This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 748921 - (selinux_systemctl) SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup....
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:9141bf342b348e9456eaf5fccd0...
:
: 752145 752202 753081 753082 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-25 11:09 EDT by Jeremy
Modified: 2011-11-12 13:28 EST (History)
31 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-55.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-11-10 12:30:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jeremy 2011-10-25 11:09:21 EDT
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc10.git0.1.fc16.x86_64
reason:         SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
time:           Tue Oct 25 11:09:05 2011

description:
:SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that systemctl should be allowed read access on the cgroup.procs file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:cgroup_t:s0
:Target Objects                cgroup.procs [ file ]
:Source                        systemctl
:Source Path                   /bin/systemctl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           systemd-units-37-2.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-46.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux fed-lap 3.1.0-0.rc10.git0.1.fc16.x86_64 #1
:                              SMP Wed Oct 19 05:02:17 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Tue 25 Oct 2011 02:32:35 PM EDT
:Last Seen                     Tue 25 Oct 2011 02:32:35 PM EDT
:Local ID                      ed6b60b1-5d12-496b-b837-89de08ff974b
:
:Raw Audit Messages
:type=AVC msg=audit(1319567555.312:61): avc:  denied  { read } for  pid=2178 comm="systemctl" name="cgroup.procs" dev=cgroup ino=16437 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1319567555.312:61): arch=x86_64 syscall=open success=no exit=EACCES a0=7250b0 a1=80000 a2=1b6 a3=68632f6d65747379 items=0 ppid=2176 pid=2178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/bin/systemctl subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
:
:Hash: systemctl,gnomeclock_t,cgroup_t,file,read
:
:audit2allow
:
:#============= gnomeclock_t ==============
:allow gnomeclock_t cgroup_t:file read;
:
:audit2allow -R
:
:#============= gnomeclock_t ==============
:allow gnomeclock_t cgroup_t:file read;
:
Comment 1 Sandro Mathys 2011-10-28 04:07:29 EDT
I've also seen this with a fresh F16 Final TC3 Live Desktop installation. After installation, I rebooted, did the firstboot stuff, logged in, clicked around a little (including the Gnome Shell's panel clock).

I think this AVC came up by clicking "Date and Time Settings" below the calendar that's shown as part of the panel clock.
Comment 2 Daniel Walsh 2011-10-28 09:59:55 EDT
Fixed in selinux-policy-3.10.0-52.fc16
Comment 3 Charles R. Anderson 2011-10-31 06:00:50 EDT
Opened Date and Time Settings.

Possible blocker under:

http://fedoraproject.org/wiki/QA:Testcase_desktop_panel_basic

"No crashes should occur in any item of the default panel configuration upon basic interaction"
Comment 4 Charles R. Anderson 2011-10-31 06:45:52 EDT
Or rather a possible blocker under this one:

https://fedoraproject.org/wiki/QA:Testcase_desktop_panel_advanced

"No crashes should occur in any item of the default panel configuration upon typical interaction"
Comment 5 Charles R. Anderson 2011-10-31 07:10:19 EDT
(In reply to comment #2)
> Fixed in selinux-policy-3.10.0-52.fc16

I did a full relabel/reboot after installing this, and it does not fix the problem for me.  I still see the AVC when opening Date and Time Settings, reproducible every single time.

selinux-policy-3.10.0-52.fc16.noarch
selinux-policy-targeted-3.10.0-52.fc16.noarch
Comment 6 Paul W. Frields 2011-10-31 08:39:24 EDT
The SELinux alert happens, but this doesn't crash the applet for me.  I'm still able to perform the app functions such as setting the timezone, display, and network time subscription.
Comment 7 Miroslav Grepl 2011-10-31 09:37:53 EDT
Fixed in selinux-policy-3.10.0-53.fc16
Comment 8 Adam Williamson 2011-10-31 10:59:01 EDT
if it's not a crash, it's not a blocker. -1.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 9 Adam Williamson 2011-10-31 12:24:52 EDT
Discussed at 2011-10-31 QA meeting acting as blocker review meeting. Agreed that as it doesn't cause the app to crash or fail this does not meet the criterion cited, and as it doesn't happen just when you boot up, it doesn't meet the 'no AVCs on boot' criterion either. As it requires an selinux-policy update to fix and those are dangerous, we also won't take it as NTH, we think it's best just to fix with a post-release update.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 10 Daniel Walsh 2011-10-31 14:21:14 EDT
I agree, and it does not block the resetting of the clock either, so it really is a nuisance AVC.  I am sure we will have the first update ready to go after F16 ships.
Comment 11 Fedora Update System 2011-11-08 09:05:35 EST
selinux-policy-3.10.0-55.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-55.fc16
Comment 12 Andre Inglis 2011-11-08 11:46:22 EST
When I try the solution given:

"You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp"

... I get this very similiar bug:

https://bugzilla.redhat.com/show_bug.cgi?id=752145
Comment 13 Daniel Walsh 2011-11-08 12:17:27 EST
*** Bug 752145 has been marked as a duplicate of this bug. ***
Comment 14 Daniel Walsh 2011-11-08 12:19:41 EST
Looks like this is all fixed in selinux-policy-3.10.0-55.fc16
Comment 15 Daniel Walsh 2011-11-08 15:03:26 EST
*** Bug 752202 has been marked as a duplicate of this bug. ***
Comment 16 Miroslav Grepl 2011-11-08 17:28:58 EST
Yes, it should be definitely fixed.
Comment 17 Fedora Update System 2011-11-10 12:30:03 EST
selinux-policy-3.10.0-55.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Daniel Walsh 2011-11-11 09:41:25 EST
*** Bug 753081 has been marked as a duplicate of this bug. ***
Comment 19 Daniel Walsh 2011-11-11 09:44:30 EST
*** Bug 753082 has been marked as a duplicate of this bug. ***
Comment 20 Andre Inglis 2011-11-12 13:28:56 EST
selinux-policy-3.10.0-55.fc16 was in the updates and applied on this machine. The issue seems to be resolved.

Thanks for fixing that so quickly. :)

Note You need to log in before you can comment on or make changes to this bug.