View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0012779 | CentOS-7 | selinux-policy | public | 2017-02-04 08:51 | 2019-05-21 04:16 |
Reporter | lec@easterng.ro | ||||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | new | Resolution | open | ||
Platform | OS | OS Version | 7 | ||
Product Version | |||||
Target Version | Fixed in Version | ||||
Summary | 0012779: SELinux is preventing systemd-machine from 'search' accesses on the directory 10336. | ||||
Description | Description of problem: SELinux is preventing systemd-machine from 'search' accesses on the directory 10336.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-machine should be allowed search access on the 10336 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -i my-systemdmachine.pp

Additional Information:
Source Context                system_u:system_r:systemd_machined_t:s0
Target Context                system_u:system_r:svirt_t:s0:c356,c393
Target Objects                10336 [ dir ]
Source                        systemd-machine
Source Path                   systemd-machine
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-02-03 19:44:21 EET
Last Seen                     2017-02-03 19:44:21 EET
Local ID                      a9de8e72-dc26-4916-842c-9ecbd44e557c

Raw Audit Messages
type=AVC msg=audit(1486143861.795:13480): avc: denied { search } for pid=16719 comm="systemd-machine" name="10336" dev="proc" ino=1021043 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c356,c393 tclass=dir

Hash: systemd-machine,systemd_machined_t,svirt_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-102.el7_3.13.noarch

Additional Information | reporter: libreport-2.1.11.1; hashmarkername: setroubleshoot; kernel: 3.10.0-514.6.1.el7.x86_64; reproducible: Not sure how to reproduce the problem; type: libreport
Tags | No tags attached. | ||||
abrt_hash | 261bbef5aa693083a0f4cac92449b34508a8b9cff51d7100f581570e3e98aae8 | ||||
URL | |||||
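As an added triage example (not part of this bug report, nor code from setroubleshoot or audit2allow), the Python below parses raw AVC records like the ones quoted in the report, groups them by the same five-field key setroubleshoot prints as "Hash:", shows the TE rule audit2allow would generate, and flags that dev="proc" with an all-digit name means the target is a /proc/<pid> directory of a running VM process rather than a file on disk. The two AVC lines are copied from this report; the SYSCALL line and the function names are constructed for the example.

```python
import re
from collections import Counter

# Two AVC records copied from this report, plus one constructed SYSCALL line to show non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1486143861.795:13480): avc: denied { search } for pid=16719 comm="systemd-machine" name="10336" dev="proc" ino=1021043 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c356,c393 tclass=dir
type=AVC msg=audit(1495790599.193:3177): avc: denied { search } for pid=2564 comm="systemd-machine" name="4394" dev="proc" ino=43396 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c121,c203 tclass=dir
type=SYSCALL msg=audit(1486143861.795:13480): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    return context.split(":")[2]  # user:role:type[:level] -> the type, which policy rules name

def signature(rec):
    """The five-field key setroubleshoot prints as 'Hash:' in each report above."""
    return ",".join([rec["comm"], type_of(rec["scontext"]), type_of(rec["tcontext"]),
                     rec["tclass"], " ".join(rec["perms"])])

def allow_rule(rec):
    """The TE rule audit2allow would generate for this denial (braces only for several perms)."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (type_of(rec["scontext"]), type_of(rec["tcontext"]),
                                   rec["tclass"], perms)

def describe_target(rec):
    """dev="proc" with an all-digit name is /proc/<pid>: the target is a live process, not a file."""
    if rec.get("dev") == "proc" and rec.get("name", "").isdigit():
        return "/proc/%s (process in domain %s)" % (rec["name"], type_of(rec["tcontext"]))
    return rec.get("name", "?")

def triage(audit_text):
    """Group denials by signature and list the distinct rules a local module would need."""
    recs = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    return recs, Counter(signature(r) for r in recs), sorted({allow_rule(r) for r in recs})

if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT))
```

Aggregating first shows that every report in this thread is the same signature and would need the same single rule, which is the case the catchall plugin says to report as a policy bug rather than patch locally host by host.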
I have run into this issue on my CentOS 7 server which hosts a few VMs.

SELinux is preventing systemd-machine from search access on the directory 4394.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-machine should be allowed search access on the 4394 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -i my-systemdmachine.pp

Additional Information:
Source Context                system_u:system_r:systemd_machined_t:s0
Target Context                system_u:system_r:svirt_t:s0:c121,c203
Target Objects                4394 [ dir ]
Source                        systemd-machine
Source Path                   systemd-machine
Port                          <Unknown>
Host                          tourian.digitalbytes.net
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tourian.digitalbytes.net
Platform                      Linux tourian.digitalbytes.net 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-05-26 05:23:19 EDT
Last Seen                     2017-05-26 05:23:19 EDT
Local ID                      88e47dc9-ce6e-441c-9883-2103a635f1f2

Raw Audit Messages
type=AVC msg=audit(1495790599.193:3177): avc: denied { search } for pid=2564 comm="systemd-machine" name="4394" dev="proc" ino=43396 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c121,c203 tclass=dir

Hash: systemd-machine,systemd_machined_t,svirt_t,dir,search
Another user experienced a similar problem: restart libvirtd

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-514.21.1.el7.x86_64
package: selinux-policy-3.13.1-102.el7_3.16.noarch
reason: SELinux is preventing systemd-machine from 'search' accesses on the directory 29232.
reproducible: Not sure how to reproduce the problem
type: libreport
Another user experienced a similar problem: System was running headless.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.2.3.el7.x86_64
package: selinux-policy-3.13.1-192.el7_5.3.noarch
reason: SELinux is preventing systemd-machine from 'search' accesses on the directory 20062.
reproducible: Not sure how to reproduce the problem
type: libreport
Another user experienced a similar problem: Just did a yum update, which installed a new kernel and updated several packages from the "updates" repo:
This error popped up during what looks like either the end of the install process, or perhaps the post-install process of some package. It also killed my running TigerVNC session to another PC. So, looks like something isn't working quite 100% with the new change.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.5.1.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.9.noarch
reason: SELinux is preventing /usr/lib/systemd/systemd-machined from 'search' accesses on the directory 10449.
reproducible: Not sure how to reproduce the problem
type: libreport
Actually, it wasn't TigerVNC that was killed (as per previous comment), it was virt-manager. It was just a local dev VM running, not a remote one. :wink:
Another user experienced a similar problem: Install updates

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.10.1.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.12.noarch
reason: SELinux is preventing systemd-machine from 'search' accesses on the Verzeichnis 3271.
reproducible: Not sure how to reproduce the problem
type: libreport
Another user experienced a similar problem: I'm also experiencing a kernel crash at boot. Dracut fails mounting partitions itself, but it could be done via dracut-shell. After manual mount, chroot via systemd retriggers the process.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.12.noarch
reason: SELinux is preventing /usr/lib/systemd/systemd-machined from 'search' accesses on the directory 12514.
reproducible: Not sure how to reproduce the problem
type: libreport
Update made the system unable to boot. I managed to find partitions (already available at the crash point) via dracut-shell. Several remappings were done by dracut during the remaining boot and I got some other (related?) issues (networking, dbus, kvm, ...).

Attachment: dracut_crash.journal (6,749 bytes)
Date Modified | Username | Field | Change |
---|---|---|---|
2017-02-04 08:51 | lec@easterng.ro | New Issue | |
2017-05-26 16:45 | link | Note Added: 0029343 | |
2017-06-09 10:37 | TuxHandwerker | Note Added: 0029425 | |
2018-05-22 16:29 | hobbes129 | Note Added: 0031892 | |
2019-03-20 02:22 | justinclift | Note Added: 0034049 | |
2019-03-20 02:24 | justinclift | Note Added: 0034050 | |
2019-04-30 05:11 | TuxHandwerker | Note Added: 0034407 | |
2019-05-21 03:00 | t3kK4m | Note Added: 0034486 | |
2019-05-21 04:16 | t3kK4m | File Added: dracut_crash.journal | |
2019-05-21 04:16 | t3kK4m | Note Added: 0034487 |