Bug 801740 - SELinux is preventing /usr/sbin/chkconfig from 'getattr' accesses on the file /usr/lib/systemd/systemd.
Summary: SELinux is preventing /usr/sbin/chkconfig from 'getattr' accesses on the file...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-samba
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nils Philippsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:eea515ba0e2876e6ab5ec5caa58...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-09 10:25 UTC by Barry Godusky
Modified: 2023-09-14 01:27 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-26 07:41:07 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Barry Godusky 2012-03-09 10:25:35 UTC 
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc6.git0.2.fc17.x86_64
reason:         SELinux is preventing /usr/sbin/chkconfig from 'getattr' accesses on the file /usr/lib/systemd/systemd.
time:           Fri 09 Mar 2012 05:25:18 AM EST

description:
:SELinux is preventing /usr/sbin/chkconfig from 'getattr' accesses on the file /usr/lib/systemd/systemd.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that chkconfig should be allowed getattr access on the systemd file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep chkconfig /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:sambagui_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:init_exec_t:s0
:Target Objects                /usr/lib/systemd/systemd [ file ]
:Source                        chkconfig
:Source Path                   /usr/sbin/chkconfig
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           chkconfig-1.3.59-1.fc17.x86_64
:Target RPM Packages           systemd-43-2.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-95.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.3.0-0.rc6.git0.2.fc17.x86_64 #1 SMP Mon Mar 5
:                              16:54:07 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Fri 09 Mar 2012 05:07:16 AM EST
:Last Seen                     Fri 09 Mar 2012 05:08:07 AM EST
:Local ID                      8e573136-f988-4706-9ec2-8b76f5ea45f7
:
:Raw Audit Messages
:type=AVC msg=audit(1331287687.280:117): avc:  denied  { getattr } for  pid=2085 comm="chkconfig" path="/usr/lib/systemd/systemd" dev="dm-1" ino=1445516 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1331287687.280:117): arch=x86_64 syscall=lstat success=no exit=EACCES a0=1c53430 a1=7fff0b549cb0 a2=7fff0b549cb0 a3=1000 items=0 ppid=2084 pid=2085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=chkconfig exe=/usr/sbin/chkconfig subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
:
:Hash: chkconfig,sambagui_t,init_exec_t,file,getattr
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Miroslav Grepl 2012-03-09 11:58:00 UTC 
Why does s-c-samba use chkconfig instead of systemctl?
Comment 2 Daniel Walsh 2012-03-09 14:33:01 UTC 
Does not seem like something we should block.
Comment 3 Nils Philippsen 2012-04-26 10:13:17 UTC 
(In reply to comment #1)
> Why does s-c-samba use chkconfig instead of systemctl?

Probably because of the old codebase... I have a piece of code to abstract SysV and systemd services lying around in s-c-date which I'll add to s-c-samba.
Comment 4 Nils Philippsen 2012-04-26 10:39:30 UTC 
commit 212f6b4287e2366f583a719c5a0cbdc49e2a568e
Author:     Nils Philippsen <nils>
AuthorDate: Thu Apr 26 12:21:59 2012 +0200

    don't run chkconfig on systemd service units (#801740)
    
    Copy and use service abstraction classes from system-config-date.
Comment 5 Fedora Update System 2012-04-26 11:21:51 UTC 
system-config-samba-1.2.97-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/system-config-samba-1.2.97-1.fc17
Comment 6 Fedora Update System 2012-04-26 11:21:52 UTC 
system-config-samba-1.2.97-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/system-config-samba-1.2.97-1.fc16
Comment 7 Fedora Update System 2012-04-26 11:21:54 UTC 
system-config-samba-1.2.97-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/system-config-samba-1.2.97-1.fc15
Comment 8 Fedora Update System 2012-04-26 19:25:14 UTC 
Package system-config-samba-1.2.97-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing system-config-samba-1.2.97-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6641/system-config-samba-1.2.97-1.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-05-11 10:25:43 UTC 
system-config-samba-1.2.97-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-05-11 10:32:38 UTC 
system-config-samba-1.2.97-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-05-26 07:41:07 UTC 
system-config-samba-1.2.97-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 David Sieg 2012-06-11 09:16:49 UTC 
(In reply to comment #11)
> system-config-samba-1.2.97-1.fc17 has been pushed to the Fedora 17 stable
> repository.  If problems still persist, please make note of it in this bug
> report.
Still happens on my system.
system-config-samba version: 1.2.97-1.fc17
selinux-policy-targeted: 3.10.0-128.fc17
Comment 13 Nils Philippsen 2012-06-11 13:38:46 UTC 
(In reply to comment #12)
> (In reply to comment #11)
> > system-config-samba-1.2.97-1.fc17 has been pushed to the Fedora 17 stable
> > repository.  If problems still persist, please make note of it in this bug
> > report.
> Still happens on my system.
> system-config-samba version: 1.2.97-1.fc17
> selinux-policy-targeted: 3.10.0-128.fc17

I've just tried this out with this version of s-c-samba, both smb and nmb services disabled and stopped. I straced both the frontend and backend (mechanism) programs and found no indication that s-c-samba called chkconfig for any reason. Would you please strace this and check if this is somehow different with you? The commands are:

As root:

strace -Ff -e execve -o /tmp/scsamba-mech.out /usr/share/system-config-samba/system-config-samba-mechanism.py

--> leave it running

As user:

strace -Ff -e execve -o /tmp/scsamba-ui.out /usr/bin/system-config-samba



Try to reproduce the issue and attach the resulting files /tmp/scsamba-mech.out and /tmp/scsamba-ui.out to this ticket. Thanks!
Comment 14 Red Hat Bugzilla 2023-09-14 01:27:58 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
Note You need to log in before you can comment on or make changes to this bug.