Bug 820491 - SELinux is preventing /usr/bin/ls from getattr access on the blk_file /dev/sda.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: tuned
Version: 17
Assigned To: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-10 03:27 EDT by Sebastian Krämer
Modified: 2013-02-14 04:24 EST
Fixed In Version: tuned-2.1.0-1.fc18
Doc Type: Bug Fix
Last Closed: 2013-02-14 04:24:21 EST
Type: Bug
Attachments:
SELinux alert after starting tuned in daemon mode (via systemd) (2.27 KB, text/plain)
2012-05-10 03:27 EDT, Sebastian Krämer
Description Sebastian Krämer 2012-05-10 03:27:04 EDT
Created attachment 583460
SELinux alert after starting tuned in daemon mode (via systemd)

Description of problem:
Installed tuned. Running as non-daemon yesterday worked fine. Today I did a 'service tuned start' and got an se-alert (see attachment). Systemd says the service started just fine and is running.

I'm using F17 Beta with latest 'yum upgrade'. selinux-policy{-targeted} have version 3.10.0-121.fc17.
Comment 1 Daniel Walsh 2012-05-12 07:12:11 EDT
Is tuned executing an ls of /dev?
Comment 2 Miroslav Grepl 2012-05-14 01:53:35 EDT
tuned does a lot of things now


https://bugzilla.redhat.com/show_bug.cgi?id=809832#c15

Mainly

"Remounts no boot and no root partitions with parameters 'barrier', 'nobarrier',
'commit=*', 'noatime'"

which means there is a script executing the mount command. But it looks like the tuned policy is going to be pretty powerful.
Comment 3 Jaroslav Škarvada 2012-05-14 03:02:43 EDT
(In reply to comment #2)
> Mainly
> 
> "Remounts no boot and no root partitions with parameters 'barrier',
> 'nobarrier',
> 'commit=*', 'noatime'"
> 
This is not a new feature, it was there in previous tuned versions (e.g. in RHEL-6), but the commands were initiated from /etc/ktune.d/tunedadm.sh (if the virtual-host profile was selected and tuned started). Now they are by default (can be changed) initiated from /etc/tuned/*/script.sh or /usr/lib/tuned/*/script.sh.

> which means there is a script executing the mount command. But it looks like
> the tuned policy is going to be pretty powerful.
>
We are working hard to move the functionality into the main tuned daemon. We are going to release a new f17 version of tuned soon, which will execute all tunings directly from the main daemon and not from the script. The script functionality will still be there for 'user specific tunings', but by default will not be used.
Comment 4 Daniel Walsh 2012-05-18 14:58:36 EDT
Well tuned currently has

optional_policy(`
	mount_domtrans(tuned_t)
')

Fixed in selinux-policy-3.10.0-126.fc17
Comment 5 Jan Vcelak 2012-12-03 06:10:35 EST
Resolved in:
tuned-2.1.0-1.fc18
tuned-2.1.0-1.fc19
Comment 6 Fedora Admin XMLRPC Client 2013-02-04 16:44:59 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Jaroslav Škarvada 2013-02-14 04:24:21 EST
I cannot see the AVC in the log. The current selinux policy is:
selinux-policy-3.10.0-166.fc17

Thus I think the problem is already fixed - I am closing this bug. Feel free to reopen if the problem persists.
