Description of problem:
readahead does not gather data because of a selinux denial.

Apr 23 21:13:48 fedora kernel: type=1404 audit(1366766027.362:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora kernel: SELinux: 2048 avtab hash slots, 96919 rules.
Apr 23 21:13:48 fedora kernel: SELinux: 2048 avtab hash slots, 96919 rules.
Apr 23 21:13:48 fedora kernel: SELinux: 8 users, 82 roles, 4428 types, 249 bools, 1 sens, 1024 cats
Apr 23 21:13:48 fedora kernel: SELinux: 83 classes, 96919 rules
Apr 23 21:13:48 fedora kernel: SELinux: Completing initialization.
Apr 23 21:13:48 fedora kernel: SELinux: Setting up existing superblocks.
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev devpts, type devpts), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev pstore, type pstore), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev cgroup, type cgroup), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev dm-1, type ext4), uses xattr
Apr 23 21:13:48 fedora kernel: type=1403 audit(1366766027.814:3): policy loaded auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora systemd[1]: Successfully loaded SELinux policy in 463.374ms.
Apr 23 21:13:48 fedora systemd[1]: Relabelled /dev and /run in 28.184ms.
Apr 23 21:13:48 fedora LVM: Logical Volume autoactivation enabled.
Apr 23 21:13:48 fedora LVM: Activation generator successfully completed.
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create shared memory segment: No such file or directory
Apr 23 21:13:48 fedora systemd-readahead[391]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora systemd-readahead[391]: Failed to create shared memory segment: No such file or directory
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 23 21:13:48 fedora kernel: SELinux: initialized (dev configfs, type configfs), uses genfs_contexts

(Messages about permission denied are from a line I added myself to see what's going on. I'll push the patch to systemd later on.)

Version-Release number of selected component (if applicable):
In general this is an up-to-date Fedora 19. systemd is compiled from git.
Apr 23 21:13:41 fedora systemd[1]: systemd 202 running in system mode. (+PAM -LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT -LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Apr 23 21:13:47 fedora systemd[1]: systemd 202 running in system mode. (+PAM -LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT -LIBCRYPTSETUP +GCRYPT +ACL +XZ)
selinux-policy-targeted-3.12.1-34.fc19.noarch
selinux-policy-3.12.1-34.fc19.noarch

How reproducible:
100%

Additional info:
% ls -lZd /run /run/systemd /run/systemd/readahead
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /run/
drwxr-xr-x. root root system_u:object_r:init_var_run_t:s0 /run/systemd/
drwxr-xr-x. root root system_u:object_r:readahead_var_run_t:s0 /run/systemd/readahead/
Avc messages?
I don't see any AVC messages. Is it possible that they are not generated or logged because auditd is not yet running? auditd is initialized a while later, along with other services, while readahead is started already in the boot.
Hm, after looking at it again, systemd probably might create /run/systemd by itself. It is convenient to create it in systemd-readahead, but I see that it might be inconvenient for selinux.
# dmesg |grep avc
# dmesg |grep avc
nada

Hm, I'll reboot with selinux=0 when I have access to the machine and see what happens.
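The triage discussed above (userspace "Permission denied" errors in enforcing mode with no AVC record to explain them) can be automated over a syslog-format boot log. This is an added example, not part of the original report or of systemd; the function name triage is hypothetical, and the two sample lines for process "exampled" are constructed, while the other sample lines are copied from the report.

```python
import re

# Sample input: the first five lines are taken from the report above; the last
# two (process "exampled", pid 500) are constructed to show a matched denial.
SAMPLE = """\
Apr 23 21:13:48 fedora kernel: type=1404 audit(1366766027.362:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora kernel: type=1403 audit(1366766027.814:3): policy loaded auid=4294967295 ses=4294967295
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora systemd-readahead[392]: Failed to create shared memory segment: No such file or directory
Apr 23 21:13:48 fedora systemd-readahead[391]: Failed to create /run/systemd: Permission denied
Apr 23 21:13:48 fedora kernel: type=1400 audit(1366766028.100:4): avc:  denied  { create } for  pid=500 comm="exampled" name="x" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Apr 23 21:13:48 fedora exampled[500]: Failed to create /run/x: Permission denied
"""

# "Mon DD HH:MM:SS host tag[pid]: message" (pid is absent for kernel lines)
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# \b keeps "old_enforcing=1" from being read as "enforcing=1"
ENFORCING_ON = re.compile(r"type=1404 .*\benforcing=1\b")
AVC_PID = re.compile(r"avc:\s+denied\s.*?\bpid=(\d+)")


def triage(text):
    """Return (enforcing, unexplained): whether the switch to enforcing mode
    was seen, and the userspace 'Permission denied' lines logged after it
    that have no AVC denial record for the same pid anywhere in the log."""
    enforcing = False
    avc_pids = set()
    denied = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tag, pid, msg = m["tag"], m["pid"], m["msg"]
        if tag == "kernel":
            if ENFORCING_ON.search(msg):
                enforcing = True
            avc = AVC_PID.search(msg)
            if avc:
                avc_pids.add(avc.group(1))
        elif enforcing and msg.endswith("Permission denied"):
            denied.append((tag, pid, msg))
    return enforcing, [d for d in denied if d[1] not in avc_pids]
```

On the sample, both systemd-readahead failures come back as unexplained, which is the situation described in this report; the constructed "exampled" failure is dropped because an AVC record names its pid.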
Any progress on this issue?
Same problem here:

[ 9.887300] systemd-readahead[267]: Failed to create /run/systemd: Permission denied
[ 9.887311] systemd-readahead[267]: Failed to create shared memory segment: No such file or directory
[ 9.887495] systemd-readahead[266]: Failed to create /run/systemd: Permission denied
[ 9.887506] systemd-readahead[266]: Failed to create shared memory segment: No such file or directory
a1cf4f67ed46cabfb111b287577be0c9b71e0672 fixes this in git.
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.