 |
I have run into this issue on my CentOS 7 server which hosts a few VMs. SELinux is preventing systemd-machine from search access on the directory 4394. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-machine should be allowed search access on the 4394 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine # semodule -i my-systemdmachine.pp Additional Information: Source Context system_u:system_r:systemd_machined_t:s0 Target Context system_u:system_r:svirt_t:s0:c121,c203 Target Objects 4394 [ dir ] Source systemd-machine Source Path systemd-machine Port <Unknown> Host tourian.digitalbytes.net Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name tourian.digitalbytes.net Platform Linux tourian.digitalbytes.net 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-05-26 05:23:19 EDT Last Seen 2017-05-26 05:23:19 EDT Local ID 88e47dc9-ce6e-441c-9883-2103a635f1f2 Raw Audit Messages type=AVC msg=audit(1495790599.193:3177): avc: denied { search } for pid=2564 comm="systemd-machine" name="4394" dev="proc" ino=43396 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c121,c203 tclass=dir Hash: systemd-machine,systemd_machined_t,svirt_t,dir,search |
|
|
Another user experienced a similar problem: restart libvirtd reporter: libreport-2.1.11.1 hashmarkername: setroubleshoot kernel: 3.10.0-514.21.1.el7.x86_64 package: selinux-policy-3.13.1-102.el7_3.16.noarch reason: SELinux is preventing systemd-machine from 'search' accesses on the directory 29232. reproducible: Not sure how to reproduce the problem type: libreport |
|
|
Another user experienced a similar problem: System was running headless. reporter: libreport-2.1.11.1 hashmarkername: setroubleshoot kernel: 3.10.0-862.2.3.el7.x86_64 package: selinux-policy-3.13.1-192.el7_5.3.noarch reason: SELinux is preventing systemd-machine from 'search' accesses on the directory 20062. reproducible: Not sure how to reproduce the problem type: libreport |
|
|
Another user experienced a similar problem: Just did a yum update, which installed a new kernel and updated several packages from the "updates" repo: ************************************** Installed: kernel.x86_64 0:3.10.0-957.10.1.el7 Updated: NetworkManager.x86_64 1:1.12.0-10.el7_6 NetworkManager-adsl.x86_64 1:1.12.0-10.el7_6 NetworkManager-bluetooth.x86_64 1:1.12.0-10.el7_6 NetworkManager-glib.x86_64 1:1.12.0-10.el7_6 NetworkManager-libnm.x86_64 1:1.12.0-10.el7_6 NetworkManager-ppp.x86_64 1:1.12.0-10.el7_6 NetworkManager-team.x86_64 1:1.12.0-10.el7_6 NetworkManager-tui.x86_64 1:1.12.0-10.el7_6 NetworkManager-wifi.x86_64 1:1.12.0-10.el7_6 NetworkManager-wwan.x86_64 1:1.12.0-10.el7_6 bpftool.x86_64 0:3.10.0-957.10.1.el7 cpp.x86_64 0:4.8.5-36.el7_6.1 dbus.x86_64 1:1.10.24-13.el7_6 dbus-libs.i686 1:1.10.24-13.el7_6 dbus-libs.x86_64 1:1.10.24-13.el7_6 dbus-x11.x86_64 1:1.10.24-13.el7_6 fcoe-utils.x86_64 0:1.0.32-2.el7_6 gcc.x86_64 0:4.8.5-36.el7_6.1 gcc-c++.x86_64 0:4.8.5-36.el7_6.1 gcc-gfortran.x86_64 0:4.8.5-36.el7_6.1 gdm.x86_64 1:3.28.2-12.el7_6 gnutls.i686 0:3.3.29-9.el7_6 gnutls.x86_64 0:3.3.29-9.el7_6 gnutls-dane.x86_64 0:3.3.29-9.el7_6 gnutls-utils.x86_64 0:3.3.29-9.el7_6 ipa-client.x86_64 0:4.6.4-10.el7.centos.3 ipa-client-common.noarch 0:4.6.4-10.el7.centos.3 ipa-common.noarch 0:4.6.4-10.el7.centos.3 kernel-debug-devel.x86_64 0:3.10.0-957.10.1.el7 kernel-headers.x86_64 0:3.10.0-957.10.1.el7 kernel-tools.x86_64 0:3.10.0-957.10.1.el7 kernel-tools-libs.x86_64 0:3.10.0-957.10.1.el7 libatomic.i686 0:4.8.5-36.el7_6.1 libblkid.i686 0:2.23.2-59.el7_6.1 libblkid.x86_64 0:2.23.2-59.el7_6.1 libgcc.i686 0:4.8.5-36.el7_6.1 libgcc.x86_64 0:4.8.5-36.el7_6.1 libgfortran.x86_64 0:4.8.5-36.el7_6.1 libgomp.x86_64 0:4.8.5-36.el7_6.1 libguestfs.x86_64 1:1.38.2-12.el7_6.2 libmount.i686 0:2.23.2-59.el7_6.1 libmount.x86_64 0:2.23.2-59.el7_6.1 libquadmath.x86_64 0:4.8.5-36.el7_6.1 libquadmath-devel.x86_64 0:4.8.5-36.el7_6.1 libsmartcols.x86_64 0:2.23.2-59.el7_6.1 libstdc++.i686 0:4.8.5-36.el7_6.1 libstdc++.x86_64 0:4.8.5-36.el7_6.1 libstdc++-devel.x86_64 0:4.8.5-36.el7_6.1 libuuid.i686 0:2.23.2-59.el7_6.1 libuuid.x86_64 0:2.23.2-59.el7_6.1 libuuid-devel.x86_64 0:2.23.2-59.el7_6.1 libvirt.x86_64 0:4.5.0-10.el7_6.6 libvirt-bash-completion.x86_64 0:4.5.0-10.el7_6.6 libvirt-client.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-config-network.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-config-nwfilter.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-interface.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-lxc.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-network.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-nodedev.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-nwfilter.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-qemu.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-secret.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-core.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-disk.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-gluster.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-iscsi.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-logical.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-mpath.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-rbd.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-driver-storage-scsi.x86_64 0:4.5.0-10.el7_6.6 libvirt-daemon-kvm.x86_64 0:4.5.0-10.el7_6.6 libvirt-libs.x86_64 0:4.5.0-10.el7_6.6 mutter.x86_64 0:3.28.3-6.el7_6 nss-pem.i686 0:1.0.3-5.el7_6.1 nss-pem.x86_64 0:1.0.3-5.el7_6.1 openssl.x86_64 1:1.0.2k-16.el7_6.1 openssl-devel.x86_64 1:1.0.2k-16.el7_6.1 openssl-libs.i686 1:1.0.2k-16.el7_6.1 openssl-libs.x86_64 1:1.0.2k-16.el7_6.1 python-perf.x86_64 0:3.10.0-957.10.1.el7 python2-ipaclient.noarch 0:4.6.4-10.el7.centos.3 python2-ipalib.noarch 0:4.6.4-10.el7.centos.3 shadow-utils.x86_64 2:4.1.5.1-25.el7_6.1 sos.noarch 0:3.6-16.el7.centos tuned.noarch 0:2.10.0-6.el7_6.3 util-linux.x86_64 0:2.23.2-59.el7_6.1 xfsprogs.x86_64 0:4.5.0-19.el7_6 xorg-x11-server-Xorg.x86_64 0:1.20.1-5.3.el7_6 xorg-x11-server-common.x86_64 0:1.20.1-5.3.el7_6 ************************************** This error popped up during what looks like either the end of the install process, or perhaps the post-install process of some package. It also killed my running TigerVNC session to another PC. So, looks like something isn't working quite 100% with the new change. reporter: libreport-2.1.11.1 hashmarkername: setroubleshoot kernel: 3.10.0-957.5.1.el7.x86_64 package: selinux-policy-3.13.1-229.el7_6.9.noarch reason: SELinux is preventing /usr/lib/systemd/systemd-machined from 'search' accesses on the directory 10449. reproducible: Not sure how to reproduce the problem type: libreport |
|
|
Actually, it wasn't TigerVNC killed (as per previous comment), it was virt-manager. It was just a local dev VM running, not a remote one. :wink: |
- Anonymous
