Bug 1607806
Summary: | SELinux is preventing /usr/lib/systemd/systemd from 'mounton' accesses on the file /run/systemd/unit-root/proc/kallsyms. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:eeb7519b8f47bb495339926778c00566b4179beb48c5d73053460bc6382f4e99;VARIANT_ID=server; | ||
Fixed In Version: | selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-09-12 02:57:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Lukas Slebodnik
2018-07-24 10:14:44 UTC
Similar AVCs with different processes:

```
----
type=PROCTITLE msg=audit(07/24/2018 12:11:33.959:320) : proctitle=(upowerd)
type=PATH msg=audit(07/24/2018 12:11:33.959:320) : item=1 name=/run/systemd/inaccessible/reg inode=14388 dev=00:17 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/24/2018 12:11:33.959:320) : item=0 name=/run/systemd/unit-root/proc/kallsyms inode=4026532080 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_map_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/24/2018 12:11:33.959:320) : cwd=/
type=SYSCALL msg=audit(07/24/2018 12:11:33.959:320) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x7f054f69e845 a1=0x560d598c7100 a2=0x0 a3=MS_BIND|MS_REC items=2 ppid=1 pid=2299 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(upowerd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(07/24/2018 12:11:33.959:320) : avc: denied { mounton } for pid=2299 comm=(upowerd) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/24/2018 12:11:33.976:321) : proctitle=(upowerd)
type=PATH msg=audit(07/24/2018 12:11:33.976:321) : item=1 name=/run/systemd/unit-root/var/lib/upower inode=100400 dev=00:29 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devicekit_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/24/2018 12:11:33.976:321) : item=0 name=/run/systemd/unit-root/var/lib/upower inode=100400 dev=00:29 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devicekit_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/24/2018 12:11:33.976:321) : cwd=/
type=SYSCALL msg=audit(07/24/2018 12:11:33.976:321) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x560d599a58b0 a1=0x560d599a58b0 a2=0x0 a3=MS_BIND|MS_REC items=2 ppid=1 pid=2299 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(upowerd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(07/24/2018 12:11:33.976:321) : avc: denied { mounton } for pid=2299 comm=(upowerd) path=/run/systemd/unit-root/var/lib/upower dev="dm-1" ino=100400 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devicekit_var_lib_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(07/24/2018 12:11:36.686:330) : proctitle=(ostnamed)
type=PATH msg=audit(07/24/2018 12:11:36.686:330) : item=1 name=/run/systemd/inaccessible/reg inode=14388 dev=00:17 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/24/2018 12:11:36.686:330) : item=0 name=/run/systemd/unit-root/proc/kallsyms inode=4026532080 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_map_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/24/2018 12:11:36.686:330) : cwd=/
type=SYSCALL msg=audit(07/24/2018 12:11:36.686:330) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x7f054f69e845 a1=0x560d599912d0 a2=0x0 a3=MS_BIND|MS_REC items=2 ppid=1 pid=2789 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(ostnamed) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(07/24/2018 12:11:36.686:330) : avc: denied { mounton } for pid=2789 comm=(ostnamed) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(07/24/2018 12:11:35.428:326) : proctitle=(geoclue)
type=PATH msg=audit(07/24/2018 12:11:35.428:326) : item=1 name=/run/systemd/inaccessible/reg inode=14388 dev=00:17 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/24/2018 12:11:35.428:326) : item=0 name=/run/systemd/unit-root/proc/kallsyms inode=4026532080 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_map_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/24/2018 12:11:35.428:326) : cwd=/
type=SYSCALL msg=audit(07/24/2018 12:11:35.428:326) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x7f054f69e845 a1=0x560d599c3030 a2=0x0 a3=MS_BIND|MS_REC items=2 ppid=1 pid=2591 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(geoclue) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(07/24/2018 12:11:35.428:326) : avc: denied { mounton } for pid=2591 comm=(geoclue) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
```

BZ is in MODIFIED state but I can still see AVC with selinux-policy-3.14.2-30.fc29.noarch

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
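A small triage helper, added here as an example (not code from this bug or from selinux-policy), that parses the type=AVC lines of the report and collapses the "similar AVCs with different process" into the distinct (source type, target type, class, permission) tuples a policy rule would have to cover, also flagging whether any denial was actually enforced (permissive=0) rather than only logged. It assumes the ausearch -i layout shown in the report, one record per line.

```python
import re

# Constructed input: the four type=AVC lines quoted in this bug report, laid
# out as ausearch -i prints them (one record per line).
AVC_RECORDS = """\
type=AVC msg=audit(07/24/2018 12:11:33.959:320) : avc: denied { mounton } for pid=2299 comm=(upowerd) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/24/2018 12:11:33.976:321) : avc: denied { mounton } for pid=2299 comm=(upowerd) path=/run/systemd/unit-root/var/lib/upower dev="dm-1" ino=100400 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devicekit_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/24/2018 12:11:36.686:330) : avc: denied { mounton } for pid=2789 comm=(ostnamed) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/24/2018 12:11:35.428:326) : avc: denied { mounton } for pid=2591 comm=(geoclue) path=/run/systemd/unit-root/proc/kallsyms dev="proc" ino=4026532080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
"""

# The fields of an AVC record that identify the missing policy rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?\bcomm=(?P<comm>\S+)"
    r".*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

def context_type(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> type

def parse_avc(line):
    """Parse one type=AVC denial line; None for any other record."""
    m = AVC_RE.search(line) if line.lstrip().startswith("type=AVC") else None
    return m.groupdict() if m else None

def summarize(text):
    """Group denials by (source type, target type, class, perms).
    'blocked' is True only if a record had permissive=0, i.e. the access
    was refused rather than just logged (every record here is permissive=1)."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], " ".join(sorted(rec["perms"].split())))
        g = groups.setdefault(key, {"count": 0, "comms": set(), "blocked": False})
        g["count"] += 1
        g["comms"].add(rec["comm"])
        g["blocked"] = g["blocked"] or rec["permissive"] == "0"
    return groups

def suggest_rule(key):
    """Allow rule in the shape audit2allow prints for one denial tuple
    (the actual selinux-policy fix for this bug is not shown on the page)."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {perms} }};"

if __name__ == "__main__":
    for key, g in summarize(AVC_RECORDS).items():
        print(g["count"], sorted(g["comms"]), suggest_rule(key))
```

Running it reduces the four records to two tuples: init_t mounton on system_map_t:file (three different services) and init_t mounton on devicekit_var_lib_t:dir, both logged in permissive mode.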