Bug 687991 - SELinux is preventing /bin/systemd-notify from 'create' accesses on the fichier done.
Summary: SELinux is preventing /bin/systemd-notify from 'create' accesses on the fichi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:fda7c3afe15...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-15 23:52 UTC by Marc Bessière
Modified: 2011-03-25 07:04 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.9.16-6.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-25 07:04:05 UTC


Attachments (Terms of Use)

Description Marc Bessière 2011-03-15 23:52:05 UTC
SELinux is preventing /bin/systemd-notify from 'create' accesses on the fichier done.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-notify should be allowed create access on the done file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-notify /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_notify_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                done [ file ]
Source                        systemd-notify
Source Path                   /bin/systemd-notify
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           systemd-20-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-1.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38-0.rc8.git0.1.fc15.x86_64 #1 SMP Tue Mar 8
                              08:22:15 UTC 2011 x86_64 x86_64
Alert Count                   12
First Seen                    dim. 13 mars 2011 23:14:30 CET
Last Seen                     mer. 16 mars 2011 00:49:08 CET
Local ID                      50d74493-1bb2-4851-a224-d28448399b5c

Raw Audit Messages
type=AVC msg=audit(1300232948.110:55): avc:  denied  { create } for  pid=1340 comm="systemd-notify" name="done" scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file


type=AVC msg=audit(1300232948.110:55): avc:  denied  { write open } for  pid=1340 comm="systemd-notify" name="done" dev=devtmpfs ino=18239 scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file


type=SYSCALL msg=audit(1300232948.110:55): arch=x86_64 syscall=open success=yes exit=ESRCH a0=40506d a1=80141 a2=1b6 a3=3161083250 items=0 ppid=1 pid=1340 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-notify exe=/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)

Hash: systemd-notify,systemd_notify_t,device_t,file,create

audit2allow

#============= systemd_notify_t ==============
#!!!! The source type 'systemd_notify_t' can write to a 'file' of the following type:
# readahead_var_run_t

allow systemd_notify_t device_t:file { write create open };

audit2allow -R

#============= systemd_notify_t ==============
#!!!! The source type 'systemd_notify_t' can write to a 'file' of the following type:
# readahead_var_run_t

allow systemd_notify_t device_t:file { write create open };

Comment 1 Oliver Henshaw 2011-03-20 17:48:13 UTC
Also seen on the kde-x86_64-20110315.01 nightly, along with some other denials:

Mar 20 17:21:09 localhost setroubleshoot: SELinux is preventing /bin/systemd-not
ify from write access on the directory .systemd. For complete SELinux messages. 
run sealert -l c7e362b3-9f13-4a4f-9d0e-c27eb9dcfacb
Mar 20 17:21:09 localhost setroubleshoot: SELinux is preventing /bin/systemd-not
ify from write access on the directory .systemd. For complete SELinux messages. 
run sealert -l c7e362b3-9f13-4a4f-9d0e-c27eb9dcfacb
Mar 20 17:21:09 localhost setroubleshoot: SELinux is preventing /bin/systemd-not
ify from write access on the directory .systemd. For complete SELinux messages. 
run sealert -l c7e362b3-9f13-4a4f-9d0e-c27eb9dcfacb
Mar 20 17:21:10 localhost setroubleshoot: SELinux is preventing /bin/systemd-not
ify from create access on the file done. For complete SELinux messages. run seal
ert -l c3df1656-2728-4ef2-addd-9acc9b416eff
Mar 20 17:21:10 localhost setroubleshoot: SELinux is preventing /bin/systemd-not
ify from create access on the file done. For complete SELinux messages. run seal
ert -l c3df1656-2728-4ef2-addd-9acc9b416eff


systemd-20-1.fc15.x86_64
selinux-policy-3.9.16-1.fc15.noarch

Comment 2 Daniel Walsh 2011-03-21 22:14:37 UTC
Fixed in selinux-policy-3.9.16-6.fc15

Comment 3 Fedora Update System 2011-03-22 23:07:24 UTC
selinux-policy-3.9.16-6.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-6.fc15

Comment 4 Fedora Update System 2011-03-25 07:03:46 UTC
selinux-policy-3.9.16-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.