Bug 864784 - systemd-analyze triggers selinux denial
Status: CLOSED DUPLICATE of bug 859614
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64 Unspecified
Priority: unspecified, Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-10 02:26 EDT by Chris Murphy
Modified: 2012-10-15 05:34 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-14 19:17:19 EDT
Type: Bug
Description Chris Murphy 2012-10-10 02:26:03 EDT
Description of problem:
systemd-analyze results in SELinux denial

Version-Release number of selected component (if applicable):
systemd-analyze.x86_64 0:194-1.fc18 
selinux-policy-3.11.1-32.fc18
dbus-1.6.8-2.fc18.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install systemd-analyze
2. run systemd-analyze


Actual results:
ERROR:dbus.proxies:Introspect error on :1.1:/org/freedesktop/systemd1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 307, in <module>
    time()
  File "/usr/bin/systemd-analyze", line 91, in time
    initrd_time, start_time, finish_time = acquire_start_time()
  File "/usr/bin/systemd-analyze", line 34, in acquire_start_time
    initrd_time = int(properties.Get('org.freedesktop.systemd1.Manager', 'InitRDTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.


Expected results:
To report startup time stats.

Additional info:
audit.log reports

type=USER_AVC msg=audit(1349849442.134:40): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 cmdline="/usr/bin/python /usr/bin/systemd-analyze" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This was working with alpha a week or two ago, so this may actually be dbus, not systemd-analyze triggering the denial.
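
Added example (not part of the original report and not Fedora's or systemd's own code): a small Python parser for the USER_AVC record quoted in the Description. It separates the process that logged the denial (outer pid/subj) from the access decision inside msg='...', and renders the denial as a candidate allow rule for policy review. The function names are hypothetical; the sample line is copied from the report.

```python
import re

# Record copied from the audit.log excerpt in the Description.
SAMPLE = (
    "type=USER_AVC msg=audit(1349849442.134:40): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    "for auid=0 uid=0 gid=0 cmdline=\"/usr/bin/python /usr/bin/systemd-analyze\" "
    "scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 "
    "tclass=system  exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"
)

OUTER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                   r"(?P<head>.*?) msg='(?P<inner>.*)'\s*$")
AVC = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be double-quoted

def parse_user_avc(line):
    """Split a USER_AVC line into reporter fields and the AVC decision."""
    m = OUTER.match(line.strip())
    if not m or m.group("type") != "USER_AVC":
        raise ValueError("not a USER_AVC record")
    avc = AVC.match(m.group("inner"))
    if not avc:
        raise ValueError("no avc decision inside msg='...'")
    # Outer fields describe the userspace process that logged the record.
    reporter = dict(KV.findall(m.group("head")))
    # Inner fields describe the access that was checked.
    fields = {k: v.strip('"') for k, v in KV.findall(avc.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "reporter_pid": int(reporter["pid"]),
        "reporter_subj": reporter["subj"],
        "result": avc.group("result"),
        "perms": avc.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "cmdline": fields.get("cmdline"),
    }

def candidate_rule(rec):
    """Render the denial as a type-enforcement rule to review, not to apply blindly."""
    src, tgt = rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2]
    perms = rec["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{rec['tclass']} {perm};"

if __name__ == "__main__":
    print(candidate_rule(parse_user_avc(SAMPLE)))
```
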
Comment 1 Chris Murphy 2012-10-14 18:57:45 EDT
Not reproducible with selinux-policy-3.11.1-36.fc18.noarch; other component versions remain the same.
Comment 2 Chris Murphy 2012-10-14 19:05:18 EDT
'systemd-analyze blame' still produces an SELinux denial; whereas with no option or time option, there is no error.

[root@f18v ~]# systemd-analyze blame
ERROR:dbus.proxies:Introspect error on :1.0:/org/freedesktop/systemd1/unit/network_2eservice: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Traceback (most recent call last):
  File "/usr/bin/systemd-analyze", line 309, in <module>
    verb.get(args[0], unknown_verb)()
  File "/usr/bin/systemd-analyze", line 108, in blame
    data = acquire_time_data()
  File "/usr/bin/systemd-analyze", line 22, in acquire_time_data
    ixt = int(properties.Get('org.freedesktop.systemd1.Unit', 'InactiveExitTimestampMonotonic'))
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
Comment 3 Chris Murphy 2012-10-14 19:17:19 EDT

*** This bug has been marked as a duplicate of bug 859614 ***
Comment 4 Chris Murphy 2012-10-15 05:34:31 EDT
After applying:
selinux-policy-targeted-3.11.1-38.fc18.noarch
selinux-policy-3.11.1-38.fc18.noarch

And autorelabel=1, "systemd-analyze blame" is working for me without the comment 2 denial. So this bug may not be a duplicate of Bug 859614.
