SELinux is preventing /bin/systemctl from 'search' accesses on the directory 1. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemctl should be allowed search access on the 1 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep telinit /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c 1023 Target Context system_u:system_r:init_t:s0 Target Objects 1 [ dir ] Source telinit Source Path /bin/systemctl Port <Неизвестно> Host (removed) Source RPM Packages systemd-units-24-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-12.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Птн 08 Апр 2011 03:16:46 Last Seen Птн 08 Апр 2011 03:16:46 Local ID 0a3ca729-55d1-4311-8372-d8ac39905597 Raw Audit Messages type=AVC msg=audit(1302218206.356:782): avc: denied { search } for pid=29577 comm="telinit" name="1" dev=proc ino=6005 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir type=AVC msg=audit(1302218206.356:782): avc: denied { read } for pid=29577 comm="telinit" name="root" dev=proc ino=1334681 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file type=AVC msg=audit(1302218206.356:782): avc: denied { read } for pid=29577 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file type=SYSCALL msg=audit(1302218206.356:782): arch=x86_64 syscall=stat success=yes exit=0 a0=41f7bc a1=7fffeabe2c60 a2=7fffeabe2c60 a3=3 items=0 ppid=28601 pid=29577 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=93 comm=telinit exe=/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null) Hash: telinit,prelink_cron_system_t,init_t,dir,search audit2allow #============= prelink_cron_system_t ============== allow prelink_cron_system_t init_t:dir search; allow prelink_cron_system_t init_t:file read; allow prelink_cron_system_t init_t:lnk_file read; audit2allow -R #============= prelink_cron_system_t ============== allow prelink_cron_system_t init_t:dir search; allow prelink_cron_system_t init_t:file read; allow prelink_cron_system_t init_t:lnk_file read;
Fixed in selinux-policy-3.9.16-13.fc15
selinux-policy-3.9.16-14.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-14.fc15
Package selinux-policy-3.9.16-14.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-14.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-14.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-15.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-15.fc15
selinux-policy-3.9.16-15.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
I just got this denial, but I have selinux-policy-3.9.16-15.fc15 installed already
Please show us the actual avc ausearch -m avc -ts recent Also if you run the AVC though audit2allow, what does it say ausearch -m avc -ts recent | audit2allow
it returns just <no match> looking at man page, I've replaced 'recent' (10 minutes) with 'today' # ausearch -m avc -ts today time->Wed Apr 27 03:28:52 2011 type=SYSCALL msg=audit(1303867732.377:1126): arch=c000003e syscall=4 success=yes exit=0 a0=41fd14 a1=7fffad7dd280 a2=7fffad7dd280 a3=3 items=0 ppid=1936 pid=8197 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=131 comm="telinit" exe="/bin/systemctl" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1303867732.377:1126): avc: denied { read } for pid=8197 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file type=AVC msg=audit(1303867732.377:1126): avc: denied { read } for pid=8197 comm="telinit" name="root" dev=proc ino=17538341 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file type=AVC msg=audit(1303867732.377:1126): avc: denied { search } for pid=8197 comm="telinit" name="1" dev=proc ino=8349 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir ---- time->Wed Apr 27 13:04:26 2011 type=SYSCALL msg=audit(1303902266.590:1299): arch=c000003e syscall=137 success=yes exit=0 a0=e87640 a1=7fff570d8130 a2=3cf3716628 a3=7fff570d7eb0 items=0 ppid=18004 pid=18005 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=109 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1303902266.590:1299): avc: denied { read } for pid=18005 comm="gnome-keyring-d" name=".cache" dev=sdb2 ino=1831502 scontext=unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=lnk_file =============================================== # ausearch -m avc -ts today | audit2allow libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:staff_gkeyringd_t:s0-s0:c0.c1023 to sid #============= prelink_cron_system_t ============== allow prelink_cron_system_t init_t:dir search; allow prelink_cron_system_t init_t:file read; allow prelink_cron_system_t init_t:lnk_file read; ======================================================= looking at setroubleshoot report there is: SELinux is preventing /bin/systemctl from search access on the directory 1. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemctl should be allowed search access on the 1 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep telinit /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c 1023 Target Context system_u:system_r:init_t:s0 Target Objects 1 [ dir ] Source telinit Source Path /bin/systemctl Port <Unknown> Host krles.brq.redhat.com Source RPM Packages systemd-units-25-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-15.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name krles.brq.redhat.com Platform Linux krles.brq.redhat.com 2.6.38.2-14.fc15.x86_64 #1 SMP Mon Apr 11 23:50:28 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 27 Apr 2011 03:28:52 AM CEST Last Seen Wed 27 Apr 2011 03:28:52 AM CEST Local ID 91d0da69-1896-4ec0-9616-af7dbaec682a Raw Audit Messages type=AVC msg=audit(1303867732.377:1126): avc: denied { search } for pid=8197 comm="telinit" name="1" dev=proc ino=8349 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir type=AVC msg=audit(1303867732.377:1126): avc: denied { read } for pid=8197 comm="telinit" name="root" dev=proc ino=17538341 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file type=AVC msg=audit(1303867732.377:1126): avc: denied { read } for pid=8197 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file type=SYSCALL msg=audit(1303867732.377:1126): arch=x86_64 syscall=stat success=yes exit=0 a0=41fd14 a1=7fffad7dd280 a2=7fffad7dd280 a3=3 items=0 ppid=1936 pid=8197 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=131 comm=telinit exe=/bin/systemctl subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null) Hash: telinit,prelink_cron_system_t,init_t,dir,search audit2allow #============= prelink_cron_system_t ============== allow prelink_cron_system_t init_t:dir search; allow prelink_cron_system_t init_t:file read; allow prelink_cron_system_t init_t:lnk_file read; audit2allow -R #============= prelink_cron_system_t ============== allow prelink_cron_system_t init_t:dir search; allow prelink_cron_system_t init_t:file read; allow prelink_cron_system_t init_t:lnk_file read;
Miroslav it looks like we need to add ps_process_pattern($1, init_t) to init_telinit
Fixed in selinux-policy-3.9.16-19.fc15
selinux-policy-3.9.16-21.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-21.fc15
Package selinux-policy-3.9.16-21.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-21.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-21.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-21.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.