Description of problem:
SELinux reports that it "is preventing /bin/systemd-tmpfiles from getattr access on the sock_file /run/lirc/lircd." I did search for this error message on bugzilla and the search reported no such bug report. See SELinux report below.

Version-Release number of selected component (if applicable):
systemd-37-17.fc16.x86_64

How reproducible:
Every time system starts, re-boots or recovers from hibernating or sleeping.

Steps to Reproduce:
1. Start/Re-Boot/Awaken from sleep or hibernation the computer.
2.
3.

Actual results:
SELinux is preventing /bin/systemd-tmpfiles from getattr access on the sock_file /run/lirc/lircd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed getattr access on the lircd sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:lircd_var_run_t:s0
Target Objects                /run/lirc/lircd [ sock_file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-units-37-17.fc16.x86_64
Target RPM Packages           lirc-0.9.0-7.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.1-5.fc16.x86_64 #1 SMP Tue Apr 10 19:56:52 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 16 Apr 2012 09:25:42 PM CDT
Last Seen                     Sun 22 Apr 2012 06:27:55 PM CDT
Local ID                      9e32fe72-3fa1-416b-ae40-8f1ba04855f9

Raw Audit Messages
type=AVC msg=audit(1335137275.785:38419): avc: denied { getattr } for pid=23955 comm="systemd-tmpfile" path="/run/lirc/lircd" dev="tmpfs" ino=24710 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:lircd_var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1335137275.785:38419): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=4 a1=b4b30b a2=7fffe86e5c30 a3=100 items=0 ppid=1 pid=23955 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,lircd_var_run_t,sock_file,getattr

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t lircd_var_run_t:sock_file getattr;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t lircd_var_run_t:sock_file getattr;

Expected results:
No error message.

Additional info:
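As an added illustration (not part of the report, and not Fedora's or SELinux's own tooling), the script below does in Python what the `grep ... | audit2allow` pipeline suggested by the catchall plugin does: it parses the raw AVC and SYSCALL records, correlates them by audit serial, and emits the allow rule that audit2allow prints above. The sample input is the report's own two audit records; the function names are mine.

```python
import re
from collections import defaultdict

# The two raw audit records quoted in the report above, used as sample input.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1335137275.785:38419): avc: denied { getattr } for pid=23955 '
    'comm="systemd-tmpfile" path="/run/lirc/lircd" dev="tmpfs" ino=24710 '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:object_r:lircd_var_run_t:s0 tclass=sock_file\n'
    'type=SYSCALL msg=audit(1335137275.785:38419): arch=x86_64 syscall=newfstatat '
    'success=no exit=EACCES a0=4 a1=b4b30b a2=7fffe86e5c30 a3=100 items=0 ppid=1 '
    'pid=23955 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles '
    'subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)\n'
)

# type=... msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# avc: denied { perm perm ... } for key=value ...
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm, path, dev)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(s):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def context_type(ctx):
    """Extract the type from user:role:type[:range]; the MLS range may itself contain ':'."""
    return ctx.split(':', 3)[2]


def parse_audit(text):
    """Return the AVC denials in `text`, each joined to the SYSCALL record sharing its serial."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        serial = int(m.group('serial'))
        if m.group('type') == 'AVC':
            a = AVC_RE.search(m.group('body'))
            if not a or a.group('verdict') != 'denied':
                continue
            f = parse_fields(a.group('fields'))
            denials.append({
                'serial': serial,
                'perms': a.group('perms').split(),
                'stype': context_type(f['scontext']),
                'ttype': context_type(f['tcontext']),
                'tclass': f['tclass'],
                'comm': f.get('comm'),
                'path': f.get('path'),
                'syscall': None,
                'exit': None,
            })
        elif m.group('type') == 'SYSCALL':
            syscalls[serial] = parse_fields(m.group('body'))
    # The SYSCALL record with the same serial tells us which call failed and how.
    for d in denials:
        sc = syscalls.get(d['serial'])
        if sc:
            d['syscall'], d['exit'] = sc.get('syscall'), sc.get('exit')
    return denials


def allow_rules(denials):
    """Collapse denials into allow rules keyed by (source type, target type, class), audit2allow style."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        ps = sorted(p)
        perm_str = ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'
        rules.append(f'allow {s} {t}:{c} {perm_str};')
    return rules


def describe(d):
    """One human-readable line per denial, for reviewing before loading any module."""
    text = (f"{d['comm']} ({d['stype']}) denied {' '.join(d['perms'])} on "
            f"{d['tclass']} {d['path']} ({d['ttype']})")
    if d['syscall']:
        text += f"; {d['syscall']} returned {d['exit']}"
    return text


if __name__ == '__main__':
    found = parse_audit(SAMPLE_AUDIT)
    for d in found:
        print(describe(d))
    print('\n'.join(allow_rules(found)))
```

Reading the denials in this form before running `semodule -i` is the useful step: the rule it would load is exactly the one the report shows, and the description makes clear that it came from a failing `newfstatat` (the age check), which is what comment #1 below goes on to explain.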
lirc ships /etc/tmpfiles.d/lirc.conf with the contents:

d /var/run/lirc 0755 root root 10d

The "10d" tells systemd-tmpfiles to periodically remove files that have not been used for 10 days. The SELinux denial occurred when systemd-tmpfiles attempted to test the age of the file. Assuming this configuration makes sense for lircd, the policy should not prevent the operation.

Dan, Miroslav, since any package can install a tmpfiles.d fragment to let systemd-tmpfiles handle the package's directories, which can have all kinds of SELinux contexts, it seems that systemd-tmpfiles should be granted quite broad permissions by the policy to avoid these kinds of denial reports in the future. Is it acceptable? Or would you recommend some changes in how systemd-tmpfiles works to make it work more nicely with SELinux? For example, systemd-tmpfiles could switch its domain depending on the context of the config file it is processing.
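Added example, not from this bug report or from systemd: a small parser for tmpfiles.d lines that converts the age field (the "10d" quoted above) into seconds and lists which entries will make systemd-tmpfiles stat their contents during cleanup, which is the getattr that was denied. The lirc line is the one quoted in the comment; the other two entries and the helper names are constructed for illustration. The age units handled (us, ms, s, m/min, h, d, w, optionally concatenated) are the ones documented for tmpfiles.d; a bare number is treated as seconds.

```python
import re

# Constructed sample fragment. The first entry is the lirc.conf line quoted in the
# comment; the other two entries are made up to show an ageless and a compound age.
SAMPLE_CONF = """
# /etc/tmpfiles.d/lirc.conf as quoted in the comment above
d /var/run/lirc 0755 root root 10d
# constructed entries for illustration
d /run/example-noage 0755 root root -
D /var/tmp/example-cache 1777 root root 1h30min
"""

UNIT_SECONDS = {'us': 1e-6, 'ms': 1e-3, 's': 1, 'm': 60, 'min': 60,
                'h': 3600, 'd': 86400, 'w': 604800}
# Order matters: longer unit names must be tried before their prefixes.
AGE_RE = re.compile(r'(\d+)(us|ms|min|s|m|h|d|w)?')


def parse_age(spec):
    """Convert a tmpfiles.d age such as '10d' or '1h30min' to seconds; '-' means no age."""
    if spec in ('-', ''):
        return None
    total, pos = 0, 0
    for m in AGE_RE.finditer(spec):
        if m.start() != pos or m.end() == m.start():
            raise ValueError(f'bad age spec: {spec!r}')
        total += int(m.group(1)) * UNIT_SECONDS[m.group(2) or 's']
        pos = m.end()
    if pos != len(spec) or pos == 0:
        raise ValueError(f'bad age spec: {spec!r}')
    return total


def parse_tmpfiles(text):
    """Parse tmpfiles.d lines into dicts: type path mode uid gid age argument."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(None, 6)
        fields += ['-'] * (7 - len(fields))          # missing trailing fields mean "-"
        etype, path, mode, uid, gid, age, arg = fields
        entries.append({'type': etype, 'path': path, 'mode': mode, 'uid': uid,
                        'gid': gid, 'age': age, 'age_seconds': parse_age(age),
                        'argument': arg})
    return entries


def age_scanned(entries):
    """Entries with an age: on cleanup, systemd-tmpfiles must stat everything under them."""
    return [e for e in entries if e['age_seconds'] is not None]


if __name__ == '__main__':
    for e in age_scanned(parse_tmpfiles(SAMPLE_CONF)):
        print(f"{e['path']}: contents older than {e['age_seconds']} s are removed on cleanup")
```

The point for policy work is the last function: every directory listed with an age field is one where systemd-tmpfiles will call stat() on whatever the owning package has created there, sockets included, under whatever label that package's policy assigned.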
(In reply to comment #1)
> For example, systemd-tmpfiles could switch its domain depending on the context
> of the config file it is processing.

On second thought, this may not be the brightest idea. It would be difficult to explain the rules for SELinux labels of files in /etc/tmpfiles.d/ to administrators. And allowing systemd-tmpfiles to transition to various domains would annihilate the possible benefits.
We should allow it to getattr on all sockets and pipes. Fixed in selinux-policy-3.10.0-118.fc17
selinux-policy-3.10.0-86.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-86.fc16
Package selinux-policy-3.10.0-86.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-86.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6613/selinux-policy-3.10.0-86.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-86.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.