
Dominick Grift 04-29-2012 10:45 AM

Bootup avc, "systemd-tmpfile" important?
 
Not important i believe, but this is something that should be fixed i
guess.

systemd-tmpfiles is trying to change the context (/dev/lp2) where it is
not needed. Does not seem very efficient to me.

Is that location mentioned anywhere in /etc/tmpfiles.d?

On Sun, 2012-04-29 at 09:38 +0100, Frank Murphy wrote:
> Box was set to "fixfiles onboot"
>
> Saw this avc:
> *** Warning -- SELinux targeted policy relabel is required.
> *** Relabeling could take a very long time, depending on file
> *** system size and speed of hard drives.
> [ 8.566136] type=1400 audit(1335687882.859:7): avc: denied {
> relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2"
> dev="devtmpfs" ino=11419
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
> [ 8.588374] type=1400 audit(1335687882.881:8): avc: denied {
> relabelto } for pid=489 comm="systemd-tmpfile" name="lp2"
> dev="devtmpfs" ino=11419
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
>
>
> selinux-policy-targeted-3.10.0-118.fc17.noarch
>
>


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Frank Murphy 04-29-2012 11:32 AM

Bootup avc, "systemd-tmpfile" important?
 
On 29/04/12 11:45, Dominick Grift wrote:
> Not important i believe, but this is something that should be fixed i
> guess.
>
> systemd-tmpfiles is trying to change the context (/dev/lp2) where it is
> not needed. Does not seem very efficient to me.
>
> Is that location mentioned anywhere in /etc/tmpfiles.d?

No, and they're breeding,
the avc's cover lp0, lp1,lp2,lp3,lp4


--
Regards,
Frank
"Jack of all, fubars"

Dominick Grift 04-29-2012 04:17 PM

Bootup avc, "systemd-tmpfile" important?
 
On Sun, 2012-04-29 at 12:32 +0100, Frank Murphy wrote:
> On 29/04/12 11:45, Dominick Grift wrote:
> >
> > Not important i believe, but this is something that should be fixed i
> > guess.
> >
> > systemd-tmpfiles is trying to change the context (/dev/lp2) where it is
> > not needed. Does not seem very efficient to me.
> >
> > Is that location mentioned anywhere in /etc/tmpfiles.d?
> >
>
> No, and they're breeding,
> the avc's cover lp0, lp1,lp2,lp3,lp4
>
>

I would say that this is a bug in a systemd-tmpfiles configuration file
that some package includes.

Because i do not think systemd-tmpfiles should set device node labels,
and even if it should it should probably check first to see if setting
it is even needed.

In the case you enclosed, it is trying to set a context the same as the
device node's current context. (e.g. redundant)

So imho this isn't a selinux-policy bug but instead it is a bug in a
systemd-tmpfiles configuration file. I could be wrong about that though.



Daniel J Walsh 04-30-2012 03:50 PM

Bootup avc, "systemd-tmpfile" important?
 
On 04/29/2012 04:38 AM, Frank Murphy wrote:
> Box was set to "fixfiles onboot"
>
> Saw this avc: *** Warning -- SELinux targeted policy relabel is required.
> *** Relabeling could take a very long time, depending on file *** system
> size and speed of hard drives. [ 8.566136] type=1400
> audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489
> comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file [
> 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto }
> for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
>
>
> selinux-policy-targeted-3.10.0-118.fc17.noarch
>
>
That should show up in selinux-policy-targeted-3.10.0-120.fc17.noarch

Daniel J Walsh 04-30-2012 05:24 PM

Bootup avc, "systemd-tmpfile" important?
 
On 04/29/2012 12:17 PM, Dominick Grift wrote:
> On Sun, 2012-04-29 at 12:32 +0100, Frank Murphy wrote:
>> On 29/04/12 11:45, Dominick Grift wrote:
>>>
>>> Not important i believe, but this is something that should be fixed i
>>> guess.
>>>
>>> systemd-tmpfiles is trying to change the context (/dev/lp2) where it
>>> is not needed. Does not seem very efficient to me.
>>>
>>> Is that location mentioned anywhere in /etc/tmpfiles.d?
>>>
>>
>> No, and they're breeding, the avc's cover lp0, lp1,lp2,lp3,lp4
>>
>>
>
> I would say that this is a bug in a systemd-tmpfiles configuration file
> that some package includes.
>
> Because i do not think systemd-tmpfiles should set device node labels, and
> even if it should it should probably check first to see if setting it is
> even needed.
>
> In the case you enclosed, it is trying to set a context the same as the
> device node's current context. (e.g. redundant)
>
> So imho this isn't a selinux-policy bug but instead it is a bug in a
> systemd-tmpfiles configuration file. I could be wrong about that though.
>

Yes please open a bug on systemd to check if a context is the same as the
context it is going to set, and then don't set it.



Frank Murphy 05-01-2012 07:55 AM

Bootup avc, "systemd-tmpfile" important?
 
On 30/04/12 18:24, Daniel J Walsh wrote:
> Yes please open a bug on systemd to check if a context is the same as the
> context it is going to set, and then don't set it.

https://bugzilla.redhat.com/show_bug.cgi?id=817765


--
Regards,
Frank
"Jack of all, fubars"

Dominick Grift 05-01-2012 08:56 AM

Bootup avc, "systemd-tmpfile" important?
 
On Tue, 2012-05-01 at 08:55 +0100, Frank Murphy wrote:
> On 30/04/12 18:24, Daniel J Walsh wrote:
>
> >
> > Yes please open a bug on systemd to check if a context is the same as the
> > context it is going to set, and then don't set it.
> >
>
> https://bugzilla.redhat.com/show_bug.cgi?id=817765
>
>

The avc denials you enclosed in that bz do not support the bug. They
only have the "relabelfrom" and not the "relabelto" ones:

[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file

The above shows the issue



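The redundant relabel discussed in this thread can be picked out of a boot log mechanically. The following is an added example, not code from any poster or from systemd: it pairs relabelfrom and relabelto denials for the same device node and reports the ones whose tcontext is identical. It assumes one AVC record per line; the last two sample records are constructed for contrast.

```python
import re
from collections import defaultdict

# Records 1-2 are the denials quoted in the thread, one record per line.
# Records 3-4 are constructed (hypothetical name, ino and source label) to show
# a relabel that really changes the label.
SAMPLE = """\
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.600000] type=1400 audit(1335687882.900:9): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="example0" dev="devtmpfs" ino=20001 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 8.600100] type=1400 audit(1335687882.901:10): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="example0" dev="devtmpfs" ino=20001 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RELABEL = ("relabelfrom", "relabelto")


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m["fields"])}
    rec["perms"] = m["perms"].split()
    return rec


def redundant_relabels(lines):
    """List (name, context) pairs where the old and the requested label match.

    relabelfrom is checked against the object's current context and relabelto
    against the requested one, so equal tcontext values mean a no-op relabel.
    """
    seen = defaultdict(dict)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec.get("pid"), rec.get("dev"), rec.get("ino"), rec.get("name"))
        for perm in rec["perms"]:
            if perm in RELABEL:
                seen[key][perm] = rec.get("tcontext")
    return sorted(
        (key[3], ctx["relabelto"])
        for key, ctx in seen.items()
        if len(ctx) == 2 and ctx["relabelfrom"] == ctx["relabelto"]
    )


if __name__ == "__main__":
    for name, context in redundant_relabels(SAMPLE.splitlines()):
        print(f"{name}: relabel to {context} was a no-op")
```
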