Comments

26 Comments

Fixes #1485471 for me as well.

BZ#1411360 SELinux is preventing (ostnamed) from 'mounton' accesses on the file /proc/mtrr.
BZ#1433555 SELinux is preventing systemd-hostnam from 'create' accesses on the file .#hostnameC0Zq0X.

LGTM

BZ#1383867 SELinux is preventing pickup from 'read' accesses on the lnk_file log.
BZ#1398007 postfix: no log entries for sent mails
BZ#1398853 SELinux file context for /usr/lib/systemd/resolv.conf should be net_conf_t

LGTM thanks for packaging it

karma

wfm xfce uefi/bios

karma

LGTM

BZ#1379634 CVE-2016-7543 bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution [fedora-all]
karma

LGTM

BZ#1378345 CVE-2016-7044 CVE-2016-7045 irssi: various flaws [fedora-all]

In reply to https://bodhi.fedoraproject.org/updates/selinux-policy-3.13.1-211.fc25#comment-481907:

I've just reviewed my prior feedback and realized that I should have submitted the comments in Bugzilla. It's done, and please don't hate me, I'll make sure to review the docs next time...

WFM:

[root@omiday ~]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

wtmp begins Mon Jul 25 17:00:39 2016

[root@omiday ~]# ausearch -m avc -ts 23:48 | grep "firewalld" 
<no matches>

Sorry about the previous messed up report and empty submissions, here's a formatted one:

[root@omiday ~]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:48   still running

wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday ~]# ausearch -m avc -ts 23:48 | grep "{ getattr }"
type=AVC msg=audit(1472968121.957:143): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0

Related boot logs:

Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:48:39 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  94 classes, 105642 rules
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission validate_trans in class security not defined in policy.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Permission module_load in class system not defined in policy.
Sep 03 23:48:39 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Completing initialization.
Sep 03 23:48:39 omiday.can.local kernel: SELinux:  Setting up existing superblocks.
Sep 03 23:48:39 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 76.855ms.
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:48:39 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.613ms.
Sep 03 23:48:39 omiday.can.local systemd-journald[1093]: Journal started
Sep 03 23:48:39 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:48:39 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0
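The report above mixes two AVC record shapes (the raw `ausearch` form and the journal's `audit[1]: AVC avc:` form) and repeats the same denial twice. As an added example that is not part of this update thread or of the selinux-policy package, the following Python parses both shapes, reduces the denials to distinct (source type, target type, class, permission) tuples, and renders the `allow` lines that audit2allow would print for them. The sample log is constructed from the four AVC lines in the report plus one non-AVC journal line; the function and class names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the AVC records quoted in the report above (one in
# ausearch form, three in journal form) plus one non-AVC journal line.
SAMPLE_LOG = """\
type=AVC msg=audit(1472968121.957:143): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=1173 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=1172 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:48:39 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=1171 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0
Sep 03 23:48:39 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.613ms.
"""

# "avc:  denied  { perm perm } for  key=value ..." is common to both record shapes.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    verdict: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool   # True only when the kernel logged permissive=1
    comm: str
    target: str        # path= or name=, whichever the record carries


def parse_avc(line):
    """Return an Avc for an AVC record in either shape, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return Avc(
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
        comm=fields.get("comm", "?"),
        target=fields.get("path") or fields.get("name") or "?",
    )


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize(text):
    """Count denials by (source type, target type, class, permission, permissive)."""
    counts = Counter()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.verdict != "denied":
            continue
        for perm in avc.perms:
            key = (type_of(avc.scontext), type_of(avc.tcontext), avc.tclass, perm, avc.permissive)
            counts[key] += 1
    return counts


def allow_rules(counts):
    """Render the audit2allow-style rule each (source, target, class) group would need."""
    grouped = {}
    for (src, tgt, cls, perm, _), _ in counts.items():
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in grouped.items()
    )


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for key, n in sorted(totals.items()):
        print(n, key)
    print("\n".join(allow_rules(totals)))
```

All four denials carry `permissive=0`, which is why systemd's "Unable to fix SELinux security context" messages appear in the same boot. The rendered `allow` lines are a triage aid for a bug report against the policy, not a local module to ship: granting init_t relabelto/relabelfrom on tmpfs would paper over the labeling problem the report is describing rather than fix it.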

[root@omiday selinux]# last -n1 reboot
reboot   system boot  4.8.0-0.rc4.git0 Sat Sep  3 23:09   still running

wtmp begins Mon Jul 25 17:00:39 2016
[root@omiday selinux]# ausearch -m avc -ts 23:09 | grep "{ getattr }"
type=AVC msg=audit(1472965784.408:145): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0

(Possible) Related boot logs:

Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: 32768 avtab hash slots, 105642 rules.
Sep 03 23:09:42 omiday.can.local kernel: SELinux:  8 users, 14 roles, 5046 types, 305 bools, 1 sens, 1024 cats
Sep 03 23:09:42 omiday.can.local kernel: SELinux:  94 classes, 105642 rules
Sep 03 23:09:42 omiday.can.local kernel: SELinux:  Permission validate_trans in class security not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux:  Permission module_load in class system not defined in policy.
Sep 03 23:09:42 omiday.can.local kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 03 23:09:42 omiday.can.local kernel: SELinux:  Completing initialization.
Sep 03 23:09:42 omiday.can.local kernel: SELinux:  Setting up existing superblocks.
Sep 03 23:09:42 omiday.can.local systemd[1]: Successfully loaded SELinux policy in 90.371ms.
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/fifo: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/blk: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Unable to fix SELinux security context of /run/systemd/inaccessible/chr: Permission denied
Sep 03 23:09:42 omiday.can.local systemd[1]: Relabelled /dev and /run in 20.204ms.
Sep 03 23:09:42 omiday.can.local systemd-journald[1080]: Journal started
Sep 03 23:09:41 omiday.can.local audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit: MAC_POLICY_LOAD policy loaded auid=4294967295 ses=4294967295
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { relabelto } for  pid=1 comm="systemd" name="fifo" dev="tmpfs" ino=11094 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=fifo_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { getattr } for  pid=1 comm="systemd" path="/run/systemd/inaccessible/blk" dev="tmpfs" ino=11093 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=0
Sep 03 23:09:42 omiday.can.local audit[1]: AVC avc:  denied  { relabelfrom } for  pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11092 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=0