SELinux missing access vector with systemd #1682

Closed
pizzarabe opened this Issue Nov 29, 2016 · 0 comments

Issue Report

Bug

Using SELinux (configured with the docs https://coreos.com/os/docs/latest/selinux.html) systemd-analyze critical-chain is not working in enforcing.

With the help of #selinux we were able to find

USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='Unknown permission status for class system exe="/usr/lib64/systemd/systemd" sauid=0 hostname=? addr=? terminal=?

According to them:

the "start stop status reload" access vector permissions have to be associated with the "system" security class in the "access_vectors" file of the coreos selinux policy

CoreOS Version

NAME=CoreOS
ID=coreos
VERSION=1185.3.0
VERSION_ID=1185.3.0
BUILD_ID=2016-11-01-0605
PRETTY_NAME="CoreOS 1185.3.0 (MoreOS)"
ANSI_COLOR="1;32"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
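
A way to check a policy source tree for the gap described in this report, as an added example that is not part of the original issue or of the CoreOS policy: it pulls the permission and class out of the "Unknown permission" record and tests whether an `access_vectors` file defines the four permissions named above for class `system`. The sample policy text is constructed, the record is a shortened copy of the one quoted in the issue, and all function names are hypothetical.

```python
import re

# Permissions the report says must be associated with class "system".
REQUIRED = {"start", "stop", "status", "reload"}

# Constructed sample in access_vectors syntax; not the real CoreOS policy file.
SAMPLE_ACCESS_VECTORS = """
common file { read write }
class file inherits file { execute }
class system
{
	ipc_info
	syslog_read   # trailing comment
	module_request
}
"""

# Record quoted in the issue, shortened to the fields used here.
SAMPLE_RECORD = ("USER_AVC pid=1 uid=0 subj=system_u:system_r:kernel_t:s0 "
                 "msg='Unknown permission status for class system "
                 'exe="/usr/lib64/systemd/systemd" sauid=0')

# Matches "common NAME { ... }" and "class NAME [inherits COMMON] { ... }".
BLOCK = re.compile(r"\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}")
UNKNOWN = re.compile(r"Unknown permission (\w+) for class (\w+)")

def parse_access_vectors(text):
    """Return {class_name: permissions}, resolving 'inherits' from commons."""
    text = re.sub(r"#.*", "", text)  # strip comments before matching blocks
    commons, classes = {}, {}
    for kind, name, parent, body in BLOCK.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(parent, set())
    return classes

def missing_permissions(text, cls="system", required=REQUIRED):
    """Required permissions that the policy source does not define for cls."""
    return sorted(set(required) - parse_access_vectors(text).get(cls, set()))

def unknown_from_record(record):
    """Extract (permission, class) from an 'Unknown permission' USER_AVC record."""
    m = UNKNOWN.search(record)
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    print("denied lookup:", unknown_from_record(SAMPLE_RECORD))
    print("missing from class system:", missing_permissions(SAMPLE_ACCESS_VECTORS))
```

Classes that inherit a common without declaring a brace block of their own are skipped by this parser, which does not affect the `system` class check.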
mjg59 self-assigned this Nov 30, 2016
mjg59 added a commit to mjg59/coreos-overlay that referenced this issue Dec 20, 2016
sys-apps/systemd: Update to disable selinux permissions checks 31616e4
mjg59 added a commit to mjg59/coreos-overlay that referenced this issue Dec 20, 2016
sys-apps/systemd: Update to disable selinux permissions checks 90f4e7a