Description of problem:
At boot:
[ 19.252828] type=1400 audit(1337626012.275:4): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 19.253218] type=1400 audit(1337626012.276:5): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 19.253574] type=1400 audit(1337626012.276:6): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp2" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 19.253850] type=1400 audit(1337626012.276:7): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp3" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-125.fc17.noarch
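An added example, not part of this bug report: a small parser for the AVC records above that pulls the source and target types, object class and permission out of each denial and collapses the four records into one signature, which is how a reviewer sees at a glance that they share a single cause. The sample lines are constructed from the records quoted in the report.

```python
import re
from collections import Counter

# Sample lines constructed from the AVC records quoted in this report.
SAMPLE_LOG = """\
[ 19.252828] type=1400 audit(1337626012.275:4): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 19.253218] type=1400 audit(1337626012.276:5): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 19.253574] type=1400 audit(1337626012.276:6): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp2" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 19.253850] type=1400 audit(1337626012.276:7): avc: denied { create } for pid=443 comm="systemd-tmpfile" name="lp3" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

# Shape of a kernel AVC message: avc: denied { perm ... } for key=value key="quoted" ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2] if "scontext" in rec else None
    rec["ttype"] = rec["tcontext"].split(":")[2] if "tcontext" in rec else None
    return rec


def denial_signatures(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec.get("tclass"), perm)] += 1
    return counts


def affected_names(log_text):
    """Sorted object names from the denials, e.g. the /dev/lp* nodes in this report."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return sorted({r["name"] for r in recs if r and "name" in r})
```

The single signature that comes out (systemd_tmpfiles_t creating a chr_file labelled device_t) says the nodes are being created with the generic device label rather than the one the policy's file-name transition would assign, which is what the later comments trace to systemd-tmpfiles.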
Seeing this on F17 - with selinux-policy-3.10.0-128.fc17
This is a kernel issue since the policy has the filename transition rules to create the files with the right label. And the files end up with the correct label.
*** Bug 829431 has been marked as a duplicate of this bug. ***
Still seen with 3.5.0-0.rc2.git0.3.fc18.x86_64
I now believe this is a systemd issue. The problem is systemd-tmpfiles is telling the kernel to create the content as device_t rather than allowing the labeling to happen automatically or specifying the correct label. Later within the same process the device gets relabeled with the correct label. If you just remove the device and run systemd-tmpfiles create it will generate the avc, I believe.
I see the bug:

    label_context_set(i->path, CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);

Notice that the condition is a constant. It should be i->type==CREATE_BLOCK_DEVICE
http://cgit.freedesktop.org/systemd/systemd/commit/?id=e7aee75932e8a5bee54eefcc77f4702a3ea79db2
(In reply to comment #1)
> Seeing this on F17 - with selinux-policy-3.10.0-128.fc17

[root@localhost selinux]# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.10.0
Release     : 128.fc17
Architecture: noarch
Install Date: Пн. 04 июня 2012 23:03:55
Group       : System Environment/Base
Size        : 62
License     : GPLv2+
Signature   : RSA/SHA256, Пт. 01 июня 2012 08:29:00, Key ID 50e94c991aca3465
Source RPM  : selinux-policy-3.10.0-128.fc17.src.rpm
Build Date  : Чт. 31 мая 2012 01:42:11
Build Host  : x86-16.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

Error in /var/log/messages:
Jun 13 20:46:38 localhost kernel: [ 35.799743] type=1400 audit(1339605995.256:4): avc: denied { create } for pid=700 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 13 20:46:38 localhost kernel: [ 35.799840] type=1400 audit(1339605995.256:5): avc: denied { create } for pid=700 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 13 20:46:38 localhost kernel: [ 35.799899] type=1400 audit(1339605995.256:6): avc: denied { create } for pid=700 comm="systemd-tmpfile" name="lp2" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 13 20:46:38 localhost kernel: [ 35.799956] type=1400 audit(1339605995.256:7): avc: denied { create } for pid=700 comm="systemd-tmpfile" name="lp3" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

[root@localhost selinux]# rpm -qi cups
Name        : cups
Epoch       : 1
Version     : 1.5.3
Release     : 2.fc17
Architecture: x86_64
Install Date: Чт. 07 июня 2012 23:11:00
Group       : System Environment/Daemons
Size        : 9505130
License     : GPLv2
Signature   : RSA/SHA256, Пн. 28 мая 2012 19:53:40, Key ID 50e94c991aca3465
Source RPM  : cups-1.5.3-2.fc17.src.rpm
Build Date  : Пн. 28 мая 2012 13:19:09
Build Host  : x86-04.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.cups.org/
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for UNIX® operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces.
Great catch Michal, sorry to say I stared at that code and did not see the bug. :^(
systemd-44-14.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/systemd-44-14.fc17
For Rawhide the fix is in systemd-185-6.gite7aee75.fc18.
I can confirm systemd-44-14.fc17 fixes this bug for me.
Package systemd-44-14.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-44-14.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9471/systemd-44-14.fc17
then log in and leave karma (feedback).
(In reply to comment #13)
> Package systemd-44-14.fc17:
> * should fix your issue,
> * was pushed to the Fedora 17 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing systemd-44-14.fc17'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2012-9471/systemd-44-14.fc17
> then log in and leave karma (feedback).

All ok. You can add it to the stable repository. In 44.14 /dev/lp* are created successfully. After downgrading to 44.12, /dev/lp* are again not created. And why did this bug suddenly appear?)
systemd-44-14.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.