Bug 708672 - SELinux is preventing /bin/systemd-notify from 'search' accesses on the directory /sys.
Summary: SELinux is preventing /bin/systemd-notify from 'search' accesses on the direc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:8fcb7da0667...
Depends On:
Blocks:
 
Reported: 2011-05-28 19:08 UTC by Stijn Hoop
Modified: 2011-06-24 03:54 UTC (History)

Fixed In Version: selinux-policy-3.9.16-30.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-24 03:54:11 UTC
Type: ---
Embargoed:



Description Stijn Hoop 2011-05-28 19:08:18 UTC
SELinux is preventing /bin/systemd-notify from 'search' accesses on the directory /sys.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-notify should be allowed search access on the sys directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-notify /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_notify_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ dir ]
Source                        systemd-notify
Source Path                   /bin/systemd-notify
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-28-1.fc16
Target RPM Packages           filesystem-2.4.42-1.fc16
Policy RPM                    selinux-policy-3.9.16-24.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.39-1.fc16.x86_64
                              #1 SMP Sat May 21 02:34:01 UTC 2011 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 27 May 2011 08:05:02 PM CEST
Last Seen                     Sat 28 May 2011 08:57:12 PM CEST
Local ID                      a04ed3a3-db3e-4fa3-8257-a4e23e8f07a6

Raw Audit Messages
type=AVC msg=audit(1306609032.322:49): avc:  denied  { search } for  pid=1567 comm="systemd-notify" name="/" dev=sysfs ino=1 scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1306609032.322:49): arch=x86_64 syscall=statfs success=no exit=EACCES a0=7f299eed1510 a1=7fff1f6978d0 a2=1000 a3=7fff1f697660 items=0 ppid=1 pid=1567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-notify exe=/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)

Hash: systemd-notify,systemd_notify_t,sysfs_t,dir,search

audit2allow

#============= systemd_notify_t ==============
allow systemd_notify_t sysfs_t:dir search;

audit2allow -R

#============= systemd_notify_t ==============
allow systemd_notify_t sysfs_t:dir search;
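
The report above runs the raw AVC record through audit2allow to get the one-line allow rule, and the catchall plugin suggests `audit2allow -M mypol` to turn it into a loadable module. The following script is an added example, not part of the bug report and not the audit2allow tool itself: it re-implements the core of that step so the transformation is visible. It extracts the source type, target type, object class and denied permissions from each AVC line, merges duplicates the way audit2allow does, and renders both the grouped allow listing and the .te source that `audit2allow -M` writes before compiling it. The first sample line is the AVC record quoted in the report; the SYSCALL line shows that non-AVC records are skipped; the third line is a constructed second denial (not from the report) that exists only to show permission merging.

```python
"""Minimal audit2allow-style parser for SELinux AVC denial records.

Added example; not part of the bug report and not the real audit2allow code.
"""
import re
from collections import defaultdict

# Matches the parts of an AVC denial that a policy rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

SAMPLE_AUDIT = [
    # The AVC record quoted in the bug report (denied statfs on the /sys root dir).
    'type=AVC msg=audit(1306609032.322:49): avc:  denied  { search } for  pid=1567 '
    'comm="systemd-notify" name="/" dev=sysfs ino=1 '
    'scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    # The accompanying SYSCALL record from the report; not an AVC record, so it is skipped.
    'type=SYSCALL msg=audit(1306609032.322:49): arch=x86_64 syscall=statfs success=no exit=EACCES',
    # Constructed second denial (NOT from the report) to show how permissions merge.
    'type=AVC msg=audit(1306609099.000:50): avc:  denied  { read } for  pid=1570 '
    'comm="systemd-notify" name="/" dev=sysfs ino=1 '
    'scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
]


def _type_of(context):
    """Return the type field (third element) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (
        _type_of(m.group("scontext")),
        _type_of(m.group("tcontext")),
        m.group("tclass"),
        set(m.group("perms").split()),
    )


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_perms(perms):
    """Single permission bare; several inside braces, sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_allow_rules(rules):
    """Render the per-source-type listing that plain audit2allow prints."""
    out = []
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {ttype}:{tclass} {format_perms(perms)};")
    return "\n".join(out)


def render_te_module(rules, name="mypol", version="1.0"):
    """Render the .te source (module header, require block, rules) of audit2allow -M."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {format_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", "", render_allow_rules(rules)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_te_module(collect_rules(SAMPLE_AUDIT)))
```

Run with only the report's own AVC line and the output reduces to the `allow systemd_notify_t sysfs_t:dir search;` rule shown above, wrapped in the module header and require block. The real `audit2allow -M` then compiles that source with `checkmodule -M -m` and `semodule_package` into the `mypol.pp` that `semodule -i` loads. As this bug shows, such a local module is a stopgap for a gap in the shipped policy: the denial was caused by systemd-notify's statfs() on sysfs, the proper fix landed in selinux-policy-3.9.16-30.fc15, and a local module granting the same access should be removed once the distribution policy covers it, so that the allow set does not silently outlive the reason it was written.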

Comment 1 Dominick Grift 2011-05-28 19:48:32 UTC
systemd-notify --boot stat() /sys/fs/group/systemd in order to determine whether systemd is running:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=90438146289f1e2bc07a7b01c014ccbeb9ba4ab5

Comment 2 Miroslav Grepl 2011-05-30 07:35:35 UTC
Fixed in selinux-policy-3.9.16-27.fc15

Comment 3 Fedora Update System 2011-06-10 10:49:47 UTC
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15

Comment 4 Fedora Update System 2011-06-11 04:29:06 UTC
Package selinux-policy-3.9.16-29.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-06-21 17:30:53 UTC
Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-06-24 03:52:34 UTC
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

