On 10/11/2015 01:41 PM, Daniel J Walsh wrote:
>
> On 10/10/2015 09:09 AM, Dusty Mabe wrote:
>>
>> On 10/10/2015 08:02 AM, Daniel J Walsh wrote:
>>> On 10/09/2015 01:07 PM, Bruno Wolff III wrote:
>>>> On Fri, Oct 09, 2015 at 12:43:52 -0400,
>>>> Dusty Mabe <dusty(a)dustymabe.com> wrote:
>>>>> On 10/08/2015 03:06 PM, Dusty Mabe wrote:
>>>>>> and this is in the journal:
>>>>>>
>>>>>> ```
>>>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>>>> msg='Unknown permission stop for class system
>>>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>>>> msg='Unknown permission stop for class system
>>>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>> ```
>>>>> Any comments on the USER_AVC statements? Even if I have docker.pp I
>>>>> still see these.
>>>> I got something similar running getmail from cron. I asked about it on
>>>> the selinux list but didn't get any suggestions on how to make a rule
>>>> to allow this (audit2allow doesn't seem to handle this avc.)
>>>> _______________________________________________
>>>> cloud mailing list
>>>> cloud(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>>>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>>> If you systemctl daemon-reexec does the problem go away?
>> No, I still see them. I did a reexec and then started and stopped a
>> container. The `USER_AVC` messages get spit out to the journal on both
>> start and stop.
>>
>> ```
>> [root@footest ~]# journalctl -f | grep USER_AVC &
>> [1] 11388
>> [root@footest ~]# docker run -it --rm busybox /bin/sh
>> Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
>> permission start for class system exe="/usr/lib/systemd/systemd"
>> sauid=0 hostname=? addr=? terminal=?'
>> / #
>> / # exit
>> Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
>> permission stop for class system exe="/usr/lib/systemd/systemd"
>> sauid=0 hostname=? addr=? terminal=?'
>> Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
>> permission stop for class system exe="/usr/lib/systemd/systemd"
>> sauid=0 hostname=? addr=? terminal=?'
>> ```
> So this means that selinux policy does not define a start call for the
> system class. Meaning this is either a bug in systemd (systemd is
> asking for start access on system when it should be asking for it on a
> service), or selinux-policy needs to add a start permission for system.
> I am thinking this is probably a problem with systemd. Adding
> Miroslav to see if he knows.
>
> What OS? This is a systemd bug. AFAIK they added some fixes for it.
Fedora 23 beta cloud image [1] is where I started. I then fully updated
the system (dnf update -y) and rebooted before installing docker. Just
installing/starting docker gives me the USER_AVCs. If they fixed some
stuff it isn't in F23.
Dusty
[1] -
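The thread turns on one detail: the kernel reports `Unknown permission start for class system` because the loaded policy has no such permission on that object class, which is also why audit2allow cannot emit a rule for it (an `allow` rule naming a permission the policy does not define will not compile). The following triage script is an added example, not code from the thread or from systemd/selinux-policy. It parses `USER_AVC` journal lines of the shape posted above, groups them by subject/class/permission, and checks whether the running policy defines that pair by consulting `/sys/fs/selinux/class/<class>/perms/`; the `known_perms` argument substitutes an in-memory view of the policy so the check runs offline. The sample log lines and the `EXAMPLE_POLICY_PERMS` table are constructed for the example.

```python
"""Triage SELinux USER_AVC 'Unknown permission' records (added example)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample input, modelled on the journal lines in the thread.
SAMPLE_LINES = [
    "Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission "
    "start for class system exe=\"/usr/lib/systemd/systemd\" sauid=0 "
    "hostname=? addr=? terminal=?'",
    "Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission "
    "stop for class system exe=\"/usr/lib/systemd/systemd\" sauid=0 "
    "hostname=? addr=? terminal=?'",
    "Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission "
    "stop for class system exe=\"/usr/lib/systemd/systemd\" sauid=0 "
    "hostname=? addr=? terminal=?'",
]

# Constructed, partial view of a policy for offline use: which permissions
# each object class defines. A real run reads selinuxfs instead (assumption:
# selinuxfs is mounted at /sys/fs/selinux, the Fedora default).
EXAMPLE_POLICY_PERMS = {
    "system": {"ipc_info", "syslog_read", "syslog_mod", "syslog_console"},
    "service": {"start", "stop", "status", "reload", "enable", "disable"},
}

# Pulls subject context, permission, class and (optional) exe out of the
# msg='Unknown permission <perm> for class <class> ...' payload.
UNKNOWN_PERM_RE = re.compile(
    r"USER_AVC .*?subj=(?P<subj>\S+) .*?"
    r"msg='Unknown permission (?P<perm>\w+) for class (?P<cls>\w+)"
    r'(?: exe="(?P<exe>[^"]*)")?'
)


@dataclass(frozen=True)
class UnknownPerm:
    subj: str
    cls: str
    perm: str
    exe: Optional[str]


def parse_unknown_perms(lines: Iterable[str]) -> list[UnknownPerm]:
    """Return one UnknownPerm per matching USER_AVC line; other lines are skipped."""
    found = []
    for line in lines:
        m = UNKNOWN_PERM_RE.search(line)
        if m:
            found.append(UnknownPerm(m["subj"], m["cls"], m["perm"], m["exe"]))
    return found


def policy_defines(cls: str, perm: str,
                   known_perms: Optional[dict[str, set[str]]] = None,
                   selinuxfs: str = "/sys/fs/selinux") -> bool:
    """True if the policy defines `perm` on object class `cls`.

    With known_perms the lookup is offline; otherwise the kernel's own view is
    used: selinuxfs exposes class/<cls>/perms/<perm> for every defined pair.
    """
    if known_perms is not None:
        return perm in known_perms.get(cls, set())
    return os.path.exists(os.path.join(selinuxfs, "class", cls, "perms", perm))


def triage(lines: Iterable[str],
           known_perms: Optional[dict[str, set[str]]] = None) -> dict:
    """Group records by (subject, class, perm) and record whether the pair is
    defined. An undefined pair cannot be fixed by a local module (audit2allow
    output would not compile); it needs a policy change or a caller fix."""
    report: dict = {}
    for u in parse_unknown_perms(lines):
        key = (u.subj, u.cls, u.perm)
        entry = report.setdefault(key, {"count": 0, "exe": u.exe})
        entry["count"] += 1
        entry["defined_in_policy"] = policy_defines(u.cls, u.perm, known_perms)
        entry["fixable_with_local_module"] = entry["defined_in_policy"]
    return report


def explain(report: dict) -> list[str]:
    """Human-readable verdict per group, for pasting into a bug report."""
    out = []
    for (subj, cls, perm), e in sorted(report.items()):
        if e["defined_in_policy"]:
            verdict = "defined in policy; a normal AVC, audit2allow can handle it"
        else:
            verdict = ("not defined in policy; no allow rule is possible, "
                       "report against the caller or selinux-policy")
        out.append(f"{subj} {cls}:{perm} x{e['count']} (exe={e['exe']}): {verdict}")
    return out


if __name__ == "__main__":
    # Offline run on the constructed sample; drop known_perms on a real host.
    for line in explain(triage(SAMPLE_LINES, known_perms=EXAMPLE_POLICY_PERMS)):
        print(line)
```

On a live host, `journalctl -o cat _AUDIT_TYPE_NAME=USER_AVC | python3 triage.py` style piping into `triage()` without `known_perms` asks the running kernel; if `/sys/fs/selinux/class/system/perms/start` is absent, the message is exactly what Dan describes and a local `.pp` module will not help.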