View Issue Details

ID: 0015266
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-09-12 05:03
Reporter: kszewczyk
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: 
OS: 
OS Version: 7
Product Version: 
Target Version: 
Fixed in Version: 
Summary: 0015266: SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file libsystemd-shared-234.so.
Description:
Description of problem:
Upgrade from systemd-219 to newer 234:
# wget https://copr.fedorainfracloud.org/coprs/jsynacek/systemd-backports-for-centos-7/repo/epel-7/jsynacek-systemd-backports-for-centos-7-epel-7.repo -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo
# yum update systemd

Run openvpn --config xyz.ovpn

Check busctl:
# ip link show tun0
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none
# busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNS 'ia(iay)' 18 2 2 4 193 181 14 10 2 4 193 181 14 11

Then the SELinux error:
SELinux is preventing /usr/lib/systemd/systemd-resolved from 'read' accesses on the file libsystemd-shared-234.so.

***** Plugin catchall (100. confidence) suggests **************************

If you want to allow systemd-resolved to have read access on the libsystemd-shared-234.so file
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-resolve' --raw | audit2allow -M my-systemdresolve
# semodule -i my-systemdresolve.pp

Additional Information:
Source Context system_u:system_r:systemd_resolved_t:s0
Target Context system_u:object_r:init_exec_t:s0
Target Objects libsystemd-shared-234.so [ file ]
Source systemd-resolve
Source Path /usr/lib/systemd/systemd-resolved
Port <Unknown>
Host (removed)
Source RPM Packages systemd-234-0.1.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-862.11.6.el7.x86_64 #1 SMP
                              Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 5
First Seen 2018-09-12 06:49:37 CEST
Last Seen 2018-09-12 06:49:37 CEST
Local ID 9932c339-5819-4d4f-9582-db97b8e01058

Raw Audit Messages
type=AVC msg=audit(1536727777.619:525): avc: denied { read } for pid=18593 comm="systemd-resolve" name="libsystemd-shared-234.so" dev="dm-0" ino=890 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1536727777.619:525): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff2df89b20 a1=80000 a2=7fca7ce60150 a3=7fca7ce604f8 items=0 ppid=1 pid=18593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-resolve exe=/usr/lib/systemd/systemd-resolved subj=system_u:system_r:systemd_resolved_t:s0 key=(null)

Hash: systemd-resolve,systemd_resolved_t,init_exec_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-192.el7_5.6.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.11.6.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 2cebbe042f21f1d9cde172b7676feb62fcb8b738338264486d22d5af24fb22f3
URL: 
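The setroubleshoot suggestion above (ausearch piped into audit2allow) would turn the raw AVC record into a local module granting systemd_resolved_t read on every init_exec_t file, which is far wider than the one library involved. As an added example (not part of the bug report, of setroubleshoot, or of audit2allow), the Python script below parses AVC denial records, derives the allow rule audit2allow would emit, and flags the pattern seen in this report: the denied object is a shared library (.so) whose type is init_exec_t rather than lib_t, which points at a file-context gap to fix by relabeling rather than a policy gap to open. The sample log is constructed: it embeds the report's AVC and SYSCALL lines plus a made-up httpd denial as a negative case. The "a .so should carry lib_t" heuristic, and the idea that the library's type was inherited from the /usr/lib/systemd/ directory, are assumptions of mine, not statements from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: the AVC/SYSCALL pair quoted in the bug report above,
# followed by a made-up httpd denial so the heuristic has a negative case.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1536727777.619:525): avc: denied { read } for pid=18593 comm="systemd-resolve" name="libsystemd-shared-234.so" dev="dm-0" ino=890 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1536727777.619:525): arch=x86_64 syscall=open success=no exit=EACCES comm=systemd-resolve exe=/usr/lib/systemd/systemd-resolved subj=system_u:system_r:systemd_resolved_t:s0
type=AVC msg=audit(1536727800.100:530): avc: denied { write } for pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Shape of a denial record: type=AVC ... avc: denied { perms } for key=value key="quoted" ...
AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHARED_LIB_RE = re.compile(r'\.so(\.\d+)*$')   # libfoo.so, libfoo.so.1.2


@dataclass
class Denial:
    perms: Tuple[str, ...]
    comm: str
    name: str
    stype: str   # type field of scontext, e.g. systemd_resolved_t
    ttype: str   # type field of tcontext, e.g. init_exec_t
    tclass: str  # object class, e.g. file


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type"""
    return ctx.split(':')[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit record; None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    return Denial(
        perms=tuple(sorted(m.group('perms').split())),
        comm=fields.get('comm', ''),
        name=fields.get('name', ''),
        stype=context_type(fields['scontext']),
        ttype=context_type(fields['tcontext']),
        tclass=fields['tclass'],
    )


def allow_rule(d: Denial) -> str:
    """The TE allow rule audit2allow would generate for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.stype} {d.ttype}:{d.tclass} {perms};'


def looks_mislabeled(d: Denial) -> bool:
    """Assumed heuristic: a shared library is expected to carry lib_t. Any other
    type on a .so (here init_exec_t) suggests the file-context rules do not know
    the file, which is fixed by relabeling, not by a new allow rule."""
    return d.tclass == 'file' and bool(SHARED_LIB_RE.search(d.name)) and d.ttype != 'lib_t'


def triage(log_text: str) -> List[Tuple[Denial, str, bool]]:
    """For each AVC denial: parsed record, would-be allow rule, mislabel verdict."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            out.append((d, allow_rule(d), looks_mislabeled(d)))
    return out


if __name__ == '__main__':
    for d, rule, mislabeled in triage(SAMPLE_AUDIT_LOG):
        verdict = ('LIKELY MISLABELED: check ls -Z / matchpathcon before loading any module'
                   if mislabeled else 'policy gap candidate')
        print(f'{d.comm:16} {rule:56} {verdict}')
```

For the report's record the script yields `allow systemd_resolved_t init_exec_t:file read;` and marks it as likely mislabeled, so the practitioner's check before touching policy is `ls -Z` and `matchpathcon` on the library: if the file's actual type disagrees with what a proper file context would give it, a `semanage fcontext` rule plus `restorecon` on that one path (or a fixed selinux-policy package) closes the denial without granting the resolver read access to every init_exec_t file on the host.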

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-09-12 05:03 kszewczyk New Issue