Created attachment 709928 [details]
journalctl output with selinux messages

Description of problem:
When using the readonly-root feature, SELinux prevents writing to /var/lib/random-seed and /var/log/wtmp.

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-66.fc18

How reproducible:
always

Steps to Reproduce:
1. Enable the readonly root function in the /etc/sysconfig/readonly-root file: set READONLY=yes and TEMPORARY_STATE=yes.
2. Add the mount option ro in /etc/fstab for the / directory.
3. Reboot.
4. See the output of journalctl | grep random-seed and journalctl | grep wtmp.

Actual results:
Mar 14 09:58:58 localhost.localdomain kernel: type=1400 audit(1363251538.446:4): avc: denied { mounton } for pid=388 comm="mount" path="/var/lib/random-seed" dev="dm-1" ino=141188 scontext=system ...
Mar 14 09:58:58 localhost.localdomain kernel: type=1400 audit(1363251538.721:6): avc: denied { read } for pid=427 comm="systemd-tmpfile" name="config" dev="dm-1" ino=15994 scontext=system_u:syste

Expected results:
Write to /var/lib/random-seed succeeds.

Additional info:
Vaclav, any chance to get complete AVC msgs from audit.log?
Mar 14 11:52:04 localhost.localdomain kernel: type=1400 audit(1363258324.516:4): avc: denied { mounton } for pid=412 comm="mount" path="/var/lib/random-seed" dev="dm-1" ino=141188 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:random_seed_t:s0 tclass=file
Mar 14 11:52:04 localhost.localdomain kernel: type=1400 audit(1363258324.517:5): avc: denied { mounton } for pid=412 comm="mount" path="/var/lib/random-seed" dev="dm-1" ino=141188 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:random_seed_t:s0 tclass=file
Mar 14 11:52:04 localhost.localdomain kernel: type=1400 audit(1363258324.738:7): avc: denied { create } for pid=444 comm="systemd-tmpfile" name="wtmp" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
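The full AVC records above are what a policy maintainer works from: the source type (scontext), the target type (tcontext), the object class and the denied permission determine whether the fix is an allow rule or a relabel. The following parser is an added example, not code from this bug or from the selinux-policy project; it takes the three denials quoted in the comment above as constructed sample input, extracts those fields, and collapses repeated denials into a per-(source type, target type, class, permission) count, which is the same grouping a tool like audit2allow reports. The helper names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the bug comment above.
SAMPLE_AVCS = """\
Mar 14 11:52:04 localhost.localdomain kernel: type=1400 audit(1363258324.516:4): avc: denied { mounton } for pid=412 comm="mount" path="/var/lib/random-seed" dev="dm-1" ino=141188 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:random_seed_t:s0 tclass=file
Mar 14 11:52:04 localhost.localdomain kernel: type=1400 audit(1363258324.517:5): avc: denied { mounton } for pid=412 comm="mount" path="/var/lib/random-seed" dev="dm-1" ino=141188 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:random_seed_t:s0 tclass=file
Mar 14 11:52:04 localhost.localdomain kernel: type=1400 audit(1363258324.738:7): avc: denied { create } for pid=444 comm="systemd-tmpfile" name="wtmp" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value ..." (also matches "granted" when audit logs them)
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, name) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type element of a user:role:type:level security context, or None."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC line into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key in ("pid", "comm", "path", "name", "scontext", "tcontext", "tclass"):
        rec[key] = fields.get(key)
    # Policy rules are written against types, not full contexts.
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    # NOTE: comm is truncated by the kernel to 15 characters, which is why the
    # record above shows "systemd-tmpfile" rather than "systemd-tmpfiles".
    return rec


def summarize(text):
    """Count denials per (source type, target type, class, permission) tuple."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return dict(counts)


def as_allow_rules(counts):
    """Render the summary in allow-rule syntax as a review aid (one line per tuple).

    This is only what the raw denials would translate to; whether an allow rule is
    the right fix, as opposed to relabeling the file, is a human decision.
    """
    return sorted(
        f"allow {stype} {ttype}:{tclass} {perm};"
        for (stype, ttype, tclass, perm) in counts
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVCS)
    for key, n in sorted(summary.items()):
        print(n, key)
    print("\n".join(as_allow_rules(summary)))
```

Running it on the sample collapses the two identical mount denials into one mount_t / random_seed_t / file / mounton entry with a count of 2 and reports the systemd_tmpfiles_t / wtmp_t / file / create denial once, which matches the two rules the maintainer addressed in the commits below. In practice, feed it the output of `ausearch -m avc` or `journalctl -k` rather than the embedded sample.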
commit 67598ef5a5e8b1e7f87dce14b21005f7cea386f7 fixes this in Rawhide.
Back ported.

commit 96bdc5b872b3c7dd3e4223e2c437536ae33b6cc2
Author: Dan Walsh <dwalsh>
Date:   Fri Mar 15 12:57:02 2013 -0400

    Allow systemd_tmpfiles to create wtmp file
selinux-policy-3.11.1-87.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-87.fc18
Package selinux-policy-3.11.1-87.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-87.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4251/selinux-policy-3.11.1-87.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-87.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.