Bug 804598 - SELinux is preventing systemd-logind
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-03-19 07:30 EDT by Germano Massullo
Modified: 2012-04-21 23:37 EDT
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-21 23:37:16 EDT

Description Germano Massullo 2012-03-19 07:30:52 EDT
Description of problem:
I downloaded the rpm file of DraftSight http://www.3ds.com/it/products/draftsight/download-draftsight/
and I started installing it with yum localinstall, when I had the following SELinux alerts:

SELinux is preventing systemd-logind from search access on the folder `@.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed search access on the `@ directory by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                `@ [ dir ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              3
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:36 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1332156456.117:165): avc:  denied  { search } for  pid=977 comm="systemd-logind" name="6040" dev=proc ino=59048 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=dir


Hash: systemd-logind,systemd_logind_t,rpm_script_t,dir,search

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:dir search;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:dir search;

SELinux is preventing systemd-logind from read access on the file sessionid.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed read access on the sessionid file by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                sessionid [ file ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              4
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:41 CET
ID locale                   

Messaggi Raw Audit
type=AVC msg=audit(1332156461.107:194): avc:  denied  { read } for  pid=977 comm="systemd-logind" name="sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file


Hash: systemd-logind,systemd_logind_t,rpm_script_t,file,read

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file read;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file read;

SELinux is preventing systemd-logind from open access on the file sessionid.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed open access on the sessionid file by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                sessionid [ file ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              4
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:41 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1332156461.107:195): avc:  denied  { open } for  pid=977 comm="systemd-logind" name="sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file


Hash: systemd-logind,systemd_logind_t,rpm_script_t,file,open

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file open;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file open;

SELinux is preventing systemd-logind from getattr access on the file /proc/<pid>/sessionid.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that systemd-logind should be allowed getattr access on the sessionid file by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:systemd_logind_t:s0
Contesto target               unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Oggetti target                /proc/<pid>/sessionid [ file ]
Sorgente                      systemd-logind
Percorso della sorgente       systemd-logind
Porta                         <Sconosciuto>
Host                          Portatile
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Portatile
Piattaforma                   Linux Portatile 3.2.10-3.fc16.i686 #1 SMP Thu Mar
                              15 21:16:58 UTC 2012 i686 i686
Conteggio avvisi              4
Primo visto                   lun 19 mar 2012 12:23:21 CET
Ultimo visto                  lun 19 mar 2012 12:27:41 CET
ID locale                     

Messaggi Raw Audit
type=AVC msg=audit(1332156461.107:196): avc:  denied  { getattr } for  pid=977 comm="systemd-logind" path="/proc/6303/sessionid" dev=proc ino=59356 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=file


Hash: systemd-logind,systemd_logind_t,rpm_script_t,file,getattr

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file getattr;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t rpm_script_t:file getattr;
Comment 1 Daniel Walsh 2012-03-19 11:03:38 EDT
yum -y update

This should be fixed in latest updates
Comment 2 Fedora Update System 2012-04-18 08:55:06 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 3 Fedora Update System 2012-04-21 23:37:16 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
