Bug 1365214 - SELinux is preventing gdbus from 'write' accesses on the fifo_file /run/systemd/inhibit/1.ref.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Whiteboard: abrt_hash:2af4b81290245108b108c0f47c7...
Depends On: 1357144
Reported: 2016-08-08 16:07 UTC by Radka Skvarilova
Modified: 2016-11-04 02:36 UTC

Fixed In Version: selinux-policy-3.13.1-93.el7
Clone Of: 1357144
Last Closed: 2016-11-04 02:36:29 UTC


Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2016:2283 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2016-11-03 13:36:25 UTC

Description Radka Skvarilova 2016-08-08 16:07:54 UTC
I found a similar problem to this bug in RHEL 7.

selinux-policy-3.13.1-92.el7.noarch
systemd-219-25.el7.x86_64

AVC:
type=SYSCALL msg=audit(08/08/2016 11:53:53.631:567) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7f7fe5445b20 a2=MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 


type=AVC msg=audit(08/08/2016 11:53:53.631:567) : avc:  denied  { write } for  pid=646 comm=gdbus path=/run/systemd/inhibit/1.ref dev="tmpfs" ino=22752 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file 

Steps to Reproduce:
1. setenforce 0
2. systemctl restart systemd-logind.service




+++ This bug was initially created as a clone of Bug #1357144 +++

Description of problem:
SELinux is preventing gdbus from 'write' accesses on the fifo_file /run/systemd/inhibit/1.ref.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdbus should be allowed write access on the 1.ref fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdbus' --raw | audit2allow -M my-gdbus
# semodule -X 300 -i my-gdbus.pp

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:object_r:systemd_logind_inhibit_var_run_t
                              :s0
Target Objects                /run/systemd/inhibit/1.ref [ fifo_file ]
Source                        gdbus
Source Path                   gdbus
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-202.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-0.rc7.git2.1.fc25.x86_64 #1
                              SMP Wed Jul 13 21:14:25 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-07-15 21:04:18 EDT
Last Seen                     2016-07-15 21:04:18 EDT
Local ID                      26691368-6123-410d-b856-efb9fea7d8e4

Raw Audit Messages
type=AVC msg=audit(1468631058.973:104): avc:  denied  { write } for  pid=943 comm="gdbus" path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=18215 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=0


Hash: gdbus,modemmanager_t,systemd_logind_inhibit_var_run_t,fifo_file,write

Version-Release number of selected component:
selinux-policy-3.13.1-202.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc7.git2.1.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

--- Additional comment from Medic Momcilo on 2016-07-22 03:04:51 EDT ---

Description of problem:
Booted up the PC after an update and had an SE alert shown.

Version-Release number of selected component:
selinux-policy-3.13.1-203.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc7.git4.1.fc25.x86_64
type:           libreport

--- Additional comment from Jan Kurik on 2016-07-26 00:44:18 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

--- Additional comment from Kwang Moo Yi on 2016-08-03 12:46:48 EDT ---

I can confirm the problem exists for me as well, on fedora24 instead of 25.

selinux-policy-3.13.1-191.9.fc24.noarch
kernel:         4.6.5-300.fc24.x86_64

Comment 2 Milos Malik 2016-08-09 07:19:24 UTC
The scenario in fact generates 3 different SELinux denials (2 USER_AVCs and 1 AVC):
----
type=USER_AVC msg=audit(08/09/2016 09:16:32.057:355) : pid=565 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.82 spid=532 tpid=7477 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/09/2016 09:16:32.063:356) : pid=565 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SeatNew dest=org.freedesktop.DBus spid=7477 tpid=532 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(08/09/2016 09:16:32.095:357) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7fbbabffeb20 a2=MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=573 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(08/09/2016 09:16:32.095:357) : avc:  denied  { write } for  pid=573 comm=gdbus path=/run/systemd/inhibit/7.ref dev="tmpfs" ino=51290 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file 
----
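
When triaging a scenario like the one in Comment 2, it helps to reduce each AVC and USER_AVC record to one key per missing rule, using the same field order as the `Hash:` line in the original report. The following is an added example, not part of the bug report or of setroubleshoot; the function names are hypothetical and the sample records are constructed by shortening the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample: records shortened from the ones quoted in this bug,
# covering both raw (quoted values) and `ausearch -i` (unquoted) styles.
SAMPLE = """\
type=AVC msg=audit(1468631058.973:104): avc:  denied  { write } for  pid=943 comm="gdbus" path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=18215 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=0
type=USER_AVC msg=audit(08/09/2016 09:16:32.057:355) : pid=565 uid=dbus msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null)  exe=/usr/bin/dbus-daemon'
type=SYSCALL msg=audit(08/09/2016 09:16:32.095:357) : arch=x86_64 syscall=recvmsg success=yes comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0
type=AVC msg=audit(08/09/2016 09:16:32.095:357) : avc:  denied  { write } for  pid=573 comm=gdbus path=/run/systemd/inhibit/7.ref dev="tmpfs" ino=51290 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Parse one AVC or USER_AVC denial; return None for any other record."""
    if not line.startswith(("type=AVC ", "type=USER_AVC ")):
        return None
    m = DENIAL.search(line)
    if m is None:
        return None
    # Only look at key=value pairs after the "{ perms }" block.
    f = {k: v.strip("\"'") for k, v in FIELD.findall(line[m.end():])}
    if "scontext" not in f or "tcontext" not in f:
        return None
    return {
        "comm": f.get("comm", "-"),            # USER_AVC records carry no comm=
        "stype": f["scontext"].split(":")[2],  # user:role:type:level
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f.get("tclass", "-"),
        "perms": m.group("perms"),
    }


def signature(d):
    """Key in the field order of the 'Hash:' line quoted in the report."""
    return ",".join(d[k] for k in ("comm", "stype", "ttype", "tclass", "perms"))


def summarize(text):
    """Count distinct denials so repeats of one rule gap collapse to one row."""
    parsed = (parse_denial(line) for line in text.splitlines())
    return Counter(signature(d) for d in parsed if d)


if __name__ == "__main__":
    for sig, n in summarize(SAMPLE).items():
        print(n, sig)
```

The two fifo_file records collapse into a single key even though the inhibit FIFO name and inode differ, while the D-Bus USER_AVC shows up as a separate key.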

Comment 7 errata-xmlrpc 2016-11-04 02:36:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

