Bug 825530 - SELinux is preventing /usr/bin/systemd-tmpfiles from read access on the lnk_file sda.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-27 09:37 EDT by Marcos Mello
Modified: 2012-06-03 19:32 EDT
Last Closed: 2012-06-03 19:32:07 EDT
Doc Type: Bug Fix
Type: Bug

Description Marcos Mello 2012-05-27 09:37:48 EDT
I can't tune /sys options via systemd's tmpfiles.d "w" type because SELinux denies it access.

http://0pointer.de/public/systemd-man/tmpfiles.d.html

From this commit: http://cgit.freedesktop.org/systemd/systemd/commit/?id=31ed59c51126fce7d958c188772a397e2a1ed010

cat /etc/tmpfiles.d/test.conf

w /sys/block/sda/queue/scheduler - - - - deadline


-------------------------------------------------------------------------

SELinux is preventing /usr/bin/systemd-tmpfiles from read access on the lnk_file sda.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed read access on the sda lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                sda [ lnk_file ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Unknown>
Host                          P4
Source RPM Packages           systemd-44-8.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     P4
Platform                      Linux P4 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21
                              22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 27 May 2012 10:20:10 BRT
Last Seen                     Sun 27 May 2012 10:20:10 BRT
Local ID                      ffd4b2f3-d3e9-4c65-a052-9346c305380d

Raw Audit Messages
type=AVC msg=audit(1338124810.446:87): avc:  denied  { read } for  pid=1776 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1338124810.446:87): arch=x86_64 syscall=open success=no exit=EACCES a0=215a210 a1=a0901 a2=1a4 a3=24 items=0 ppid=1 pid=1776 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,sysfs_t,lnk_file,read

audit2allow: unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R: unable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Marcos Mello 2012-05-27 12:43:53 EDT
With permissive mode it works.

-------------------------------------------------------------

SELinux is preventing /usr/bin/systemd-tmpfiles from module_request access on the system .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed module_request access on the  system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                 [ system ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Unknown>
Host                          P4
Source RPM Packages           systemd-44-8.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     P4
Platform                      Linux P4 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21
                              22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 27 May 2012 13:41:11 BRT
Last Seen                     Sun 27 May 2012 13:41:11 BRT
Local ID                      f38d7d24-6732-4bbf-bd84-5007ecf27fa3

Raw Audit Messages
type=AVC msg=audit(1338136871.693:92): avc:  denied  { module_request } for  pid=1557 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1338136871.693:92): arch=x86_64 syscall=writev success=yes exit=ENOEXEC a0=4 a1=7fff81396d20 a2=2 a3=24 items=0 ppid=1 pid=1557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,kernel_t,system,module_request

audit2allow: unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R: unable to open /sys/fs/selinux/policy:  Permission denied
Comment 2 Miroslav Grepl 2012-05-28 04:32:38 EDT
Are you getting more AVC msgs in permissive mode?

grep systemd_tmpfiles_t /var/log/audit/audit.log |audit2allow
Comment 3 Marcos Mello 2012-05-28 07:53:00 EDT
Today selinux-policy was updated to version 3.10.0-125.fc17. However the problem persists.

At boot systemd doesn't trigger any AVC (enforcing mode).

---
systemctl status systemd-tmpfiles-setup.service

systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
	  Loaded: loaded (/usr/lib/systemd/system/systemd-tmpfiles-setup.service; static)
	  Active: active (exited) since Mon, 28 May 2012 08:28:26 -0300; 3min 11s ago
	 Process: 299 ExecStart=/usr/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/systemd-tmpfiles-setup.service

May 28 08:28:24 P4 systemd-tmpfile[299]: Successfully loaded SELinux database in 39ms 59us, size on heap is 540K.
May 28 08:28:26 P4 systemd-tmpfile[299]: Failed to create file /sys/block/sda/queue/scheduler: Permission denied
---

Oddly in permissive mode (enforcing=0 boot option) it doesn't trigger any AVC either (/etc/tmpfiles.d/test.conf works)! I only get the AVCs when I restart systemd-tmpfiles-setup.service.

type=AVC msg=audit(1338205633.584:73): avc:  denied  { read } for  pid=1567 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1338205633.584:73): avc:  denied  { write } for  pid=1567 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12188 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1338205633.584:73): avc:  denied  { open } for  pid=1567 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12188 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1338205633.584:73): arch=c000003e syscall=2 success=yes exit=4 a0=10cba80 a1=a0901 a2=1a4 a3=24 items=0 ppid=1 pid=1567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1338205633.584:74): avc:  denied  { module_request } for  pid=1567 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1338205633.584:74): arch=c000003e syscall=20 success=yes exit=8 a0=4 a1=7fff2b2d6520 a2=2 a3=24 items=0 ppid=1 pid=1567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)


audit2allow output:

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.


#============= systemd_tmpfiles_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'

allow systemd_tmpfiles_t kernel_t:system module_request;
#!!!! The source type 'systemd_tmpfiles_t' can write to a 'file' of the following types:
# var_auth_t, man_t, tmp_t, wtmp_t, lockfile, pidfile, faillog_t

allow systemd_tmpfiles_t sysfs_t:file { write open };
allow systemd_tmpfiles_t sysfs_t:lnk_file read;
Comment 4 Michal Schmidt 2012-05-28 07:59:05 EDT
(In reply to comment #3)
> At boot systemd doesn't trigger any AVC (enforcing mode).

Can you check the output of 'dmesg' too? If a denial happens before auditd is running, the AVC message may be logged there.
Comment 5 Marcos Mello 2012-05-28 08:13:03 EDT
Right Michal.

Enforcing:

type=1400 audit(1338206772.536:4): avc:  denied  { read } for  pid=310 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

Permissive:

type=1400 audit(1338207026.062:3): avc:  denied  { read } for  pid=314 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12076 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=1400 audit(1338207026.062:4): avc:  denied  { write } for  pid=314 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12155 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=1400 audit(1338207026.062:5): avc:  denied  { open } for  pid=314 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12155 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=1400 audit(1338207026.954:6): avc:  denied  { module_request } for  pid=314 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
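The denials quoted in comments 3 and 5, and the allow rules audit2allow derived from them in comment 3, can be reproduced offline. The Python below is an added example for this thread; it is not code from the bug report, from systemd or from the selinux-policy project. It implements audit2allow's grouping step itself (collect every denied permission by source type, target type and object class, then render allow rules and a .te skeleton) and accepts both the auditd record format (type=AVC msg=audit(...)) and the kernel-log format (type=1400 audit(...)) that Michal points at in comment 4, so a dmesg capture from early boot and a later audit.log can be fed through the same function. The sample log embedded in it is constructed from the lines quoted in this bug. Note why a `w` line on /sys/block/sda/queue/scheduler needs lnk_file read on sda: /sys/block/sda is a symlink into /sys/devices/..., so the path walk crosses a sysfs_t lnk_file before the scheduler file is opened. The boolean hint audit2allow prints (domain_kernel_load_modules) depends on the installed policy and is not reproduced here.

```python
"""Group SELinux AVC denials into allow rules, the way audit2allow does.

Added example for this bug thread; it is not code from the bug, from
systemd or from selinux-policy. Runs offline on the constructed log below.
"""
import re
from collections import defaultdict

# Constructed sample built from the denials quoted in this bug. The first
# four records use auditd's format (type=AVC msg=audit(...)); the last one
# uses the kernel-log format (type=1400 audit(...)) seen in dmesg when the
# denial happens before auditd is running.
SAMPLE_LOG = """\
type=AVC msg=audit(1338205633.584:73): avc:  denied  { read } for  pid=1567 comm="systemd-tmpfile" name="sda" dev="sysfs" ino=12109 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1338205633.584:73): avc:  denied  { write } for  pid=1567 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12188 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1338205633.584:73): avc:  denied  { open } for  pid=1567 comm="systemd-tmpfile" name="scheduler" dev="sysfs" ino=12188 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1338205633.584:73): arch=c000003e syscall=2 success=yes exit=4 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles"
type=1400 audit(1338207026.954:6): avc:  denied  { module_request } for  pid=314 comm="systemd-tmpfile" kmod="-iosched" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# The AVC payload looks the same whatever prefix the record carries.
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per denial: perms, scontext, tcontext, tclass, plus
    whatever other key=value fields were present (comm, name, kmod, ...)."""
    denials = []
    for line in text.splitlines():
        m = _AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other records carry no denial
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
        if not {'scontext', 'tcontext', 'tclass'}.issubset(fields):
            continue  # truncated record: skip rather than guess a rule
        fields['perms'] = set(m.group(1).split())
        denials.append(fields)
    return denials


def _type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(':')[2]


def summarise(denials):
    """Collapse denials to {(source_type, target_type, class): perms}."""
    summary = defaultdict(set)
    for d in denials:
        key = (_type_of(d['scontext']), _type_of(d['tcontext']), d['tclass'])
        summary[key] |= d['perms']
    return dict(summary)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(summary):
    """Render allow rules in audit2allow's style, sorted for stable output."""
    return ['allow %s %s:%s %s;' % (s, t, c, _perm_list(p))
            for (s, t, c), p in sorted(summary.items())]


def policy_module(summary, name='mypol'):
    """Render a complete .te source, the input `audit2allow -M` compiles."""
    types = sorted({x for (s, t, _c) in summary for x in (s, t)})
    classes = defaultdict(set)
    for (_s, _t, c), p in summary.items():
        classes[c] |= p
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (c, _perm_list(p))
              for c, p in sorted(classes.items())]
    lines += ['}', '']
    for src in sorted({s for (s, _t, _c) in summary}):
        lines.append('#============= %s ==============' % src)
        lines += [r for r in allow_rules(summary)
                  if r.startswith('allow %s ' % src)]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(policy_module(summarise(parse_avc_denials(SAMPLE_LOG))))
```

Run as-is it prints the same three allow rules comment 3 shows. Before installing anything generated this way, read the rules: `allow systemd_tmpfiles_t sysfs_t:file { open write };` grants write to every sysfs_t file, far more than the one scheduler knob the tmpfiles.d line touches, which is why the setroubleshoot "allow this access for now" recipe is a stopgap and the proper fix is the policy update in comment 6.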
Comment 6 Miroslav Grepl 2012-05-29 01:51:11 EDT
Fixed in selinux-policy-3.10.0-128.fc17
Comment 7 Fedora Update System 2012-05-31 02:27:44 EDT
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Comment 8 Fedora Update System 2012-06-01 13:09:41 EDT
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-06-03 19:32:07 EDT
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.