev-retry.service/start
[ 38.643163] udevd[364]: specified group 'pcscd' unknown
[ 38.941342] udev[364]: starting version 166

maybe some timing issue?
I still run into this problem. Currently I boot into the systemd emergency target and relabel the tmpfs /dev and /run (I can attach the output of these runs here if you like). After that I can boot into the system with "systemctl default".

Can we please change the title of this bug to "SELinux: tmpfs /dev is mislabeled for systemd" or something like that?

current versions:
dracut.noarch 009-5.fc15
udev.i686 167-2.fc15
systemd.i686 21-2.fc15
selinux-policy.noarch 3.9.16-10.fc15
selinux-policy-targeted.noarch 3.9.16-10.fc15
There is supposed to be a version of systemd being released tonight that fixes the labels: 23-1
*** Bug 692429 has been marked as a duplicate of this bug. ***
Good news, everyone! This version combination seems to fix this bug already:
dracut.noarch 009-5.fc15
systemd.i686 22-1.fc15
selinux-policy.noarch 3.9.16-11.fc15
selinux-policy-targeted.noarch 3.9.16-11.fc15