Bug 1555328 - SELinux denying remount by 'ostnamed'
Summary: SELinux denying remount by 'ostnamed'
Keywords:
Status: CLOSED DUPLICATE of bug 1554776
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F28BetaFreezeException
Reported: 2018-03-14 13:40 UTC by Micah Abbott
Modified: 2018-03-16 22:56 UTC (History)

Fixed In Version: selinux-policy-3.14.1-14.fc28
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-16 22:56:51 UTC
Type: Bug
Embargoed:



Description Micah Abbott 2018-03-14 13:40:40 UTC
Booting into a Fedora Rawhide Atomic Host, the following SELinux denial is observed in the journal:

Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[886]: AVC avc:  denied  { remount } for  pid=886 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0


This doesn't seem to affect the operation of the host, but just reporting it here.


$ rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180311.n.1 (2018-03-11 22:20:53)
                    Commit: b6d9fe6f817044bcaac2cbdbd52e3cdd7df02b718ceeeba1652ca1e0528db804

$ rpm -q selinux-policy systemd
selinux-policy-3.14.2-4.fc29.noarch
systemd-238-3.fc29.x86_64


$ sudo journalctl -b | grep -C 10 'avc:  denied' 
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Started Initial cloud-init job (pre-networking).
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cloud-init-local comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Reached target Network (Pre).
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Starting Network Manager...
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Starting Initial cloud-init job (metadata service crawler)...
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info>  [1521034314.4439] NetworkManager (version 1.10.2-1.fc28) is starting... (for the first time)
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info>  [1521034314.4453] Read config: /etc/NetworkManager/NetworkManager.conf
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info>  [1521034314.4644] manager[0x555f26bc4080]: monitoring kernel firmware directory '/lib/firmware'.
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain dbus-daemon[815]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.3' (uid=0 pid=869 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Starting Hostname Service...
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[886]: AVC avc:  denied  { remount } for  pid=886 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[886]: SYSCALL arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=564dd6eacf50 a2=0 a3=102f items=0 ppid=1 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ostnamed)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit: PROCTITLE proctitle="(ostnamed)"
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain dbus-daemon[815]: [system] Successfully activated service 'org.freedesktop.hostname1'
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Started Hostname Service.
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info>  [1521034314.5604] hostname: hostname: using hostnamed
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info>  [1521034314.5605] hostname: hostname changed from (none) to "micah-f27ah-vm0314a.localdomain"
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain NetworkManager[869]: <info>  [1521034314.5614] dns-mgr[0x555f26be3950]: init: dns=default, rc-manager=symlink
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain systemd[1]: Started Network Manager.
Mar 14 13:31:54 micah-f27ah-vm0314a.localdomain dbus-daemon[815]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.3' (uid=0 pid=869 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
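
A triage sketch for the denial quoted in the description, added here as an example and not part of the original report or of any Fedora tooling: it joins the AVC record to the SYSCALL record of the same pid and decodes the mount(2) flags word carried in `a3`. Joining on pid and the helper names (`fields`, `decode_mount_flags`, `triage`) are assumptions of this example.

```python
import errno
import re

# Constructed input: the report's AVC and SYSCALL records, abridged, journal prefix trimmed.
SAMPLE = [
    'audit[886]: AVC avc:  denied  { remount } for  pid=886 comm="(ostnamed)" '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0',
    'audit[886]: SYSCALL arch=c000003e syscall=165 success=no exit=-13 a0=0 '
    'a1=564dd6eacf50 a2=0 a3=102f items=0 ppid=1 pid=886 comm="(ostnamed)" '
    'exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)',
]

# Subset of the mount(2) flag bits defined in <linux/mount.h>.
MS_FLAGS = {0x1: "MS_RDONLY", 0x2: "MS_NOSUID", 0x4: "MS_NODEV",
            0x8: "MS_NOEXEC", 0x20: "MS_REMOUNT", 0x1000: "MS_BIND"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def fields(line):  # split one audit record into its key=value pairs
    return {k: v.strip('"') for k, v in KV.findall(line)}

def decode_mount_flags(value):
    """Name the known bits of a mount(2) flags word; leftovers stay in hex."""
    names = [name for bit, name in MS_FLAGS.items() if value & bit]
    rest = value & ~sum(MS_FLAGS)
    return names + ([hex(rest)] if rest else [])

def triage(lines):
    """Summarise each AVC denial, joined to the SYSCALL record of the same pid."""
    syscalls = {f["pid"]: f for f in map(fields, lines) if "syscall" in f}
    out = []
    for line in lines:
        m = DENIED.search(line)
        if m is None:
            continue
        avc = fields(line)
        sc = syscalls.get(avc["pid"])  # None when only the AVC record was captured
        # arch c000003e with syscall 165 is mount(2) on x86_64; a3 holds its flags.
        is_mount = bool(sc) and (sc["arch"], sc["syscall"]) == ("c000003e", "165")
        out.append({
            "perms": m.group(1).split(),
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "enforced": avc["permissive"] == "0",
            "errno": errno.errorcode.get(-int(sc["exit"])) if sc else None,
            "mount_flags": decode_mount_flags(int(sc["a3"], 16)) if is_mount else None,
        })
    return out
```

On the records above this reports an enforced `remount` denial from `init_t` on an `unlabeled_t` filesystem, failing with EACCES on a mount call whose flags decode to a read-only, nosuid, nodev, noexec bind remount.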

Comment 1 Dusty Mabe 2018-03-16 13:18:42 UTC
This is also affecting f28.. going to move to f28 and propose as FE.

Comment 2 Fedora Blocker Bugs Application 2018-03-16 13:20:34 UTC
Proposed as a Freeze Exception for 28-beta by Fedora user dustymabe using the blocker tracking app because:

 Would be nice to get this denial cleaned up so our CI tests can start passing again for f28

Comment 3 Paul Whalen 2018-03-16 19:34:13 UTC
Seeing this on aarch64 as well

----
time->Fri Mar 16 18:36:43 2018
type=AVC msg=audit(1521239803.932:125): avc:  denied  { remount } for  pid=883 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0

soft failures in openqa:
https://openqa.stg.fedoraproject.org/tests/254597#step/_console_avc_crash/8

Comment 4 Adam Williamson 2018-03-16 22:56:51 UTC
We already had a bug for this. Transferring nomination.

*** This bug has been marked as a duplicate of bug 1554776 ***

