View Issue Details

ID: 0012779
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-05-21 04:16
Reporter: lec@easterng.ro
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0012779: SELinux is preventing systemd-machine from 'search' accesses on the directory 10336.
Description:
Description of problem:
SELinux is preventing systemd-machine from 'search' accesses on the directory 10336.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-machine should be allowed search access on the 10336 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -i my-systemdmachine.pp

Additional Information:
Source Context system_u:system_r:systemd_machined_t:s0
Target Context system_u:system_r:svirt_t:s0:c356,c393
Target Objects 10336 [ dir ]
Source systemd-machine
Source Path systemd-machine
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-02-03 19:44:21 EET
Last Seen 2017-02-03 19:44:21 EET
Local ID a9de8e72-dc26-4916-842c-9ecbd44e557c

Raw Audit Messages
type=AVC msg=audit(1486143861.795:13480): avc: denied { search } for pid=16719 comm="systemd-machine" name="10336" dev="proc" ino=1021043 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c356,c393 tclass=dir


Hash: systemd-machine,systemd_machined_t,svirt_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-102.el7_3.13.noarch
Additional Information
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-514.6.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 261bbef5aa693083a0f4cac92449b34508a8b9cff51d7100f581570e3e98aae8
URL:
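As an added example (not part of this bug report, and not code from CentOS, setroubleshoot or audit2allow), the following Python script parses raw AVC lines of the shape quoted above. It recomputes the setroubleshoot "Hash:" key (assumed, from the Hash line on this page, to be comm, source type, target type, object class and permissions), prints the allow rule that the audit2allow workaround in the report would produce for the denial, and flags why that rule is broader than the single event: a type-enforcement rule is keyed on types only, so allowing systemd_machined_t to search svirt_t directories covers every svirt_t VM process, not only the one whose MCS categories (c356,c393) appear in tcontext. The first two sample lines are the two raw audit messages quoted in this bug; the third is a constructed, unrelated denial so that grouping has something to separate.

```python
import re
import sys
from collections import Counter

# Sample input: the two AVC lines quoted in this bug report, plus one
# constructed, unrelated denial (init_t -> var_t) to show grouping.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1486143861.795:13480): avc: denied { search } for pid=16719 comm="systemd-machine" name="10336" dev="proc" ino=1021043 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c356,c393 tclass=dir
type=AVC msg=audit(1495790599.193:3177): avc: denied { search } for pid=2564 comm="systemd-machine" name="4394" dev="proc" ino=43396 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c121,c203 tclass=dir
type=AVC msg=audit(1500000000.000:42): avc: denied { read write } for pid=999 comm="example" name="f" dev="sda1" ino=7 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)'
)
# key=value pairs after "for"; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of a context user:role:type[:level]."""
    return ctx.split(":")[2]


def context_level(ctx):
    """MLS/MCS level part of a context (e.g. 's0:c356,c393'), '' if absent."""
    return ":".join(ctx.split(":")[3:])


def parse_avc(line):
    """Parse one raw AVC line into a dict, or return None if it is not one."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "level": context_level(fields["tcontext"]),
    }


def setroubleshoot_key(avc):
    """Grouping key assumed to match the 'Hash:' line setroubleshoot prints."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"]] + avc["perms"])


def allow_rule(avc):
    """The TE allow rule audit2allow would emit for this single denial."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {p};"


def review_notes(avc):
    """Defender-side caveats worth reading before installing the allow rule."""
    notes = []
    if "," in avc["level"] or "." in avc["level"]:
        # A TE rule has no category component, so it grants the access to
        # every process of the target type, not only this MCS-labelled one.
        notes.append("tcontext carries MCS categories %s; the allow rule above "
                     "applies to all %s processes" % (avc["level"], avc["ttype"]))
    if avc["dev"] == "proc" and (avc["name"] or "").isdigit():
        # name=<number> on dev=proc is a process directory of the proc filesystem.
        notes.append("target is likely /proc/%s, the process directory of pid %s"
                     % (avc["name"], avc["name"]))
    return notes


def summarize(audit_text):
    """Count denials per setroubleshoot-style key over a block of audit text."""
    counts = Counter()
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["result"] == "denied":
            counts[setroubleshoot_key(avc)] += 1
    return counts


if __name__ == "__main__":
    # Pipe `ausearch -m AVC --raw` output in, or run without input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    for key, n in summarize(text).most_common():
        print(f"{n:4d}  {key}")
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            print(allow_rule(avc), "#", "; ".join(review_notes(avc)))
```

Run it without input to see the sample grouped (the two systemd-machine lines collapse to one key with count 2), or pipe raw ausearch output into it on a host that shows the same alert. The point of review_notes is the part the catchall plugin text does not say: the generated rule drops the c356,c393 categories, so it is a per-type grant, and the denied object is the /proc directory of a running VM process.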

Activities

link

2017-05-26 16:45

reporter   ~0029343

I have run into this issue on my CentOS 7 server which hosts a few VMs.


SELinux is preventing systemd-machine from search access on the directory 4394.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-machine should be allowed search access on the 4394 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -i my-systemdmachine.pp

Additional Information:
Source Context system_u:system_r:systemd_machined_t:s0
Target Context system_u:system_r:svirt_t:s0:c121,c203
Target Objects 4394 [ dir ]
Source systemd-machine
Source Path systemd-machine
Port <Unknown>
Host tourian.digitalbytes.net
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name tourian.digitalbytes.net
Platform Linux tourian.digitalbytes.net 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-05-26 05:23:19 EDT
Last Seen 2017-05-26 05:23:19 EDT
Local ID 88e47dc9-ce6e-441c-9883-2103a635f1f2

Raw Audit Messages
type=AVC msg=audit(1495790599.193:3177): avc: denied { search } for pid=2564 comm="systemd-machine" name="4394" dev="proc" ino=43396 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c121,c203 tclass=dir


Hash: systemd-machine,systemd_machined_t,svirt_t,dir,search
TuxHandwerker

2017-06-09 10:37

reporter   ~0029425

Another user experienced a similar problem:

restart libvirtd

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-514.21.1.el7.x86_64
package: selinux-policy-3.13.1-102.el7_3.16.noarch
reason: SELinux is preventing systemd-machine from 'search' accesses on the directory 29232.
reproducible: Not sure how to reproduce the problem
type: libreport
hobbes129

2018-05-22 16:29

reporter   ~0031892

Another user experienced a similar problem:

System was running headless.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.2.3.el7.x86_64
package: selinux-policy-3.13.1-192.el7_5.3.noarch
reason: SELinux is preventing systemd-machine from 'search' accesses on the directory 20062.
reproducible: Not sure how to reproduce the problem
type: libreport
justinclift

2019-03-20 02:22

reporter   ~0034049

Another user experienced a similar problem:

Just did a yum update, which installed a new kernel and updated several packages from the "updates" repo:

**************************************

Installed:
  kernel.x86_64 0:3.10.0-957.10.1.el7

Updated:
  NetworkManager.x86_64 1:1.12.0-10.el7_6
  NetworkManager-adsl.x86_64 1:1.12.0-10.el7_6
  NetworkManager-bluetooth.x86_64 1:1.12.0-10.el7_6
  NetworkManager-glib.x86_64 1:1.12.0-10.el7_6
  NetworkManager-libnm.x86_64 1:1.12.0-10.el7_6
  NetworkManager-ppp.x86_64 1:1.12.0-10.el7_6
  NetworkManager-team.x86_64 1:1.12.0-10.el7_6
  NetworkManager-tui.x86_64 1:1.12.0-10.el7_6
  NetworkManager-wifi.x86_64 1:1.12.0-10.el7_6
  NetworkManager-wwan.x86_64 1:1.12.0-10.el7_6
  bpftool.x86_64 0:3.10.0-957.10.1.el7
  cpp.x86_64 0:4.8.5-36.el7_6.1
  dbus.x86_64 1:1.10.24-13.el7_6
  dbus-libs.i686 1:1.10.24-13.el7_6
  dbus-libs.x86_64 1:1.10.24-13.el7_6
  dbus-x11.x86_64 1:1.10.24-13.el7_6
  fcoe-utils.x86_64 0:1.0.32-2.el7_6
  gcc.x86_64 0:4.8.5-36.el7_6.1
  gcc-c++.x86_64 0:4.8.5-36.el7_6.1
  gcc-gfortran.x86_64 0:4.8.5-36.el7_6.1
  gdm.x86_64 1:3.28.2-12.el7_6
  gnutls.i686 0:3.3.29-9.el7_6
  gnutls.x86_64 0:3.3.29-9.el7_6
  gnutls-dane.x86_64 0:3.3.29-9.el7_6
  gnutls-utils.x86_64 0:3.3.29-9.el7_6
  ipa-client.x86_64 0:4.6.4-10.el7.centos.3
  ipa-client-common.noarch 0:4.6.4-10.el7.centos.3
  ipa-common.noarch 0:4.6.4-10.el7.centos.3
  kernel-debug-devel.x86_64 0:3.10.0-957.10.1.el7
  kernel-headers.x86_64 0:3.10.0-957.10.1.el7
  kernel-tools.x86_64 0:3.10.0-957.10.1.el7
  kernel-tools-libs.x86_64 0:3.10.0-957.10.1.el7
  libatomic.i686 0:4.8.5-36.el7_6.1
  libblkid.i686 0:2.23.2-59.el7_6.1
  libblkid.x86_64 0:2.23.2-59.el7_6.1
  libgcc.i686 0:4.8.5-36.el7_6.1
  libgcc.x86_64 0:4.8.5-36.el7_6.1
  libgfortran.x86_64 0:4.8.5-36.el7_6.1
  libgomp.x86_64 0:4.8.5-36.el7_6.1
  libguestfs.x86_64 1:1.38.2-12.el7_6.2
  libmount.i686 0:2.23.2-59.el7_6.1
  libmount.x86_64 0:2.23.2-59.el7_6.1
  libquadmath.x86_64 0:4.8.5-36.el7_6.1
  libquadmath-devel.x86_64 0:4.8.5-36.el7_6.1
  libsmartcols.x86_64 0:2.23.2-59.el7_6.1
  libstdc++.i686 0:4.8.5-36.el7_6.1
  libstdc++.x86_64 0:4.8.5-36.el7_6.1
  libstdc++-devel.x86_64 0:4.8.5-36.el7_6.1
  libuuid.i686 0:2.23.2-59.el7_6.1
  libuuid.x86_64 0:2.23.2-59.el7_6.1
  libuuid-devel.x86_64 0:2.23.2-59.el7_6.1
  libvirt.x86_64 0:4.5.0-10.el7_6.6
  libvirt-bash-completion.x86_64 0:4.5.0-10.el7_6.6
  libvirt-client.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-config-network.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-config-nwfilter.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-interface.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-lxc.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-network.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-nodedev.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-nwfilter.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-qemu.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-secret.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-core.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-disk.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-gluster.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-iscsi.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-logical.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-mpath.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-rbd.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-driver-storage-scsi.x86_64 0:4.5.0-10.el7_6.6
  libvirt-daemon-kvm.x86_64 0:4.5.0-10.el7_6.6
  libvirt-libs.x86_64 0:4.5.0-10.el7_6.6
  mutter.x86_64 0:3.28.3-6.el7_6
  nss-pem.i686 0:1.0.3-5.el7_6.1
  nss-pem.x86_64 0:1.0.3-5.el7_6.1
  openssl.x86_64 1:1.0.2k-16.el7_6.1
  openssl-devel.x86_64 1:1.0.2k-16.el7_6.1
  openssl-libs.i686 1:1.0.2k-16.el7_6.1
  openssl-libs.x86_64 1:1.0.2k-16.el7_6.1
  python-perf.x86_64 0:3.10.0-957.10.1.el7
  python2-ipaclient.noarch 0:4.6.4-10.el7.centos.3
  python2-ipalib.noarch 0:4.6.4-10.el7.centos.3
  shadow-utils.x86_64 2:4.1.5.1-25.el7_6.1
  sos.noarch 0:3.6-16.el7.centos
  tuned.noarch 0:2.10.0-6.el7_6.3
  util-linux.x86_64 0:2.23.2-59.el7_6.1
  xfsprogs.x86_64 0:4.5.0-19.el7_6
  xorg-x11-server-Xorg.x86_64 0:1.20.1-5.3.el7_6
  xorg-x11-server-common.x86_64 0:1.20.1-5.3.el7_6

**************************************

This error popped up during what looks like either the end of the install process, or perhaps the post-install process of some package.

It also killed my running TigerVNC session to another PC. So, looks like something isn't working quite 100% with the new change.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.5.1.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.9.noarch
reason: SELinux is preventing /usr/lib/systemd/systemd-machined from 'search' accesses on the directory 10449.
reproducible: Not sure how to reproduce the problem
type: libreport
justinclift

2019-03-20 02:24

reporter   ~0034050

Actually, it wasn't TigerVNC killed (as per previous comment), it was virt-manager. It was just a local dev VM running, not a remote one. :wink:
TuxHandwerker

2019-04-30 05:11

reporter   ~0034407

Another user experienced a similar problem:

Install updates

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.10.1.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.12.noarch
reason: SELinux is preventing systemd-machine from 'search' accesses on the Verzeichnis 3271.
reproducible: Not sure how to reproduce the problem
type: libreport
t3kK4m

2019-05-21 03:00

reporter   ~0034486

Another user experienced a similar problem:

I'm also experiencing a kernel crash at boot. Dracut fails to mount the partitions itself, but it can be done via the dracut shell. After the manual mount, a chroot via systemd retriggers the process.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.12.noarch
reason: SELinux is preventing /usr/lib/systemd/systemd-machined from 'search' accesses on the directory 12514.
reproducible: Not sure how to reproduce the problem
type: libreport
t3kK4m

2019-05-21 04:16

reporter   ~0034487

The update made the system unable to boot.
I managed to find the partitions (already available at the crash point) via the dracut shell.
Several remappings took place in dracut during the remaining boot and I got some other (related?) issues (networking, dbus, kvm, ...).

dracut_crash.journal (6,749 bytes)

Issue History

Date Modified Username Field Change
2017-02-04 08:51 lec@easterng.ro New Issue
2017-05-26 16:45 link Note Added: 0029343
2017-06-09 10:37 TuxHandwerker Note Added: 0029425
2018-05-22 16:29 hobbes129 Note Added: 0031892
2019-03-20 02:22 justinclift Note Added: 0034049
2019-03-20 02:24 justinclift Note Added: 0034050
2019-04-30 05:11 TuxHandwerker Note Added: 0034407
2019-05-21 03:00 t3kK4m Note Added: 0034486
2019-05-21 04:16 t3kK4m File Added: dracut_crash.journal
2019-05-21 04:16 t3kK4m Note Added: 0034487