libreport version: 2.0.6 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.1-2.fc16.x86_64 reason: SELinux is preventing /lib/systemd/systemd-logind from 'setattr' accesses on the blk_file sr0. time: Mon Nov 21 17:47:57 2011 description: :SELinux is preventing /lib/systemd/systemd-logind from 'setattr' accesses on the blk_file sr0. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that systemd-logind should be allowed setattr access on the sr0 blk_file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:systemd_logind_t:s0 :Target Context system_u:object_r:virt_content_t:s0 :Target Objects sr0 [ blk_file ] :Source systemd-logind :Source Path /lib/systemd/systemd-logind :Port <Unknown> :Host (removed) :Source RPM Packages systemd-37-3.fc16 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-55.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.1.1-2.fc16.x86_64 #1 SMP Mon Nov : 14 15:46:10 UTC 2011 x86_64 x86_64 :Alert Count 2 :First Seen Sun 20 Nov 2011 23:31:06 IST :Last Seen Sun 20 Nov 2011 23:31:28 IST :Local ID c6520185-4c09-4717-9d0f-0f97a0a03b58 : :Raw Audit Messages :type=AVC msg=audit(1321812088.936:518): avc: denied { setattr } for pid=1035 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1144 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file : : :type=SYSCALL msg=audit(1321812088.936:518): arch=x86_64 syscall=setxattr success=yes exit=0 a0=b57b40 a1=3c1b005d2b a2=b58340 a3=2c items=0 ppid=1 pid=1035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) : :Hash: systemd-logind,systemd_logind_t,virt_content_t,blk_file,setattr : :audit2allow : :#============= systemd_logind_t ============== :allow systemd_logind_t virt_content_t:blk_file setattr; : :audit2allow -R : :#============= systemd_logind_t ============== :allow systemd_logind_t virt_content_t:blk_file setattr; :
We have the following sesearch -A -s systemd_logind_t -c blk_file -p setattr --dontaudit Found 1 semantic av rules: allow systemd_logind_t removable_device_t : blk_file setattr ; But I am not sure what we should do here, since this /dev/sr0 is being used by a virtual machine.
Should be fixed in the latest release.
I got this alert today, has the new policy already been released ? I have done all the updates for fc16 stable.
Could you add your output of $ rpm -q selinux-policy
And also AVC msgs which you are getting.
Here are my version info and AVC msgs: [syl@virt assembly]$ rpm -q selinux-policy selinux-policy-3.10.0-80.fc16.noarch Raw Audit Messages type=AVC msg=audit(1334439780.545:17200): avc: denied { setattr } for pid=6233 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1191 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file type=SYSCALL msg=audit(1334439780.545:17200): arch=x86_64 syscall=setxattr success=yes exit=0 a0=6623d0 a1=3828805d2b a2=664810 a3=24 items=0 ppid=1 pid=6233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null)
We have dev_setattr_all_chr_files(systemd_logind_t) but this is used by a virtual machine I would dontaudit it.
The real bug is that libvirt relabeled the device to virt_conten_t rather then its default label, which should be matchpathcon /dev/sr0 /dev/sr0 system_u:object_r:removable_device_t:s0
*** Bug 824137 has been marked as a duplicate of this bug. ***
*** Bug 795100 has been marked as a duplicate of this bug. ***
svirt guests are already allowed to read removable_device_t, right? So maybe the fix here is to not relabel devices we can already access. Not sure if that's considered insecure WRT svirt though, or if we can even determine the list of labels that we shouldn't need to change. Besides that the only solutions I can see are 1) starting to restore label on disks marked <readonly/>, telling any affected users that their shared images need to have <shareable/>, or 2) 'that's what happens when you use svirt and a shared system device, sorry' danpb any thoughts
*** Bug 826299 has been marked as a duplicate of this bug. ***
Yes I agree a readonly device is probably going to be shared so we should not be relabeling it.
*** Bug 909590 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
*** Bug 871790 has been marked as a duplicate of this bug. ***
Still not fixed, but this is basically a bigger problem that should be tracked upstream.
*** Bug 1246247 has been marked as a duplicate of this bug. ***
The proper fix IMO is for libvirt to not change the label for readonly disk images, if it's already labelled in such a way that we can already access it. I previously outlined on this upstream mailing list: https://www.redhat.com/archives/libvir-list/2015-April/msg01400.html Repurposing this bug to track that work
*** Bug 842831 has been marked as a duplicate of this bug. ***
Description of problem: Just inserted an CD ROM Version-Release number of selected component: selinux-policy-3.13.1-158.12.fc23.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.6-301.fc23.x86_64 type: libreport
Is this fixed now? Can I close it?
Yes I think it's as fixed as it is going to get. It has limitations in that it only restores labels/uid for read/write disk images, but I don't think libvirt will ever be providing more than that. This is the setting specified by remember_owner in /etc/libvirtd/qemu.conf, it is on by default