Bug 731249 - SELinux is preventing /bin/systemctl from 'use' accesses on the fd /dev/null.
Summary: SELinux is preventing /bin/systemctl from 'use' accesses on the fd /dev/null.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:372232ddea952bc0f5d3a4abcb8...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-17 07:06 UTC by Iván Jiménez
Modified: 2011-09-07 03:19 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.10.0-21.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-07 03:19:47 UTC


Attachments (Terms of Use)

Description Iván Jiménez 2011-08-17 07:06:25 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-1.fc16.x86_64
reason:         SELinux is preventing /bin/systemctl from 'use' accesses on the fd /dev/null.
time:           Wed Aug 17 07:06:01 2011

description:
:SELinux is preventing /bin/systemctl from 'use' accesses on the fd /dev/null.
:
:*****  Plugin catchall_boolean (80.5 confidence) suggests  *******************
:
:If you want to allow all domains to use other domains file descriptors
:Then you must tell SELinux about this by enabling the 'allow_domain_fd_use' boolean.
:Do
:setsebool -P allow_domain_fd_use 1
:
:*****  Plugin leaks (10.5 confidence) suggests  ******************************
:
:If you want to ignore systemctl trying to use access the null fd, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /bin/systemctl /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (10.5 confidence) suggests  ***************************
:
:If you believe that systemctl should be allowed use access on the null fd by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.
:                              c1023
:Target Context                system_u:system_r:init_t:s0
:Target Objects                /dev/null [ fd ]
:Source                        systemctl
:Source Path                   /bin/systemctl
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           systemd-units-33-1.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.0.0-1.fc16.x86_64 #1
:                              SMP Fri Jul 22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    mié 17 ago 2011 07:05:09 COT
:Last Seen                     mié 17 ago 2011 07:05:09 COT
:Local ID                      d08851a4-0857-4ccc-8da6-7dbd23f869ad
:
:Raw Audit Messages
:type=AVC msg=audit(1313582709.660:154): avc:  denied  { use } for  pid=5548 comm="systemctl" path="/dev/null" dev=devtmpfs ino=5062 scontext=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=fd
:
:
:type=SYSCALL msg=audit(1313582709.660:154): arch=x86_64 syscall=execve success=yes exit=0 a0=7ffff46064ba a1=7ffff4606590 a2=7ffff4608b88 a3=7ffff46083b0 items=0 ppid=5543 pid=5548 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_systemctl_t:s0-s0:c0.c1023 key=(null)
:
:Hash: systemctl,gnomeclock_systemctl_t,init_t,fd,use
:
:audit2allow
:
:#============= gnomeclock_systemctl_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'
:
:allow gnomeclock_systemctl_t init_t:fd use;
:
:audit2allow -R
:
:#============= gnomeclock_systemctl_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_domain_fd_use'
:
:allow gnomeclock_systemctl_t init_t:fd use;
:

Comment 1 Daniel Walsh 2011-08-17 11:56:28 UTC
Should be fixed in selinux-policy-3.10.0-18.fc16.noarch

Comment 2 Fedora Update System 2011-08-24 11:39:03 UTC
selinux-policy-3.10.0-21.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-21.fc16

Comment 3 Fedora Update System 2011-08-24 22:46:01 UTC
Package selinux-policy-3.10.0-21.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-21.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-21.fc16
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-09-07 03:19:11 UTC
selinux-policy-3.10.0-21.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.