View Issue Details

ID: 0017673
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-09-10 16:17
Reporter: kmwetles
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
OS Version: 7
Summary: 0017673: SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/bin/systemctl.
Description:
Description of problem:
This happens when an automounted directory is symbolically linked into the home directory. When I try to list the directory, it fires the automount checker which triggers these errors. Other than that I can't trace down exactly what causes the problem.
SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/bin/systemctl. It seems to occur whenever automount tries to determine the mount status of automounted directories within my home directory.

***** Plugin automount_exec_config (91.4 confidence) suggests *************

If you want to allow bash to have execute access on the systemctl file
Then you need to change the label on '/usr/bin/systemctl'
chcon -t bin_t '/usr/bin/systemctl'

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that bash should be allowed execute access on the systemctl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'service' --raw | audit2allow -M my-service
# semodule -i my-service.pp

Additional Information:
Source Context system_u:system_r:automount_t:s0
Target Context system_u:object_r:systemd_systemctl_exec_t:s0
Target Objects /usr/bin/systemctl [ file ]
Source service
Source Path /usr/bin/bash
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages systemd-219-73.el7_8.8.x86_64
Policy RPM selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64
Alert Count 3
First Seen 2020-08-14 16:50:46 PDT
Last Seen 2020-08-14 16:50:50 PDT
Local ID a7c4bdc3-251b-42fc-8310-fc52ac98dfa9

Raw Audit Messages
type=AVC msg=audit(1597449050.312:3435422): avc: denied { execute } for pid=5346 comm="service" name="systemctl" dev="md126p3" ino=10619978 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0

Hash: service,automount_t,systemd_systemctl_exec_t,file,execute

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-1127.13.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-08-15 00:44 kmwetles New Issue