I can't tune /sys options via systemd's tmpfiles.d "w" type because SELinux denies its access.
http://0pointer.de/public/systemd-man/tmpfiles.d.html
From this commit: http://cgit.freedesktop.org/systemd/systemd/commit/?id=31ed59c51126fce7d958c188772a397e2a1ed010

cat /etc/tmpfiles.d/test.conf
w /sys/block/sda/queue/scheduler - - - - deadline

-------------------------------------------------------------------------
SELinux is preventing /usr/bin/systemd-tmpfiles from read access on the lnk_file sda.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed read access on the sda lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                sda [ lnk_file ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Desconhecido>
Host                          P4
Source RPM Packages           systemd-44-8.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     P4
Platform                      Linux P4 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Dom 27 Mai 2012 10:20:10 BRT
Last Seen                     Dom 27 Mai 2012 10:20:10 BRT
Local ID                      ffd4b2f3-d3e9-4c65-a052-9346c305380d

Raw Audit Messages
type=AVC msg=audit(1338124810.446:87): avc: denied { read } for pid=1776 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1338124810.446:87): arch=x86_64 syscall=open success=no exit=EACCES a0=215a210 a1=a0901 a2=1a4 a3=24 items=0 ppid=1 pid=1776 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,sysfs_t,lnk_file,read

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
With permissive mode it works.

-------------------------------------------------------------
SELinux is preventing /usr/bin/systemd-tmpfiles from module_request access on the system .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-tmpfiles should be allowed module_request access on the system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                [ system ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Desconhecido>
Host                          P4
Source RPM Packages           systemd-44-8.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     P4
Platform                      Linux P4 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Dom 27 Mai 2012 13:41:11 BRT
Last Seen                     Dom 27 Mai 2012 13:41:11 BRT
Local ID                      f38d7d24-6732-4bbf-bd84-5007ecf27fa3

Raw Audit Messages
type=AVC msg=audit(1338136871.693:92): avc: denied { module_request } for pid=1557 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

type=SYSCALL msg=audit(1338136871.693:92): arch=x86_64 syscall=writev success=yes exit=ENOEXEC a0=4 a1=7fff81396d20 a2=2 a3=24 items=0 ppid=1 pid=1557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,kernel_t,system,module_request

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Are you getting more AVC msgs in permissive mode?

grep systemd_tmpfiles_t /var/log/audit/audit.log | audit2allow
Today selinux-policy was updated to version 3.10.0-125.fc17. However the problem persists.

At boot systemd doesn't trigger any AVC (enforcing mode).

---
systemctl status systemd-tmpfiles-setup.service
systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
          Loaded: loaded (/usr/lib/systemd/system/systemd-tmpfiles-setup.service; static)
          Active: active (exited) since Mon, 28 May 2012 08:28:26 -0300; 3min 11s ago
         Process: 299 ExecStart=/usr/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-tmpfiles-setup.service

May 28 08:28:24 P4 systemd-tmpfile[299]: Successfully loaded SELinux database in 39ms 59us, size on heap is 540K.
May 28 08:28:26 P4 systemd-tmpfile[299]: Failed to create file /sys/block/sda/queue/scheduler: Permission denied
---

Oddly in permissive mode (enforcing=0 boot option) it doesn't trigger any AVC either (/etc/tmpfiles.d/test.conf works)!

I only get the AVCs when I restart systemd-tmpfiles-setup.service.

type=AVC msg=audit(1338205633.584:73): avc: denied { read } for pid=1567 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1338205633.584:73): avc: denied { write } for pid=1567 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12188 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1338205633.584:73): avc: denied { open } for pid=1567 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12188 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1338205633.584:73): arch=c000003e syscall=2 success=yes exit=4 a0=10cba80 a1=a0901 a2=1a4 a3=24 items=0 ppid=1 pid=1567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1338205633.584:74): avc: denied { module_request } for pid=1567 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1338205633.584:74): arch=c000003e syscall=20 success=yes exit=8 a0=4 a1=7fff2b2d6520 a2=2 a3=24 items=0 ppid=1 pid=1567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

audit2allow output:

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

#============= systemd_tmpfiles_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow systemd_tmpfiles_t kernel_t:system module_request;

#!!!! The source type 'systemd_tmpfiles_t' can write to a 'file' of the following types:
# var_auth_t, man_t, tmp_t, wtmp_t, lockfile, pidfile, faillog_t

allow systemd_tmpfiles_t sysfs_t:file { write open };
allow systemd_tmpfiles_t sysfs_t:lnk_file read;
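An added example, not part of any comment in this report and not the real audit2allow: a small Python script that does what the summary above relies on, parsing AVC denial records and collapsing them into one allow rule per (source type, target type, object class). It accepts both the auditd record form (type=AVC msg=audit(...)) and the kernel printk form that lands in dmesg (type=1400 audit(...)) when a denial happens before auditd is running. The sample log is constructed from the denials quoted in this report; the rule text is a simplified version of audit2allow's and omits its boolean hints.

```python
import re

# Constructed sample: the denials quoted in this report, one in the auditd
# record format (type=AVC msg=audit(...)) and the rest in the kernel/dmesg
# format (type=1400 audit(...)). The SYSCALL record is there to be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1338205633.584:73): avc:  denied  { read } for  pid=1567 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1338205633.584:73): arch=c000003e syscall=2 success=yes exit=4 pid=1567 comm="systemd-tmpfile"
type=1400 audit(1338207026.062:4): avc:  denied  { write } for  pid=314 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12155 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=1400 audit(1338207026.062:5): avc:  denied  { open } for  pid=314 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12155 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=1400 audit(1338207026.954:6): avc:  denied  { module_request } for  pid=314 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# Keyed on the 'avc: denied' body, so the record prefix (auditd or dmesg)
# does not matter.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Type field of a user:role:type:level security context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL records and unrelated lines carry no denial
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class),
    unioning the permissions, as audit2allow summarises them."""
    merged = {}  # insertion-ordered, so rules come out in first-seen order
    for src, tgt, tclass, perms in parse_denials(text):
        merged.setdefault((src, tgt, tclass), set()).update(perms)
    rules = []
    for (src, tgt, tclass), perms in merged.items():
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Running it prints three rules matching the shape of the audit2allow output above, with the two file denials merged into a single line.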
(In reply to comment #3)
> At boot systemd doesn't trigger any AVC (enforcing mode).

Can you check the output of 'dmesg' too? If a denial happens before auditd is running, the AVC message may be logged there.
Right, Michal.

Enforcing:
type=1400 audit(1338206772.536:4): avc: denied { read } for pid=310 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

Permissive:
type=1400 audit(1338207026.062:3): avc: denied { read } for pid=314 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12076 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=1400 audit(1338207026.062:4): avc: denied { write } for pid=314 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12155 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=1400 audit(1338207026.062:5): avc: denied { open } for pid=314 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12155 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=1400 audit(1338207026.954:6): avc: denied { module_request } for pid=314 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
Fixed in selinux-policy-3.10.0-128.fc17
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.