Description of problem:
Occurred upon X login.

SELinux is preventing /usr/bin/ps from 'search' accesses on the directory .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ps should be allowed search access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ksmtuned_t:s0
Target Context                system_u:object_r:nfs_t:s0
Target Objects                 [ dir ]
Source                        ps
Source Path                   /usr/bin/ps
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           procps-ng-3.3.3-2.20120807git.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-62.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   3352
First Seen                    2012-12-11 20:36:54 EST
Last Seen                     2012-12-13 08:10:22 EST
Local ID                      29c3b673-75ae-4a18-bce0-4d91ae3b0532

Raw Audit Messages
type=AVC msg=audit(1355404222.246:14402): avc: denied { search } for pid=10184 comm="ps" name="" dev="0:45" ino=2 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1355404222.246:14402): arch=x86_64 syscall=open success=no exit=EACCES a0=14d7260 a1=0 a2=0 a3=ffffffff items=0 ppid=10183 pid=10184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ps exe=/usr/bin/ps subj=system_u:system_r:ksmtuned_t:s0 key=(null)

Hash: ps,ksmtuned_t,nfs_t,dir,search

audit2allow

#============= ksmtuned_t ==============
allow ksmtuned_t nfs_t:dir search;

audit2allow -R

#============= ksmtuned_t ==============
allow ksmtuned_t nfs_t:dir search;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.9-4.fc18.x86_64
type:           libreport
Any idea why ksmtuned is reading nfs_t?
This happened to me too, although I'm not sure if it's related. My issue is that it keeps bombing on my /share directory, which is where I throw all my shared files and media. This is labeled with samba_share_t since I export it to the other computers on my network. This is probably not the best directory to be mounted at, but I'd rather not change it now since I have various things set up to look there.

ksmtuned runs ps in a loop trying to check how much memory a possibly running qemu-kvm is using. That causes ps to be run with ksmtuned_t if I'm not mistaken. I think the way that it ends up searching /share in my case is that (I guess), glibc looks for locale data in /share as well as /usr/share. At least, that's what strace says:

$ strace ps -C qemu-kvm 2>&1 | grep /share
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 4
open("//share/locale/en_US.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("//share/locale/en_US.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("//share/locale/en_US/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("//share/locale/en.UTF-8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("//share/locale/en.utf8/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("//share/locale/en/LC_MESSAGES/procps-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

Is there any reason why ksmtuned should be running with some other context than bin_t? Considering it's a shell script and it could be running any number of programs underneath, it seems like its context would need to encompass that of all programs it intends to run. If I'm understanding selinux correctly, anyway.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that ps should be allowed search access on the share directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ksmtuned_t:s0
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /share [ dir ]
Source                        ps
Source Path                   /usr/bin/ps
Port                          <Unknown>
Host                          buster
Source RPM Packages           procps-ng-3.3.3-2.20120807git.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-67.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     buster
Platform                      Linux buster 3.7.2-201.fc18.x86_64 #1 SMP Fri Jan 11 22:16:23 UTC 2013 x86_64 x86_64
Alert Count                   466
First Seen                    2013-01-18 20:33:19 PST
Last Seen                     2013-01-19 01:45:43 PST
Local ID                      97c11cce-351c-4611-a359-51d549dad897

Raw Audit Messages
type=AVC msg=audit(1358588743.174:1980): avc: denied { search } for pid=22037 comm="ps" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir

type=SYSCALL msg=audit(1358588743.174:1980): arch=x86_64 syscall=open success=no exit=EACCES a0=8d5260 a1=0 a2=0 a3=ffffffff items=0 ppid=22036 pid=22037 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ps exe=/usr/bin/ps subj=system_u:system_r:ksmtuned_t:s0 key=(null)

Hash: ps,ksmtuned_t,samba_share_t,dir,search

audit2allow

#============= ksmtuned_t ==============
allow ksmtuned_t samba_share_t:dir search;

audit2allow -R

#============= ksmtuned_t ==============
allow ksmtuned_t samba_share_t:dir search;
Great analysis. Thank you.

The problem is

[Service]
ExecStart=/usr/sbin/ksmtuned

It means it would run as initrc_t with bin_t labeling which we don't want. I am adding fixes.
Ok, I added ksmtuned_use_nfs ksmtuned_use_cifs booleans to cover these problems.
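As an added example (not part of this bug report, and not code from selinux-policy or setroubleshoot), the script below parses the raw AVC and SYSCALL records quoted in the two reports above, folds each SYSCALL record into its AVC record by audit serial, reproduces the comm,stype,ttype,tclass,perms key that setroubleshoot prints after "Hash:", and states for each denial whether a targeted boolean exists or whether, as the catchall plugin says, the denial should be reported as a policy bug before a local audit2allow module is considered. The mapping of target type to boolean (nfs_t to ksmtuned_use_nfs, cifs_t to ksmtuned_use_cifs) is my reading of the boolean names just mentioned, not something the thread spells out, and the sample log is the four records from this bug joined as they would appear in audit.log.

```python
import re
from collections import Counter

# The four raw audit records quoted in the two setroubleshoot reports above
# (copied from this bug, not constructed), joined as in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1355404222.246:14402): avc: denied { search } for pid=10184 comm="ps" name="" dev="0:45" ino=2 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1355404222.246:14402): arch=x86_64 syscall=open success=no exit=EACCES a0=14d7260 a1=0 a2=0 a3=ffffffff items=0 ppid=10183 pid=10184 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ps exe=/usr/bin/ps subj=system_u:system_r:ksmtuned_t:s0 key=(null)
type=AVC msg=audit(1358588743.174:1980): avc: denied { search } for pid=22037 comm="ps" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=SYSCALL msg=audit(1358588743.174:1980): arch=x86_64 syscall=open success=no exit=EACCES a0=8d5260 a1=0 a2=0 a3=ffffffff items=0 ppid=22036 pid=22037 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ps exe=/usr/bin/ps subj=system_u:system_r:ksmtuned_t:s0 key=(null)
"""

# Real audit.log has two spaces after "avc:"; the quoted report has one, so allow both.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans the maintainer says were added for this bug. Which target type each
# one covers is my reading of the names (assumption, not stated in the thread).
KSMTUNED_BOOLEANS = {"nfs_t": "ksmtuned_use_nfs", "cifs_t": "ksmtuned_use_cifs"}


def _kv(text):
    """Split 'k=v k="quoted v"' audit fields into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """user:role:type:level -> type, the component policy rules are written against."""
    return context.split(":")[2]


def parse_audit_log(text):
    """One record per AVC denial, with the SYSCALL record of the same serial folded in."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        m = AVC_RE.match(line)
        if m:
            f = _kv(m.group("fields"))
            serial = int(m.group("serial"))
            records[serial] = {
                "ts": float(m.group("ts")),
                "serial": serial,
                "perms": m.group("perms").split(),
                "comm": f.get("comm", ""),
                "name": f.get("name", ""),
                "stype": _type_of(f["scontext"]),
                "ttype": _type_of(f["tcontext"]),
                "tclass": f["tclass"],
            }
            continue
        m = SYSCALL_RE.match(line)
        if m and int(m.group("serial")) in records:
            f = _kv(m.group("fields"))
            records[int(m.group("serial"))].update(
                exe=f.get("exe"), syscall=f.get("syscall"),
                success=f.get("success"), exit=f.get("exit"),
            )
    return sorted(records.values(), key=lambda r: (r["ts"], r["serial"]))


def hash_key(rec):
    """The comm,stype,ttype,tclass,perms key setroubleshoot prints after 'Hash:'."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])])


def count_by_hash(records):
    """Collapse thousands of repeated denials (Alert Count 3352 above) into distinct keys."""
    return Counter(hash_key(r) for r in records)


def suggest(rec):
    """Prefer a shipped boolean; otherwise the denial is a policy bug, not a local allow rule."""
    if rec["stype"] == "ksmtuned_t" and rec["ttype"] in KSMTUNED_BOOLEANS:
        return "setsebool -P %s on" % KSMTUNED_BOOLEANS[rec["ttype"]]
    return "no boolean covers %s -> %s:%s; report as a policy bug before writing a local module" % (
        rec["stype"], rec["ttype"], rec["tclass"])


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in count_by_hash(recs).items():
        print("%3d  %s" % (n, key))
    for r in recs:
        print(r["serial"], r.get("exe"), r.get("syscall"), r.get("exit"), "->", suggest(r))
```

Folding the SYSCALL record in is what tells you the denial came from an open() that actually failed with EACCES (success=no), rather than a dontaudit-style noise entry, and that the binary was /usr/bin/ps running under the caller's ksmtuned_t domain, which is the domain-transition problem the maintainer identifies. Run it against a real audit.log by reading the file instead of SAMPLE_AUDIT_LOG.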
selinux-policy-3.11.1-73.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-73.fc18
Package selinux-policy-3.11.1-73.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-73.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1272/selinux-policy-3.11.1-73.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-73.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.