Bug 859730 - SELinux is preventing /usr/bin/ln from 'read' accesses on the lnk_file /usr/lib/systemd/system/anaconda.target.wants/anaconda-shell@tty2.service.
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: x86_64
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-23 11:17 EDT by Jesús Abelardo Saldívar Aguilar
Modified: 2012-12-20 11:17 EST
Last Closed: 2012-12-20 11:17:30 EST
Doc Type: Bug Fix

Attachments
File: type (9 bytes, text/plain), 2012-09-23 11:17 EDT, Jesús Abelardo Saldívar Aguilar
File: hashmarkername (14 bytes, text/plain), 2012-09-23 11:17 EDT, Jesús Abelardo Saldívar Aguilar

Description Jesús Abelardo Saldívar Aguilar 2012-09-23 11:17:21 EDT
Additional info:
libreport version: 2.0.13
kernel:         3.5.4-1.fc17.x86_64

:SELinux is preventing /usr/bin/ln from 'read' accesses on the lnk_file /usr/lib/systemd/system/anaconda.target.wants/anaconda-shell@tty2.service.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that ln should be allowed read access on the anaconda-shell@tty2.service lnk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Allow this access for now by executing:
:# grep ln /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:initrc_t:s0
:Target Context                system_u:object_r:systemd_unit_file_t:s0
:Target Objects                /usr/lib/systemd/system/anaconda.target.wants
:                              /anaconda-shell@tty2.service [ lnk_file ]
:Source                        ln
:Source Path                   /usr/bin/ln
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           coreutils-8.15-7.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep
:                              17 15:03:59 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    2012-09-23 10:10:43 CDT
:Last Seen                     2012-09-23 10:10:43 CDT
:Local ID                      b690b766-b1ca-40db-8b05-5b06318588e7
:Raw Audit Messages
:type=AVC msg=audit(1348413043.102:95): avc:  denied  { read } for  pid=5784 comm="ln" name="anaconda-shell@tty2.service" dev="sda5" ino=262462 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file
:type=SYSCALL msg=audit(1348413043.102:95): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff2e9c0ed6 a1=7fff2e9c0930 a2=7fff2e9c0930 a3=a items=0 ppid=5777 pid=5784 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ln exe=/usr/bin/ln subj=system_u:system_r:initrc_t:s0 key=(null)
:Hash: ln,initrc_t,systemd_unit_file_t,lnk_file,read
:#============= initrc_t ==============
:allow initrc_t systemd_unit_file_t:lnk_file read;
:audit2allow -R
:#============= initrc_t ==============
:allow initrc_t systemd_unit_file_t:lnk_file read;
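As an added illustration (not part of the bug report and not audit2allow's own code), the following Python parses the raw AVC record quoted above and reconstructs the allow rule audit2allow proposed; it also merges several denials with the same source type, target type and object class into one rule, which is the part of the audit2allow output that a policy maintainer reads first. The second AVC record is constructed for the example.

```python
import re

AVC_LINE = (  # the AVC record copied from the bug report above
    'type=AVC msg=audit(1348413043.102:95): avc:  denied  { read } for  pid=5784 '
    'comm="ln" name="anaconda-shell@tty2.service" dev="sda5" ino=262462 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file'
)
# Constructed sample: the real denial plus a second (made-up) one on the same class.
SAMPLE_LINES = [
    AVC_LINE,
    'type=AVC msg=audit(1348413043.102:96): avc:  denied  { getattr } for  pid=5784 '
    'comm="ln" scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=lnk_file',
]

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value may be quoted

def parse_avc(line):
    """Parse one AVC record; return None for any other record type (SYSCALL, PATH, ...).
    A context is user:role:type:level; policy rules are written against the type."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def allow_rule(avc):
    """Render a denial as an allow rule in the form audit2allow prints (perms sorted here)."""
    perms = sorted(avc['perms'])
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"

def summarise(lines):
    """Merge all denials sharing source type, target type and class into one rule each."""
    merged = {}
    for avc in filter(None, map(parse_avc, lines)):
        if avc['result'] == 'denied':
            key = (avc['stype'], avc['ttype'], avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    return [allow_rule({'stype': s, 'ttype': t, 'tclass': c, 'perms': p})
            for (s, t, c), p in sorted(merged.items())]
```

For the record on this page, allow_rule() yields exactly the line audit2allow printed, `allow initrc_t systemd_unit_file_t:lnk_file read;`; reading the source and target types out of the denial this way is also how one decides whether the fix belongs in the distribution policy (as it did here) rather than in a local module.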
Comment 1 Jesús Abelardo Saldívar Aguilar 2012-09-23 11:17:24 EDT
Created attachment 616141 [details]
File: type
Comment 2 Jesús Abelardo Saldívar Aguilar 2012-09-23 11:17:25 EDT
Created attachment 616142 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-09-24 06:39:53 EDT
Did it happen by default? Or did you modify an init script?
Comment 4 Jesús Abelardo Saldívar Aguilar 2012-09-24 12:01:09 EDT
(In reply to comment #3)
> Did it happen by default? Or did you modify an init script?

It happens by default
Comment 5 Daniel Walsh 2012-09-25 16:01:27 EDT
We have allowed this in F18.
Comment 6 Miroslav Grepl 2012-09-27 12:52:13 EDT
Did you disable unconfined.pp module?
Comment 7 Jesús Abelardo Saldívar Aguilar 2012-09-28 14:42:32 EDT
I'm not sure; I think I may have disabled it to speed up compiling some policies.
How can I check if it's disabled?
Comment 8 Daniel Walsh 2012-10-01 10:37:24 EDT
semodule -l | grep unconfined
Comment 9 Jesús Abelardo Saldívar Aguilar 2012-10-06 13:37:12 EDT
Yes, I have it disabled:

# semodule -l | grep unconfined
> unconfined	3.3.0	Disabled
Comment 10 Daniel Walsh 2012-10-09 13:55:29 EDT
mgrepl, let's add

Comment 11 Miroslav Grepl 2012-10-17 03:45:38 EDT

commit ff478003b3f90275893c30a861143d4aeafc52d5
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Oct 17 09:45:13 2012 +0200

    Allow initrc_t to read all systemd unit files
Comment 12 Fedora Update System 2012-10-17 08:34:32 EDT
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
Comment 13 Fedora Update System 2012-10-17 20:25:45 EDT
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2012-12-20 11:17:32 EST
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
