Description of problem:
First boot into gnome classic session after update
SELinux is preventing /usr/libexec/accounts-daemon from 'read' accesses on the directory /var/log.
*****  Plugin catchall (100. confidence) suggests  ***************************
If you believe that accounts-daemon should be allowed read access on the log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log [ dir ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           accountsservice-0.6.34-1.fc19.i686
Target RPM Packages           filesystem-3.2-10.fc19.i686
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-301.fc19.i686.PAE #1 SMP Tue Jun 11 19:46:44 UTC 2013 i686 i686
Alert Count                   39
First Seen                    2013-06-12 23:28:57 GMT
Last Seen                     2013-06-12 23:31:52 GMT
Local ID                      f594b007-00b9-478b-839a-c793327e7b7a
Raw Audit Messages
type=AVC msg=audit(1371079912.935:486): avc: denied { read } for pid=608 comm="accounts-daemon" name="log" dev="dm-0" ino=524325 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1371079912.935:486): arch=i386 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=b8790ce0 a2=1002fce a3=b8790cc0 items=0 ppid=1 pid=608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
Additional info:
reporter: libreport-2.1.4
hashmarkername: setroubleshoot
kernel: 3.9.5-301.fc19.i686.PAE
type: libreport
Potential duplicate: bug 973367
Description of problem: right after booting Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Same problem here (x86_64). This problem slows down my system extremely because the exception is raised continuously, so I'm forced to downgrade accountsservice to have a usable system again.
Why does it need to watch /var/log?
Description of problem: Booted and logged into Gnome 3. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: just restarted my computer after an update Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: After boot system to gnome shell Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Because it watches when accounts come and go in wtmp. This isn't new behavior though, afaik. I guess something must have changed in the release, not sure what, but I don't think it's a bug.
Description of problem: It appeared just after reboot Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport
Added.
Description of problem: I'm not sure; the SELinux Alert Browser just popped up with this. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log.
*****  Plugin catchall (100. confidence) suggests  ***************************
Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log [ dir ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
Target RPM Packages           filesystem-3.2-10.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name
Platform                      Linux 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   8226
First Seen                    2013-06-13 00:49:05 EDT
Last Seen                     2013-06-13 09:57:25 EDT
Local ID                      be5bcb9b-ad10-4683-8464-0f350bccedad
Raw Audit Messages
type=AVC msg=audit(1371131845.127:8742): avc: denied { read } for pid=585 comm="accounts-daemon" name="log" dev="dm-1" ino=2883619 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1371131845.127:8742): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7fae6947bb90 a2=1002fce a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
Description of problem: Updated to the latest accountsservice Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: At system reboot Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport
Description of problem: just logged after an update Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: G3 was just started. did nothing, no mouse click, no keyboard typing. F19 beta up to date. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport
Description of problem: Just popped up after a reboot (system had hung prior to the reboot). Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
As this seems to hit everyone, nominating as a blocker per Final criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)".
Description of problem: This bug occurred after update and logged session Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Note the bug also affected rawhide as well running on VM using Gnome Boxes.
Description of problem: Happens immediately after login Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: After the first logon screen, and when desktop is loaded. Maybe this problem is caused by a recent automatic system update. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport
Description of problem: This SELinux warning has been popping up at every startup of Fedora 19 for some days (2 or 3). Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: just logged my computer after night shutdown Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: Didn't do much. Came up after login. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
I recommend people hitting this (which is, pretty much, everyone using GNOME, apparently) do the 'audit2allow' operation suggested by the SELinux troubleshooter for now, otherwise this problem is just going to spam the hell out of your logs; the access is tried about every three seconds on my systems.
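Added example (not part of the original bug report, and not audit2allow itself): a simplified Python parser for the AVC records quoted in this report. It groups denials by source type, target type and class and renders the type-enforcement rule a local module would have to contain, so the rule can be reviewed before running `semodule -i`. Function names are illustrative; the log lines are the ones quoted in this bug report.

```python
import re
from collections import Counter

# AVC/SYSCALL records copied from the comments in this bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1371079912.935:486): avc: denied { read } for pid=608 comm="accounts-daemon" name="log" dev="dm-0" ino=524325 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1371079912.935:486): arch=i386 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=b8790ce0 a2=1002fce a3=b8790cc0 items=0 ppid=1 pid=608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(1371131845.127:8742): avc: denied { read } for pid=585 comm="accounts-daemon" name="log" dev="dm-1" ino=2883619 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1371215508.382:475): avc: denied { read } for pid=522 comm="accounts-daemon" name="log" dev="dm-1" ino=393231 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to build a rule
    return {
        "comm": fields.get("comm", "?"),
        # A context is user:role:type:level; the type is the third field.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": m.group("perms").split(),
    }


def summarize(log_text):
    """Merge denials into {(source, target, class): permissions}, with counts
    and the comm,source,target,class,perm tuple shown on the "Hash:" line."""
    perms, counts, hashes = {}, Counter(), set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms.setdefault(key, set()).update(rec["perms"])
        counts[key] += 1
        hashes.add(",".join([rec["comm"], *key, *rec["perms"]]))
    return perms, counts, hashes


def allow_rules(perms):
    """Render each group as the TE allow rule a local module would need."""
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    perms, counts, hashes = summarize(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(perms)))
    print(dict(counts), sorted(hashes))
```

A rule of this shape applies to the whole accountsd_t domain and to every directory labelled var_log_t, which is the scope to weigh before loading a local module.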
The update has been submitted.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
The update works for me, thanks.
I'm happy now, thanks....
Description of problem: Reboot after updates! Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport
Description of problem: After updating accountsservice-0.6.34-1.fc19.x86_64 Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: I installed F19 Final TC3, updated with testing updates, created another user and logged in (to GNOME). Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Same happens to me after update F19: Raw Audit Messages type=AVC msg=audit(1371215508.382:475): avc: denied { read } for pid=522 comm="accounts-daemon" name="log" dev="dm-1" ino=393231 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
Description of problem: just installed recent updates for F19Beta which included some auth subsystem changes, rebooted Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: This bug is really annoying me - abrt is flagging this every 5 seconds Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: This is driving me crazy, my PC is running warm and is very slow. Please publish a workaround until this item can be fixed.... Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Simon: there's already an update linked from this bug. Just install it.
Description of problem: After fresh install of Fedora 19 beta Mate when starting the desktop you get many SELinux notifications. If you close one another pops up over and over and over. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: F19 beta desktop running. 2x of these alerts have popped up. I do use the gnome log viewer, but don't know if this is related. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
For those who have a loop in /var/log/messages and the PC gets warm, just delete the files at /var/log/journal/ as described here http://www.happyassassin.net/2013/06/14/fedora-1920-logfile-explosions/
Description of problem: Just after login. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686.PAE type: libreport
Well, I followed the advice from http://www.happyassassin.net/2013/06/14/fedora-1920-logfile-explosions/ as suggested and installed the SELinux policy packages straight from http://koji.fedoraproject.org/koji/buildinfo?buildID=426578 and things seem to have calmed down, but I sure was drowning in logs for a while there.
hraf: if your logs aren't terribly important you can follow the other advice from my post to wipe large journal files to save a bit of space and prevent your journalctl output being huge and slow.
I added the policy myself and deleted the journal files. Rebooted and it worked like a charm. Of course I didn't need the information in those files. The system created new ones with the same name.
Already did that Adam, thanks for the tip.
Description of problem: Notification shown in gnome shell after rebooting. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Phew! Many thanks for the quick responses. Updating to: http://koji.fedoraproject.org/koji/buildinfo?buildID=426578 plus, deleting all .journal and .journal~ files found in sub-folders under /var/log/journal and rebooting did the trick.
Description of problem: I just logged in Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: The problem appeared at the very end of booting Fedora 19, about the time when the clock applet appears in the middle of the upper panel. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: fedora 19 yum-updated today (15/06/2013). The problem shows up after rebooting the system and logging in. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
*** Bug 973367 has been marked as a duplicate of this bug. ***
Description of problem: After logging in to Fedora 19 beta I did receive that Selinux alarm. Consultation needed here. First time I feel a bit lost and disorientated, about how to categorize and how to decide about that specific Selinux alarm here. Very often I could decide to establish a local policy module, but very much apprehensive to do the suggested #grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol, #semodule -i mypol.pp here. If I don't allow access, the Selinux-Alarm will be triggered again for sure. Feels almost like an autoimmune reaction of the system (joking here) Any advice? Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686.PAE type: libreport
Description of problem: booting after login Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: This is an upgraded Fedora 19 system (from v18). This alert comes up after logging into Gnome shell. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Klaus: just install the update. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19 http://koji.fedoraproject.org/koji/buildinfo?buildID=426578
(In reply to Ray Strode [halfline] from comment #7)
> because it watches when accounts come and go in wtmp. This isn't new
> behavior though, afaik. I guess something must have changed in the release,
> not sure what, but I don't think it's a bug.
Should it be migrated to use systemd-logind (at least when available?) instead of watching wtmp?
Description of problem: updated for today's F19+updates-testing, rebooted for kernel changes and just logged into gnome session Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: The problem happens every time I boot my laptop. I believe that the access is required. I have not allowed the access yet as it is an annoyance rather than a real problem for me. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: I restarted the computer for the first time after the initial installation of F19Beta. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Trying this correction and I get the following errors. I'm new to linux and not sure what I'm doing wrong. Could someone suggest the correct way to get the update installed?
yum localupdate selinux-policy-3.12.1-52.fc19.noarch.rpm
Failed to set locale, defaulting to C
Loaded plugins: langpacks, refresh-packagekit
Examining selinux-policy-3.12.1-52.fc19.noarch.rpm: selinux-policy-3.12.1-52.fc19.noarch
Marking selinux-policy-3.12.1-52.fc19.noarch.rpm as an update to selinux-policy-3.12.1-48.fc19.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.12.1-48.fc19 will be updated
--> Processing Dependency: selinux-policy = 3.12.1-48.fc19 for package: selinux-policy-targeted-3.12.1-48.fc19.noarch
--> Processing Dependency: selinux-policy = 3.12.1-48.fc19 for package: selinux-policy-targeted-3.12.1-48.fc19.noarch
---> Package selinux-policy.noarch 0:3.12.1-52.fc19 will be an update
--> Finished Dependency Resolution
Error: Package: selinux-policy-targeted-3.12.1-48.fc19.noarch (@fedora)
           Requires: selinux-policy = 3.12.1-48.fc19
           Removing: selinux-policy-3.12.1-48.fc19.noarch (@fedora)
               selinux-policy = 3.12.1-48.fc19
           Updated By: selinux-policy-3.12.1-52.fc19.noarch (/selinux-policy-3.12.1-52.fc19.noarch)
               selinux-policy = 3.12.1-52.fc19
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
Kurt: there's two or three packages you have to update together. If the packages haven't reached your mirror yet, the easiest thing to do is go to /tmp , run 'bodhi -D selinux-policy-3.12.1-52.fc19' , and then 'yum update selin*.rpm'. That will do what you need (might need 'yum install bodhi' first).
Description of problem: I have tried to transmit a bugreport via bugzilla (initial bug 973849) and my bugzilla id was wrong ! Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: boot the system login to KDE Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686.PAE type: libreport
(In reply to Adam Williamson from comment #55)
> Klaus: just install the update.
>
> https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=426578
Adam, thanks for providing an update. Feels right but installation efforts with yumex deliver a message
error resolving dependencies:
package: selinux-policy-targeted-3.12.1-48.fc19.noarch (@updates-testing)
requires: selinux-policy = 3.12.1-48.fc19
to remove: selinux-policy-3.12.1-48.fc19.noarch (@fedora)
selinux-policy = 3.12.1-48.fc19
updated by: selinux-policy-3.12.1-52.fc19.noarch (/selinux-policy-3.12.1-52.fc19.noarch(1))
selinux-policy = 3.12.1-52.fc19
Description of problem: Updated f18-f19 with fedup, relabeled and then logged in. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
(In reply to klaus from comment #64)
> (In reply to Adam Williamson from comment #55)
> > Klaus: just install the update.
> >
> > https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
> >
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=426578
>
> Adam, thanks for providing an update. Feels right but installation efforts
> with yumex deliver a message
>
> error resolving dependencies:
>
> package: selinux-policy-targeted-3.12.1-48.fc19.noarch (@updates-testing)
> requires: selinux-policy = 3.12.1-48.fc19
> to remove: selinux-policy-3.12.1-48.fc19.noarch (@fedora)
> selinux-policy = 3.12.1-48.fc19
> updated by: selinux-policy-3.12.1-52.fc19.noarch
> (/selinux-policy-3.12.1-52.fc19.noarch(1))
> selinux-policy = 3.12.1-52.fc19
Execute rpm -qa selinux\* and update all packages listed to avoid that error.
Description of problem: This popped up after I logged in from booting up. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
(In reply to Adam Williamson from comment #61)
> Kurt: there's two or three packages you have to update together. If the
> packages haven't reached your mirror yet, the easiest thing to do is go to
> /tmp , run 'bodhi -D selinux-policy-3.12.1-52.fc19' , and then 'yum update
> selin*.rpm'. That will do what you need (might need 'yum install bodhi'
> first).
Thank you, that worked like a charm. The update fixed the problem as well. Thanks!
Description of problem: You should report this as a bug. You can generate a local policy module to allow this access. Allow this access for now by executing: # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.ppv Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: Boot F19 beta, watch setroubleshoot almost immediately start complaining. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: I installed all the latest updates for Fedora-19, then shut down my machine. Upon starting it up again the next day I got this selinux denial. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Discussed at 2013-06-17 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-17/f19final-blocker-review-6.2013-06-17-16.01.log.txt . Accepted as a blocker per criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)" . Please, everyone who's hitting this, just install the selinux-policy update. It fixes it.
Description of problem: This happened on first login after a cold boot Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: automatic report? Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
Description of problem: Just noticed it on the message tray, no idea how it occurred. Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport
https://admin.fedoraproject.org/updates/FEDORA-2013-10881/selinux-policy-3.12.1-52.fc19 has gone stable, closing.