Bug 858125 - AVC denial for systemd-tmpfile
Summary: AVC denial for systemd-tmpfile
Keywords:
Status: CLOSED DUPLICATE of bug 858137
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-09-18 03:03 UTC by Mamoru TASAKA
Modified: 2012-09-18 08:56 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-18 08:56:21 UTC
Type: Bug
Embargoed:



Description Mamoru TASAKA 2012-09-18 03:03:36 UTC
Description of problem:
On reboot, /var/log/messages contains the following messages:

Sep 18 11:13:47 localhost kernel: [   11.693156] EXT4-fs (sda1): mounting ext3 file system using the ext4 subsystem
Sep 18 11:13:47 localhost kernel: [   11.696926] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Sep 18 11:13:47 localhost kernel: [   12.357304] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
Sep 18 11:13:47 localhost kernel: [   12.546847] EXT4-fs (dm-3): mounted filesystem with ordered data mode. Opts: (null)
Sep 18 11:13:47 localhost kernel: [   12.626662] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
Sep 18 11:13:47 localhost kernel: [   13.540618] type=1400 audit(1347934424.415:4): avc:  denied  { read } for  pid=573 comm="systemd-tmpfile" name="lock" dev="dm-1" ino=14123 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Sep 18 11:13:47 localhost kernel: [   13.540849] type=1400 audit(1347934424.415:5): avc:  denied  { read } for  pid=573 comm="systemd-tmpfile" name="lock" dev="dm-1" ino=14123 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Sep 18 11:13:47 localhost kernel: [   13.542692] type=1400 audit(1347934424.417:6): avc:  denied  { read } for  pid=573 comm="systemd-tmpfile" name="lock" dev="dm-1" ino=14123 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Sep 18 11:13:47 localhost kernel: [   13.543068] type=1400 audit(1347934424.418:7): avc:  denied  { read } for  pid=573 comm="systemd-tmpfile" name="lock" dev="dm-1" ino=14123 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


Version-Release number of selected component (if applicable):
kernel-3.5.3-1.fc17.i686
selinux-policy-targeted-3.10.0-149.fc17.noarch
systemd-44-17.fc17.i686


How reproducible:
Seems 100%

Steps to Reproduce:
1. reboot
2. check /var/log/messages
3.
  
Actual results:
See above

Expected results:
No SELinux avc (perhaps)

Additional info:
# LANG=C df -k
Filesystem                      1K-blocks     Used Available Use% Mounted on
rootfs                           20158332 10338340   8795992  55% /
devtmpfs                           764840        4    764836   1% /dev
tmpfs                              773440      300    773140   1% /dev/shm
tmpfs                              773440     1172    772268   1% /run
/dev/sda2                        20158332 10338340   8795992  55% /
tmpfs                              773440        0    773440   0% /sys/fs/cgroup
tmpfs                              773440        0    773440   0% /media
/dev/sda1                          705512    94604    575068  15% /boot
/dev/mapper/VolGroup00-LogVol01   8063408  3938056   3715752  52% /var
/dev/mapper/VolGroup00-LogVol03 225195500 53178844 160577348  25% /home
/dev/mapper/VolGroup00-LogVol00   8063408   151036   7502772   2% /tmp
/dev/sr0                            50984    50984         0 100% /run/media/mtasaka/VBOXADDITIONS_4.1.22_80657

# LANG=C ls -al /dev/mapper/VolGroup00-LogVol01 
lrwxrwxrwx. 1 root root 7 Sep 18 11:13 /dev/mapper/VolGroup00-LogVol01 -> ../dm-1

# LANG=C ls -al /var
total 108
drwxr-xr-x. 24 root root  4096 May 25 11:00 .
dr-xr-xr-x. 19 root root  4096 May 25 11:54 ..
drwxr-xr-x.  2 root root  4096 Jan 26  2012 account
drwxr-xr-x.  2 root root  4096 Feb  3  2012 adm
drwxr-xr-x. 15 root root  4096 Feb  3  2012 cache
drwxr-xr-x.  2 root root  4096 Feb  7  2012 cvs
drwxr-xr-x.  3 root root  4096 Sep 18 09:12 db
drwxr-xr-x.  3 root root  4096 Feb  3  2012 empty
drwxr-xr-x.  2 root root  4096 Feb  3  2012 games
drwxrwx--T.  2 root gdm   4096 Jun  9 08:05 gdm
drwxr-xr-x.  2 root root  4096 Feb  3  2012 gopher
drwxr-xr-x. 53 root root  4096 Sep 11 12:10 lib
drwxr-xr-x.  2 root root  4096 Feb  3  2012 local
lrwxrwxrwx.  1 root root    11 May 25 10:55 lock -> ../run/lock
drwxr-xr-x.  7 root root  4096 Nov 18  2011 lock.lockmove~
drwxr-xr-x. 17 root root  4096 Sep 18 11:14 log
drwx------.  2 root root 16384 Apr  6  2011 lost+found
lrwxrwxrwx.  1 root root    10 May 25 11:00 mail -> spool/mail
drwxr-xr-x.  2 root root  4096 Feb  3  2012 nis
drwxr-xr-x.  2 root root  4096 Feb  3  2012 opt
drwxr-xr-x.  2 root root  4096 Feb  3  2012 preserve
lrwxrwxrwx.  1 root root     6 May 25 10:55 run -> ../run
drwxr-xr-x. 32 root root  4096 Nov 18  2011 run.runmove~
drwxr-xr-x. 15 root root  4096 May 25 11:00 spool
drwxrwxrwt.  3 root root  4096 Sep 18 11:16 tmp
drwxr-xr-x.  6 root root  4096 Apr 30 18:55 www
drwxr-xr-x.  3 root root  4096 May 25 11:27 yp

Comment 1 Mamoru TASAKA 2012-09-18 05:31:42 UTC
By the way, this AVC denial seems to happen before auditd starts (the systemd-tmpfile process with this AVC denial had pid 573, while auditd had pid 589).
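The denial above is a good specimen for the first step of AVC triage: pull the source type, target type, object class and permission out of the kernel message, then decide whether it calls for a policy rule or whether the target is simply mislabeled. The script below is an added example written for this page; it is not from the bug report, from systemd or from the selinux-policy package. The sample line is a constructed copy of the denial in the report (reflowed onto one line), and the list of "generic" types that should trigger a relabel check rather than a new allow rule is the editor's own heuristic, not anything the policy defines.

```shell
#!/bin/sh
# Added example (not from the bug report): parse a kernel AVC denial and
# decide between "write policy" and "fix the label".

# Constructed sample: the denial from the report, joined onto one line.
SAMPLE_AVC='type=1400 audit(1347934424.415:4): avc:  denied  { read } for  pid=573 comm="systemd-tmpfile" name="lock" dev="dm-1" ino=14123 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file'

# avc_field LINE FIELD: value of "FIELD=value" (value has no whitespace).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission set inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_to_rule LINE: the allow rule equivalent to what audit2allow would emit
# for this single denial.
avc_to_rule() {
    line=$1
    s=$(ctx_type "$(avc_field "$line" scontext)")
    t=$(ctx_type "$(avc_field "$line" tcontext)")
    c=$(avc_field "$line" tclass)
    p=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$p"
}

# is_generic_type TYPE: heuristic (editor's assumption) list of catch-all
# file types. A denial against one of these usually means the object never
# got its specific label; allowing access to var_t would be far too broad.
is_generic_type() {
    case $1 in
        var_t|etc_t|usr_t|default_t|unlabeled_t|file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# triage LINE: one-line verdict for the denial.
triage() {
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name | tr -d '"')
    if is_generic_type "$t"; then
        printf 'mislabel suspected: name=%s is %s; compare ls -Z of the object with matchpathcon before writing policy\n' "$name" "$t"
    else
        printf 'policy gap: %s\n' "$(avc_to_rule "$1")"
    fi
}

avc_to_rule "$SAMPLE_AVC"
triage "$SAMPLE_AVC"
```

For this report the verdict is "mislabel suspected": the target is the `/var/lock -> ../run/lock` symlink carrying the generic `var_t` label, so the right comparison is `ls -Z /var/lock` against `matchpathcon /var/lock`, not a new allow rule. One caveat that Comment 1 points at: because the denial fires before auditd is running, `ausearch -m avc` will not find it; the record only exists in the kernel ring buffer (`dmesg`) or, on systemd hosts, `journalctl -k`.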

Comment 2 Miroslav Grepl 2012-09-18 08:56:21 UTC

*** This bug has been marked as a duplicate of bug 858137 ***

