[systemd-devel] SELinux is preventing (ostnamed) from mounton access on the directory /home
Samuel Rakitničan
samuel.rakitnican at gmail.com
Tue Apr 19 14:24:22 UTC 2016
Hello,
I have a system that is an upgrade from Fedora 23 to Fedora 24 Alpha.
Occasionally I get messages about selinux blocking systemd-hostnamed from
mounton access on /home. I can trigger this issue by running command
hostnamectl.
Is this supposed to happen? Is systemd-hostnamed supposed to do something
in /home directories and what might be the right fix for this?
On the second side I have another Fedora 24 system that is new install
using this same /home partition, and there is no this issue there.
Secondly, why is name of process trimmed, like (ostnamed), is this
intentional?
Relevant journalctl entries:
Apr 19 16:14:48 localhost systemd[1]: Starting Hostname Service...
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=filter family=2
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=nat family=2 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=raw family=2 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=mangle family=2
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=security family=2
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=filter family=10
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=nat family=10 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=raw family=10 entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=mangle family=10
entries=0
Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=security family=10
entries=0
Apr 19 16:14:48 localhost audit[3618]: AVC avc: denied { mounton } for
pid=3618 comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Apr 19 16:14:48 localhost dbus[895]: [system] Successfully activated
service 'org.freedesktop.hostname1'
Apr 19 16:14:48 localhost systemd[1]: Started Hostname Service.
Apr 19 16:14:48 localhost audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
Apr 19 16:14:48 localhost kernel: nf_conntrack: automatic helper assignment
is deprecated and it will be removed soon. Use the iptables CT target to
attach helpers instead.
Apr 19 16:14:51 localhost dbus[895]: [system] Activating service
name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 19 16:14:51 localhost gvfsd[1716]: ** (gvfsd:1716): WARNING **:
dbus_mount_reply: Error from org.gtk.vfs.Mountable.mount(): Failed to
retrieve share list from server: Connection refused
Apr 19 16:14:51 localhost gvfsd[1716]: ** (process:3624): WARNING **:
Couldn't create directory monitor on smb://x-gnome-default-workgroup/.
Error: The specified location is not mounted
Apr 19 16:14:51 localhost dbus[895]: [system] Successfully activated
service 'org.fedoraproject.Setroubleshootd'
Apr 19 16:14:52 localhostA setroubleshoot[3649]: SELinux is preventing
(ostnamed) from mounton access on the directory /home. For complete SELinux
messages. run sealert -l 29306eea-442b-448d-a647-6f1dede9ee78
Apr 19 16:14:52 localhost python3[3649]: SELinux is preventing (ostnamed)
from mounton access on the directory /home.
***** Plugin restorecon (94.8
confidence) suggests ************************
If you want to fix the label.
/home default label should be
home_root_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home
***** Plugin catchall_labels
(5.21 confidence) suggests *******************
If you want to allow (ostnamed)
to have mounton access on the home directory
Then you need to change the
label on /home
Do
# semanage fcontext -a -t
FILE_TYPE '/home'
where FILE_TYPE is one of the
following: admin_home_t, anon_inodefs_t, audit_spool_t, auditd_log_t,
autofs_t, automount_tmp_t, bacula_store_t, binfmt_misc_fs_t, boot_t,
capifs_t, cgroup_t, cifs_t, container_image_t, debugfs_t, default_t,
device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t, efivarfs_t, fusefs_t,
home_root_t, hugetlbfs_t, ifconfig_var_run_t, init_var_run_t, initrc_tmp_t,
iso9660_t, kdbusfs_t, mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t,
news_spool_t, nfs_t, nfsd_fs_t, openshift_tmp_t, openshift_var_lib_t,
oracleasmfs_t, proc_t, proc_xen_t, pstore_t, public_content_rw_t,
public_content_t, ramfs_t, random_seed_t, removable_t, root_t,
rpc_pipefs_t, security_t, spufs_t, src_t, svirt_sandbox_file_t,
sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t, tmpfs_t, usbfs_t,
user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_lib_nfs_t, var_lib_t,
var_lock_t, var_log_t, var_run_t, var_t, virt_image_t, virt_var_lib_t,
vmblock_t, vxfs_t, xend_var_lib_t, xend_var_run_t, xenfs_t,
xenstored_var_lib_t.
Then execute:
restorecon -v '/home'
***** Plugin catchall (1.44
confidence) suggests **************************
If you believe that (ostnamed)
should be allowed mounton access on the home directory by default.
Then you should report this as a
bug.
You can generate a local policy
module to allow this access.
Do
allow this access for now by
executing:
# ausearch -c (ostnamed) --raw |
audit2allow -M mypol
# semodule -i mypol.pp
Apr 19 16:14:54 localhost gvfsd[1716]: ** (gvfsd:1716): WARNING **:
dbus_mount_reply: Error from org.gtk.vfs.Mountable.mount(): Failed to
retrieve share list from server: Connection refused
Apr 19 16:14:54 localhost gvfsd[1716]: ** (process:3622): WARNING **:
Couldn't create directory monitor on smb://x-gnome-default-workgroup/.
Error: The specified location is not mounted
Apr 19 16:15:18 localhost audit[1]: SERVICE_STOP pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
$ sealert -l 29306eea-442b-448d-a647-6f1dede9ee78
SELinux is preventing (ostnamed) from mounton access on the directory /home.
***** Plugin restorecon (94.8 confidence) suggests
************************
If you want to fix the label.
/home default label should be home_root_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home
***** Plugin catchall_labels (5.21 confidence) suggests
*******************
If you want to allow (ostnamed) to have mounton access on the home directory
Then you need to change the label on /home
Do
# semanage fcontext -a -t FILE_TYPE '/home'
where FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t,
audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t,
binfmt_misc_fs_t, boot_t, capifs_t, cgroup_t, cifs_t, container_image_t,
debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t, ecryptfs_t,
efivarfs_t, fusefs_t, home_root_t, hugetlbfs_t, ifconfig_var_run_t,
init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t, mail_spool_t, mnt_t,
mqueue_spool_t, named_conf_t, news_spool_t, nfs_t, nfsd_fs_t,
openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t, proc_xen_t,
pstore_t, public_content_rw_t, public_content_t, ramfs_t, random_seed_t,
removable_t, root_t, rpc_pipefs_t, security_t, spufs_t, src_t,
svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t, tmp_t,
tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t,
var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t,
virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t,
xend_var_run_t, xenfs_t, xenstored_var_lib_t.
Then execute:
restorecon -v '/home'
***** Plugin catchall (1.44 confidence) suggests
**************************
If you believe that (ostnamed) should be allowed mounton access on the home
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c (ostnamed) --raw | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /home [ dir ]
Source (ostnamed)
Source Path (ostnamed)
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages filesystem-3.2-37.fc24.x86_64
Policy RPM selinux-policy-3.13.1-182.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 4.5.1-300.fc24.x86_64 #1 SMP
Tue
Apr 12 18:55:06 UTC 2016 x86_64 x86_64
Alert Count 28
First Seen 2016-04-18 20:27:54 CEST
Last Seen 2016-04-19 16:14:48 CEST
Local ID 29306eea-442b-448d-a647-6f1dede9ee78
Raw Audit Messages
type=AVC msg=audit(1461075288.431:423): avc: denied { mounton } for
pid=3618 comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Hash: (ostnamed),init_t,unlabeled_t,dir,mounton
I have tried running restorecon -v /home with no success
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20160419/31774101/attachment-0001.html>
More information about the systemd-devel
mailing list