AVC reported for tmpfs accesses

Bug #1820019 reported by Cédric Jeanneret
Affects: tripleo
Status: Invalid
Importance: Medium
Assigned to: Cédric Jeanneret

Bug Description

Hello,

Some new AVC reported on an osp15:

type=AVC msg=audit(1552550088.001:4259): avc: denied { read } for pid=85977 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Journalctl shows the following:
Mar 14 07:54:49 undercloud.localdomain setroubleshoot[85982]: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from read access on the directory dbus-1. For complete SELinux messages run: sealert -l d74972a4-9c79-48f7-83b3->
Mar 14 07:54:49 undercloud.localdomain platform-python[85982]: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from read access on the directory dbus-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-user-runtime-dir should be allowed read access on the dbus-1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

In this case, we might want to allow the access. @Juan, any thoughts?

Cheers,

C.

Cédric Jeanneret (cjeanner) wrote :

Small note:
apparently the authorization looks like:
allow init_t session_dbusd_tmp_t:dir read;
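As an added example (not part of the bug report or of tripleo), the Python below parses the AVC record quoted above into its security-relevant fields and renders the TE allow rule audit2allow would derive from it, which is the rule noted in this comment; it also filters out permissive-mode records so only enforced denials reach triage. The sample line is copied from the report; the function names are my own.

```python
import re

# Copied from the bug report above: the single denial under discussion.
AVC_LINE = ('type=AVC msg=audit(1552550088.001:4259): avc: denied { read } for pid=85977 '
            'comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 '
            'scontext=system_u:system_r:init_t:s0 '
            'tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0')

# Fields of an AVC record that decide the policy question: who, what, which
# object class, which permissions, and whether the denial was enforced.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields['perms'] = fields['perms'].split()
    # An SELinux context is user:role:type:level; the type is what TE rules name.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    # permissive=0 means the access was really blocked; None if the field is absent.
    fields['permissive'] = None if fields['permissive'] is None else fields['permissive'] == '1'
    return fields

def allow_rule(fields):
    """Render the TE allow rule that would silence this denial (what audit2allow emits)."""
    perms = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (fields['stype'], fields['ttype'], fields['tclass'], perm_str)

def enforced_denials(lines):
    """Keep only records that were denied in enforcing mode; drop noise and permissive hits."""
    out = []
    for line in lines:
        f = parse_avc(line)
        if f and f['verdict'] == 'denied' and f['permissive'] is False:
            out.append(f)
    return out
```

Running `allow_rule(parse_avc(AVC_LINE))` reproduces the rule quoted in the comment, which makes visible that the rule widens the init_t domain itself rather than a narrower per-service domain.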

Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

I don't think this is a bug for tripleo.

Changed in tripleo:
status: Triaged → Invalid