Bug 733086 - avcs on boot - rtc and /dev/live and systemd-tmpfiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libselinux
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedNTH
Duplicates: 733512
Depends On:
Blocks: F16Beta-accepted, F16BetaFreezeExcept F16Blocker, F16FinalBlocker
 
Reported: 2011-08-24 17:29 UTC by Mads Kiilerich
Modified: 2011-09-23 04:01 UTC (History)
CC: 19 users

Fixed In Version: libselinux-2.1.5-5.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-23 04:01:53 UTC
Type: ---
Embargoed:


Attachments:
dmesg (deleted), 2011-08-24 17:29 UTC, Mads Kiilerich
dmesg (deleted), 2011-08-25 12:29 UTC, Mads Kiilerich

Description Mads Kiilerich 2011-08-24 17:29:38 UTC
Created attachment 519674
dmesg

When booting live image with
selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64
udev-173-1.fc16.x86_64

I get:

[   16.592255] type=1400 audit(1314206451.269:4): avc:  denied  { relabelto } for  pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.592355] type=1400 audit(1314206451.270:5): avc:  denied  { associate } for  pid=538 comm="udevd" name="rtc" dev=devtmpfs ino=1326 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

[   17.380126] type=1400 audit(1314206452.058:6): avc:  denied  { associate } for  pid=463 comm="udevd" name="live" dev=devtmpfs ino=6778 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   17.382508] udevd[463]: setfilecon /dev/live failed: Permission denied

[   18.537611] systemd-tmpfiles[748]: Successfully loaded SELinux database in 16ms 966us, size on heap is 464K.
[   18.590550] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.602486] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.603547] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.610616] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.613431] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.615268] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.616286] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.617392] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.618274] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.619099] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.619919] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.620572] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.621293] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.622276] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.623425] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.631411] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.632045] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   18.632578] type=1400 audit(1314206453.311:7): avc:  denied  { write } for  pid=748 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[   18.632696] systemd-tmpfiles[748]: Failed to create directory /var/cache/man: Permission denied
[   18.633078] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.634558] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.635318] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.636119] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   18.636634] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.642937] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.645264] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.647172] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   18.649596] systemd-tmpfiles[748]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

I don't know if they are related ... or if the latter should be reported to systemd?

Comment 1 Miroslav Grepl 2011-08-25 09:38:57 UTC
Did you build own live image?

Comment 2 Mads Kiilerich 2011-08-25 09:57:47 UTC
Yes I did. I don't think official images have been made from -testing with dracut-013-4 yet - but I'm not up-to-date on that.

I'm using livecd-tools-16.3-1.fc16.x86_64 . AFAIK the conclusion on bug 728576 was that it should be OK as long as there is no /selinux on the build host. I would however expect the version with dwalsh's fixes to get in now after the alpha has been released.

I can try with the rawhide livecd-tools - if you think that makes any difference?

Comment 3 Mads Kiilerich 2011-08-25 12:29:25 UTC
Created attachment 519832
dmesg

I get the same (and other) avcs on a real installed non-live system:

[   16.402026] type=1400 audit(1314274910.239:3): avc:  denied  { relabelto } for  pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.406903] type=1400 audit(1314274910.244:4): avc:  denied  { associate } for  pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   16.419579] type=1400 audit(1314274910.257:5): avc:  denied  { write } for  pid=569 comm="udevd" name="rtc" dev=devtmpfs ino=1294 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

[   20.478361] type=1400 audit(1314274914.325:6): avc:  denied  { relabelto } for  pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   20.482800] type=1400 audit(1314274914.329:7): avc:  denied  { write } for  pid=579 comm="udevd" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   20.489577] type=1400 audit(1314274914.336:8): avc:  denied  { create } for  pid=579 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

[   22.518889] type=1400 audit(1314274916.370:9): avc:  denied  { read } for  pid=918 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.522458] type=1400 audit(1314274916.374:10): avc:  denied  { getattr } for  pid=918 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.596964] type=1400 audit(1314274916.448:11): avc:  denied  { read } for  pid=919 comm="lvm" name="scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.599293] type=1400 audit(1314274916.451:12): avc:  denied  { getattr } for  pid=919 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=7326 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   22.671811] type=1400 audit(1314274916.523:13): avc:  denied  { associate } for  pid=638 comm="udevd" name="root" dev=devtmpfs ino=10462 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

[   24.914650] multipathd[988]: /etc/multipath.conf does not exist, blacklisting all devices.
[   24.917362] type=1400 audit(1314274918.771:14): avc:  denied  { getattr } for  pid=996 comm="modprobe" path="socket:[14635]" dev=sockfs ino=14635 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
[   24.917624] multipathd[988]: A sample multipath.conf file is located at

I guess the new dracut requires new policies ... or is buggy ...

selinux-policy-targeted-3.10.0-18.fc16.noarch
dracut-013-4.fc16.noarch
systemd-33-2.fc16.x86_64

Comment 4 Miroslav Grepl 2011-08-25 12:37:45 UTC
What does

# matchpathcon /dev/rtc

show on your F16 real installed non-live system?

Comment 5 Mads Kiilerich 2011-08-25 12:40:46 UTC
[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc	system_u:object_r:default_t:s0
[root@imac ~]# restorecon /dev/rtc
[root@imac ~]# matchpathcon /dev/rtc
/dev/rtc	system_u:object_r:default_t:s0
[root@imac ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.10.0-18.fc16.noarch
[root@imac ~]#

Comment 6 Mads Kiilerich 2011-08-25 12:58:22 UTC
I guess it doesn't make sense to repeat matchpathcon without -V, but both before and after and everywhere and with selinux-policy-targeted-3.10.0-21.fc16 it is:
lrwxrwxrwx. root root system_u:object_r:default_t:s0   /dev/rtc -> rtc0
crw-------. root root system_u:object_r:clock_device_t:s0 /dev/rtc0

Comment 7 Daniel Walsh 2011-08-25 19:06:46 UTC
So this is fixed with -21 correct?

Comment 8 Mads Kiilerich 2011-08-25 23:02:16 UTC
No, it is not my experience that -21 fixes it, but I also didn't look for that. Should -21 fix it? Then I will try again and focus on that.

One piece of the puzzle I might be missing: Is the policy more or less included in the dracut initrd so that I have to rebuild it after updating the policy? Or do the dracut scripts run without SE constraints until the policy is loaded from /etc ?

Comment 9 Mads Kiilerich 2011-08-26 19:12:15 UTC
After installation of -21 and relabel and dracut -f I still get:

[   15.842516] type=1400 audit(1314384836.679:3): avc:  denied  { relabelto } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   15.847266] type=1400 audit(1314384836.684:4): avc:  denied  { associate } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   15.849860] type=1400 audit(1314384836.687:5): avc:  denied  { write } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.752414] type=1400 audit(1314384837.591:6): avc:  denied  { relabelto } for  pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.757783] type=1400 audit(1314384837.597:7): avc:  denied  { associate } for  pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   16.760762] type=1400 audit(1314384837.600:8): avc:  denied  { write } for  pid=603 comm="udevd" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   16.768291] type=1400 audit(1314384837.607:9): avc:  denied  { create } for  pid=603 comm="udevd" name="cdrom" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   23.345013] type=1400 audit(1314384844.199:10): avc:  denied  { read } for  pid=825 comm="udisks-lvm-pv-e" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   23.350214] type=1400 audit(1314384844.204:11): avc:  denied  { getattr } for  pid=825 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   24.441708] type=1400 audit(1314384845.298:12): avc:  denied  { read } for  pid=885 comm="lvm" name="scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   24.443988] type=1400 audit(1314384845.301:13): avc:  denied  { getattr } for  pid=885 comm="lvm" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   27.258082] dbus[998]: avc:  netlink poll: error 4

and I get 
[root@imac ~]# restorecon -R -v /dev
restorecon reset /dev/dvdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/dvd context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrw context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/cdrom context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/root context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/scd0 context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/rtc context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

selinux-policy-targeted-3.10.0-21.fc16.noarch
dracut-013-4.fc16.noarch
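The denials quoted in the description and in comment 9 all have the same shape: a device node or symlink in /dev carries default_t, and either udevd is refused relabelto/write on it, or the "associate" check on tclass=filesystem fails. For the filesystem class the roles are inverted compared with the usual AVC line: scontext is the label of the object being created or relabeled and tcontext is the label of the filesystem it lives on, which is why scontext shows object_r:default_t rather than a process domain. The script below is an added example, not part of this bug report or of any Fedora or SELinux tool. It parses "avc: denied" lines of the format shown here, reads the "restorecon -R -v -n" output from comment 9, and reports which denials are explained by a label that restorecon would reset (a labeling problem) rather than by a missing allow rule. The sample input is copied from the logs above; the basename-based join between the two inputs is a simplification chosen for the example.

```python
import re

# Constructed sample input: AVC lines and restorecon output copied from the
# logs quoted in this bug report (the trailing dbus line is a non-denial
# "avc:" message that the parser must skip).
AVC_LINES = """\
[   15.842516] type=1400 audit(1314384836.679:3): avc:  denied  { relabelto } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   15.847266] type=1400 audit(1314384836.684:4): avc:  denied  { associate } for  pid=500 comm="udevd" name="rtc" dev=devtmpfs ino=10268 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   23.350214] type=1400 audit(1314384844.204:11): avc:  denied  { getattr } for  pid=825 comm="udisks-lvm-pv-e" path="/dev/scd0" dev=devtmpfs ino=10309 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
[   18.632578] type=1400 audit(1314206453.311:7): avc:  denied  { write } for  pid=748 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[   27.258082] dbus[998]: avc:  netlink poll: error 4
"""

RESTORECON_OUTPUT = """\
restorecon reset /dev/scd0 context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/rtc context system_u:object_r:default_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESTORECON_RE = re.compile(
    r'^restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)')


def type_of(ctx):
    """user:role:type[:range] -> type (the part policy rules are written in)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one kernel AVC denial; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    name = f.get('name')
    if name is None and 'path' in f:
        name = f['path'].rsplit('/', 1)[-1]
    return {'perms': m.group('perms').split(), 'comm': f.get('comm'),
            'name': name, 'scontext': f['scontext'],
            'tcontext': f['tcontext'], 'tclass': f['tclass']}


def parse_restorecon(text):
    """Map basename -> (path, current type, type the policy expects)."""
    drift = {}
    for line in text.splitlines():
        m = RESTORECON_RE.match(line)
        if m:
            drift[m.group('path').rsplit('/', 1)[-1]] = (
                m.group('path'), type_of(m.group('old')), type_of(m.group('new')))
    return drift


def explain(rec, drift):
    """Return (kind, message) for a denial, using restorecon drift if it applies."""
    if rec['tclass'] == 'filesystem' and 'associate' in rec['perms']:
        # For the filesystem class the roles are inverted: scontext is the
        # label of the file being created/relabeled, tcontext the filesystem's.
        obj_type = type_of(rec['scontext'])
        kind = 'mislabeled-object'
        msg = (f"{rec['comm']} tried to put a {obj_type} object named {rec['name']} "
               f"on a {type_of(rec['tcontext'])} filesystem")
    else:
        obj_type = type_of(rec['tcontext'])
        kind = 'domain-denied'
        msg = (f"{type_of(rec['scontext'])} ({rec['comm']}) denied "
               f"{' '.join(rec['perms'])} on {rec['tclass']} {rec['name']} "
               f"labeled {obj_type}")
    hit = drift.get(rec['name'])
    if hit and hit[1] == obj_type:
        # The object carries exactly the label restorecon wants to replace, so
        # the denial is a labeling problem, not a missing allow rule.
        kind = 'label-drift'
        msg += f"; restorecon would relabel {hit[0]} {hit[1]} -> {hit[2]}"
    return kind, msg


def triage(avc_text, restorecon_text):
    drift = parse_restorecon(restorecon_text)
    return [explain(rec, drift)
            for rec in map(parse_avc, avc_text.splitlines()) if rec]


if __name__ == '__main__':
    for kind, msg in triage(AVC_LINES, RESTORECON_OUTPUT):
        print(f"[{kind}] {msg}")
```

Run against the sample input, the three /dev denials come out as label-drift (the object is default_t and restorecon wants device_t), while the systemd-tmpfiles write on /var/cache is reported as an ordinary domain denial because nothing in the restorecon output touches it, which matches the split that later led to the separate systemd-tmpfiles bug. Joining on basename is deliberately simple; on a real box feed it the full path from "path=" where present, since /dev/root and /root would otherwise collide.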

Comment 10 Daniel Walsh 2011-08-26 20:43:36 UTC
Is this a livecd still?

Comment 11 Mads Kiilerich 2011-08-26 20:47:44 UTC
Comment 9 is on a real /dev/sda f16 + updates-testing system

(I obviously don't get the "live" errors here, but most of the avcs are the same.)

Comment 12 Daniel Walsh 2011-08-26 21:55:23 UTC
This looks like a bogus labelling and is either caused by dracut or systemd.

Comment 13 Harald Hoyer 2011-08-29 08:20:50 UTC
In F16 dracut does not do any selinux anymore. Systemd took full control over it.

Comment 14 Daniel Walsh 2011-08-29 16:17:23 UTC
*** Bug 733512 has been marked as a duplicate of this bug. ***

Comment 15 Mads Kiilerich 2011-09-09 15:31:10 UTC
The same issues are seen with:
systemd-35-1.fc16.i686
dracut-013-8.fc16.noarch
selinux-policy-targeted-3.10.0-25.fc16.noarch
kernel-PAE-3.1.0-0.rc4.git0.1.fc16.i686
on a livecd built with livecd-tools-16.5-1.fc16.

This one does however also show up on a "real" machine:
type=1400 audit(1315568190.150:3): avc:  denied  { associate } for  pid=505 comm="udevd" name="rtc" dev=devtmpfs ino=179 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

Comment 16 Peter Lemenkov 2011-09-11 11:51:22 UTC
Same for me:

[   56.745901] SELinux: initialized (dev sdh1, type xfs), uses xattr
[   56.851290] systemd-tmpfiles[959]: Successfully loaded SELinux database in 24ms 299us, size on heap is 469K.
[   56.878309] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.910704] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.915637] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.919232] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.922765] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.926310] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.929707] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.933037] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.936311] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.939428] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.942619] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.945781] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.961252] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.966561] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.969696] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.972737] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.975672] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied
[   56.978586] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied
[   56.981489] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.984506] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.987397] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.990160] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied
[   56.992969] systemd-tmpfiles[959]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied

Comment 17 Daniel Walsh 2011-09-12 19:23:22 UTC
If you run 

restorecon -R -v -n /run

Does it show anything?

Comment 18 Mads Kiilerich 2011-09-12 19:31:33 UTC
On a live system:

# restorecon -R -v -n /run
restorecon reset /run/abrt context system_u:object_r:var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/abrt/saved_core_pattern context system_u:object_r:initrc_var_run_t:s0->system_u:object_r:abrt_var_run_t:s0
restorecon reset /run/user/liveuser/dconf context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
restorecon reset /run/user/liveuser/dconf/user context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0

# dmesg|grep audit.*rtc
[   12.120169] type=1400 audit(1315852826.192:3): avc:  denied  { associate } for  pid=530 comm="udevd" name="rtc" dev=devtmpfs ino=9487 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem

# rpm -q dracut systemd selinux-policy-targeted
dracut-013-8.fc16.noarch
systemd-35-1.fc16.x86_64
selinux-policy-targeted-3.10.0-25.fc16.noarch


FWIW I see many issues that indicate problems with the dracut/systemd interfacing and stuff from before the root pivoting causing strange errors later.

Comment 19 Mads Kiilerich 2011-09-12 19:42:39 UTC
On an installed system with the same package versions and enforcing=0 there are (almost) the same avcs and bad fs labels as mentioned in comment 9, but nothing wrong in /run.

Comment 20 Daniel Walsh 2011-09-12 19:45:40 UTC
The dconf file labels should be fixed in the next policy update.  Where is rtc located?

Comment 21 Peter Lemenkov 2011-09-12 19:45:59 UTC
(In reply to comment #17)
> If you run 
> 
> restorecon -R -v -n /run
> 
> Does it show anything?

[root@nostromo ~]# restorecon -R -v -n /run
[root@nostromo ~]# 

Unfortunately, nothing was changed. I still see all these messages after reboot (they're gone only if I switch to the permissive mode).

Comment 22 Mads Kiilerich 2011-09-12 19:52:53 UTC
(In reply to comment #20)
> The dconf file labels should be fixed in the next policy update.  Where is rtc
> located?

I assume it is /dev/rtc - which comment 9 points out has the wrong label.

Comment 23 Mads Kiilerich 2011-09-12 19:55:38 UTC
(In reply to comment #21)
> (they're gone only if I switch to the permissive mode).

Really? I do see them in permissive mode - I don't think I am able to boot in enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

Comment 24 Peter Lemenkov 2011-09-12 20:06:39 UTC
(In reply to comment #23)
> (In reply to comment #21)
> > (they're gone only if I switch to the permissive mode).
> 
> Really? I do see them in permissive mode - I don't think I am able to boot in
> enforcing mode. Or did you mean selinux=0 / SELINUX=disabled mode?

Yes, I was wrong - they still exist in permissive mode as well.

I just updated to the latest selinux-policy-3.10.0-26.fc16.noarch and these issues are still here:

[root@nostromo ~]# dmesg | grep avc
[   17.456585] type=1400 audit(1315857818.600:4): avc:  denied  { associate } for  pid=445 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   17.520470] type=1400 audit(1315857818.664:5): avc:  denied  { associate } for  pid=447 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   56.882987] type=1400 audit(1315857858.025:6): avc:  denied  { associate } for  pid=714 comm="udevd" name="root" dev=devtmpfs ino=8261 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[   57.121410] type=1400 audit(1315857858.266:7): avc:  denied  { associate } for  pid=714 comm="udevd" name="rtc" dev=devtmpfs ino=8105 scontext=system_u:object_r:default_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
[root@nostromo ~]#

Comment 25 Daniel Walsh 2011-09-12 20:50:00 UTC
Fixed in libselinux-2.1.5-4.fc16

Comment 26 Fedora Update System 2011-09-12 20:51:52 UTC
libselinux-2.1.5-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16

Comment 27 Fedora Update System 2011-09-13 00:09:28 UTC
Package libselinux-2.1.5-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-4.fc16
then log in and leave karma (feedback).

Comment 28 Peter Lemenkov 2011-09-13 05:26:47 UTC
Confirmed. This fixed issues with udevd. Unfortunately the issues with systemd-tmpfiles are still remaining unfixed.

Comment 29 Mads Kiilerich 2011-09-13 08:46:41 UTC
I have filed 
Bug 737837 - systemd-tmpfiles: Failed to set security context ... for /var: Permission denied

Comment 30 Fedora Update System 2011-09-15 21:20:39 UTC
Package libselinux-2.1.5-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libselinux-2.1.5-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libselinux-2.1.5-5.fc16
then log in and leave karma (feedback).

Comment 31 Tim Flink 2011-09-17 02:39:23 UTC
Discussed in the 2011-09-16 blocker review meeting. Accepted as NTH for Fedora 16 beta because it will eventually be a final blocker and a fix is ready.

Comment 32 Fedora Update System 2011-09-23 04:01:42 UTC
libselinux-2.1.5-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

