View Issue Details

ID: 0015266
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-09-12 05:03
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0015266: SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the plik
Description:
Description of problem:
Upgrade from systemd-219 to newer 234:
# wget -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo
# yum update systemd

Run openvpn --config xyz.ovpn

Check busctl:
# ip link show tun0
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
# busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNS 'ia(iay)' 18 2 2 4 193 181 14 10 2 4 193 181 14 11

Then SELinux error
SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the plik

***** Plugin catchall (100. confidence) suggests **************************

Aby systemd-resolved powinno mieć domyślnie read dostęp do file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# ausearch -c 'systemd-resolve' --raw | audit2allow -M my-systemdresolve
# semodule -i my-systemdresolve.pp

Additional Information:
Source Context system_u:system_r:systemd_resolved_t:s0
Target Context system_u:object_r:init_exec_t:s0
Target Objects [ file ]
Source systemd-resolve
Source Path /usr/lib/systemd/systemd-resolved
Port <Unknown>
Host (removed)
Source RPM Packages systemd-234-0.1.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-862.11.6.el7.x86_64 #1 SMP
                              Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-09-12 06:49:37 CEST
Last Seen 2018-09-12 06:49:37 CEST
Local ID 9932c339-5819-4d4f-9582-db97b8e01058

Raw Audit Messages
type=AVC msg=audit(1536727777.619:525): avc: denied { read } for pid=18593 comm="systemd-resolve" name="" dev="dm-0" ino=890 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1536727777.619:525): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff2df89b20 a1=80000 a2=7fca7ce60150 a3=7fca7ce604f8 items=0 ppid=1 pid=18593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-resolve exe=/usr/lib/systemd/systemd-resolved subj=system_u:system_r:systemd_resolved_t:s0 key=(null)

Hash: systemd-resolve,systemd_resolved_t,init_exec_t,file,read

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-862.11.6.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-09-12 05:03 kszewczyk New Issue